Re: [Owasp-modsecurity-core-rule-set] CRS-2.2.9 - Duplicates found for rules 2011257 and 2011258

Mon, 12 May 2014 04:25:25 -0700 

On Mon, May 12, 2014 at 2:44 PM, Anoop Saldanha <anoopsalda...@gmail.com> wrote:
> Under CRS-2.2.9, under the "slr_rules" directory, each of these 2
> files have the above 2 rules but with different subsequent chains in 2
> different files.
>
> Filename: modsecurity_crs_46_slr_et_wordpress_attacks.conf
>
> # (2011257) SpiderLabs Research (SLR) Public Vulns: ET
> WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Sc\
> ripting Attempt
> SecRule REQUEST_LINE "@contains
> /wp-content/plugins/firestats/php/window-add-excluded-url.php"
> "chain,phase:2,block,t:none,t\
> :urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR:
> ET WEB\
> _SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site
> Scripting Attempt',tag:'web-application-attack'"
>
> SecRule ARGS:edit
> "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblcl\
> ick|onsubmit|onreset|onselect|onchange|style\x3D))"
> "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats
> wind\
> ow-add-excluded-url.php Cross Site Scripting
> Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rul\
> e.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
>
> Filename: modsecurity_crs_46_slr_et_xss_attacks.conf
>
> # (2011257) SpiderLabs Research (SLR) Public Vulns: ET
> WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Sc\
> ripting Attempt
> SecRule REQUEST_LINE "@contains
> /wp-content/plugins/firestats/php/window-add-excluded-url.php"
> "chain,phase:2,block,t:none,t\
> :urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR:
> ET WEB\
> _SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site
> Scripting Attempt',tag:'web-application-attack'"
>
> SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0"
> "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats
> window-add-exclud\
> ed-url.php Cross Site Scripting
> Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATT\
> ACK/XSS-%{matched_var_name}=%{matched_var}'"
>
> -----
>
> Similarly for rule with id: 2011258.
>
> Is this behaviour intentional, or do we have a id numbering bug?
>

To add to the above, it's not just the above rule, but there are a
bunch of such rules between these 2 files, sharing the same id.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to