There are two different categories of protections on that directory that are alternatives to each other. The first one is a direct conversion of the ET signature (including the regex). The second one uses the metadata about the injection point but then uses OWASP ModSecurity CRS collaboration to check for the existence of previous generic rule matches.
See this blog post - http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-ids-signatures.html

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On May 12, 2014, at 5:31 AM, "Anoop Saldanha" <anoopsalda...@gmail.com> wrote:

Under CRS-2.2.9, under the "slr_rules" directory, each of these 2 files has the above 2 rules but with different subsequent chains, in 2 different files.

Filename: modsecurity_crs_46_slr_et_wordpress_attacks.conf

    # (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
    SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" \
        "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
        SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" \
            "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

Filename: modsecurity_crs_46_slr_et_xss_attacks.conf

    # (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
    SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" \
        "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
        SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" \
            "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

-----

Similarly for rule with id: 2011258.

Is this behaviour intentional, or do we have an id numbering bug?

--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
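To make the difference between the two variants concrete, here is a small Python model of the second (collaborative) chain quoted above. It is an added example for this thread, not ModSecurity or CRS code: it imitates how a generic CRS XSS rule records its hit in the TX collection as tx.<rule.id>-WEB_ATTACK/XSS-<matched_var_name> (the same naming the SLR rule itself uses in its own setvar) and how the chained `SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0"` link then counts those entries instead of re-running the ET regex. The generic rule's id (999999) and its pattern are constructed stand-ins, tx.critical_anomaly_score is assumed to be the CRS 2.2.x default of 5, the request lines are constructed, and the t: transformations are approximated with plain URL and HTML entity decoding.

```python
"""Model of CRS 2.2.x collaborative detection for SLR rule 2011257 (added example)."""
import html
import re
from typing import Dict, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/wp-content/plugins/firestats/php/window-add-excluded-url.php"
# The collection selector from link 2 of the quoted chain: &TX:'/XSS.*ARGS:edit/'
TX_SELECTOR = re.compile(r"XSS.*ARGS:edit")
# Assumed value of tx.critical_anomaly_score (CRS 2.2.x ships 5 as its default).
CRITICAL_ANOMALY_SCORE = 5
SLR_MSG = "ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt"

# Constructed stand-in for one generic CRS XSS rule: placeholder id, simplified pattern.
GENERIC_XSS_ID = 999999
GENERIC_XSS_REGEX = re.compile(r"(?i)<script|\bon[a-z]+\s*=")


def parse_request_line(request_line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'GET /path?a=b HTTP/1.1' into the request target and the ARGS
    collection. parse_qs does the URL decoding and html.unescape stands in
    for t:htmlEntityDecode; each ARG keeps its first value only."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    args = {
        name: html.unescape(values[0])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return target, args


def run_generic_xss_rule(args: Dict[str, str], tx: Dict[str, str]) -> None:
    """Generic phase-2 XSS rule. On a hit it does what CRS 2.2.x rules do:
    raise tx.anomaly_score and record the hit under
    tx.<rule.id>-WEB_ATTACK/XSS-<matched_var_name> so later rules can consult it."""
    for name, value in args.items():
        if GENERIC_XSS_REGEX.search(value):
            tx[f"{GENERIC_XSS_ID}-WEB_ATTACK/XSS-ARGS:{name}"] = value
            tx["anomaly_score"] = str(int(tx.get("anomaly_score", "0")) + CRITICAL_ANOMALY_SCORE)


def count_tx(tx: Dict[str, str], selector: re.Pattern) -> int:
    """&TX:'/regex/' semantics: the number of TX variables whose *name* matches."""
    return sum(1 for name in tx if selector.search(name))


def run_slr_2011257_collaborative(request_line: str, tx: Dict[str, str]) -> bool:
    """The chain quoted from modsecurity_crs_46_slr_et_xss_attacks.conf.
    Returns True when both links match, i.e. when the rule would block."""
    # Link 1: SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php"
    #         (unquote approximates t:urlDecodeUni on the request line)
    if TARGET_PATH not in unquote(request_line):
        return False
    # Link 2: SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" -- did an earlier XSS rule already flag ARGS:edit?
    if count_tx(tx, TX_SELECTOR) > 0:
        tx["msg"] = SLR_MSG
        tx["anomaly_score"] = str(int(tx.get("anomaly_score", "0")) + CRITICAL_ANOMALY_SCORE)
        return True
    return False


def evaluate(request_line: str) -> Tuple[bool, Dict[str, str]]:
    """Phase 2 in CRS file order: the generic XSS rules load before the crs_46
    SLR files, so TX is already populated when the SLR chain runs."""
    tx: Dict[str, str] = {}
    _target, args = parse_request_line(request_line)
    run_generic_xss_rule(args, tx)
    return run_slr_2011257_collaborative(request_line, tx), tx


if __name__ == "__main__":
    # Constructed request lines, not captured traffic.
    for line in (
        "GET /wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=x%3Cscript%3E HTTP/1.1",
        "GET /wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=hello HTTP/1.1",
        "GET /wp-content/plugins/firestats/php/window-add-excluded-url.php?other=x%3Cscript%3E HTTP/1.1",
        "GET /index.php?edit=x%3Cscript%3E HTTP/1.1",
    ):
        matched, tx = evaluate(line)
        print(f"{'BLOCK' if matched else 'pass '}  score={tx.get('anomaly_score', '0'):>2}  {line}")
```

The third request is the instructive one: the generic rule flags ARGS:other and raises the anomaly score, but the SLR chain stays quiet because the selector `/XSS.*ARGS:edit/` only counts hits against the parameter the ET signature named. That is what "uses the metadata about the injection point" means in practice: the SLR rule contributes the target and parameter, and the generic rules contribute the payload detection.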