Right. Thanks Ryan.

On Mon, May 12, 2014 at 5:23 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:
> There are two different categories of protections on that directory that are
> alternatives to each other. The first one is a direct conversion of the ET
> signature (including the regex). The second one uses the metadata about the
> injection point but then uses OWASP ModSecurity CRS collaboration to check
> for the existence of previous generic rule matches.
>
> See this blog post -
> http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-ids-signatures.html
>
> Ryan Barnett
> Lead Security Researcher, SpiderLabs
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> On May 12, 2014, at 5:31 AM, "Anoop Saldanha" <anoopsalda...@gmail.com> wrote:
>
> Under CRS-2.2.9, under the "slr_rules" directory, each of these 2
> files has the above 2 rules but with different subsequent chains in 2
> different files.
>
> Filename: modsecurity_crs_46_slr_et_wordpress_attacks.conf
>
> # (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
> SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
> SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
>
> Filename: modsecurity_crs_46_slr_et_xss_attacks.conf
>
> # (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
> SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
> SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
>
> -----
>
> Similarly for rule with id: 2011258.
>
> Is this behaviour intentional, or do we have an id numbering bug?
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
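To make Ryan's second category concrete, here is a small Python model of how the `&TX:'/XSS.*ARGS:edit/' "@gt 0"` chain reuses what earlier generic CRS rules recorded in the TX collection, rather than re-running the ET regex itself. This is an added example, not code from the thread or from CRS; the generic XSS pattern, the rule id 973300, the anomaly score value and the `tx.<id>-<category>-<var>` variable names are assumptions standing in for the real CRS rules.

```python
import re

# Assumed stand-ins for CRS settings (not the real CRS values/bodies)
CRITICAL_ANOMALY_SCORE = 5        # assumed tx.critical_anomaly_score
GENERIC_XSS_RULE_ID = 973300      # placeholder id for a generic CRS XSS rule
SLR_RULE_ID = 2011257             # id from the thread
FIRESTATS_PATH = "/wp-content/plugins/firestats/php/window-add-excluded-url.php"
GENERIC_XSS = re.compile(r"(?i)<script|\bon[a-z]+\s*=")  # simplified stand-in


def generic_xss_rule(tx, args):
    """Stand-in for a generic CRS XSS rule that runs earlier in phase 2.
    On a hit it records tx.<id>-WEB_ATTACK/XSS-ARGS:<param> and raises the score."""
    for name, value in args.items():
        if GENERIC_XSS.search(value):
            tx[f"{GENERIC_XSS_RULE_ID}-WEB_ATTACK/XSS-ARGS:{name}"] = value
            tx["anomaly_score"] = tx.get("anomaly_score", 0) + CRITICAL_ANOMALY_SCORE


def count_tx(tx, name_regex):
    """Model of '&TX:/regex/': count TX variables whose NAME matches the regex."""
    rx = re.compile(name_regex)
    return sum(1 for name in tx if rx.search(name))


def slr_collaborative_rule(tx, request_line):
    """Model of the id:2011257 chain from the xss_attacks file: path check first,
    then '&TX:/XSS.*ARGS:edit/ @gt 0' over what the generic rules left behind."""
    if FIRESTATS_PATH not in request_line:
        return False
    if count_tx(tx, r"XSS.*ARGS:edit") <= 0:
        return False
    # Approximation of %{matched_var_name}/%{matched_var}: the first TX hit
    matched = next(n for n in tx if re.search(r"XSS.*ARGS:edit", n))
    tx["msg"] = ("ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php "
                 "Cross Site Scripting Attempt")
    tx["anomaly_score"] = tx.get("anomaly_score", 0) + CRITICAL_ANOMALY_SCORE
    tx[f"{SLR_RULE_ID}-WEB_ATTACK/XSS-{matched}"] = tx[matched]
    return True


def evaluate(request_line, args):
    """Run the generic rule, then the SLR chain; return (fired, tx)."""
    tx = {}
    generic_xss_rule(tx, args)
    fired = slr_collaborative_rule(tx, request_line)
    return fired, tx


if __name__ == "__main__":
    # Constructed sample request with a payload in the 'edit' parameter
    print(evaluate(f"GET {FIRESTATS_PATH}?edit=x HTTP/1.1", {"edit": "<script>alert(1)</script>"}))
```

The SLR chain only fires when a generic rule already flagged the `edit` parameter as XSS; a hit on a different parameter, a different category, or a different path leaves it silent.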