Hello, I'm updating CRS versions, and see just over 20 newer rules in CRS_41_sqli that name a tx variable (the one that's set equal to %{tx.0}) using a different format than any of the other rules in the CRS (e.g. rule id:981243). The value of %{tx.msg} is added to the variable name, instead of just %{rule.id}, which seems a bit unnecessary, and not quite as clean. This variable is usually used to check that a rule matched a particular parameter prior to adjusting the anomaly score, so this creates some inconsistencies when writing score adjustments, since %{tx.msg} contains spaces.
The variable is typically named like this:

    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}

And a typical score adjustment would look like this:

    SecRule &TX:981243-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:foobar "@ge 1" "setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"

With this handful of newer rules, the variable is named like this:

    setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}

The only way I could figure to write a score adjustment for these was with regex (note: the regex wouldn't work with metacharacters, like \s for a space), like this:

    SecRule &TX:'/981243-Detects.classic.SQL.injection.probings.2/2-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:foobar/' "@ge 1" "setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"

Is there any reason the format for this has changed, or is different for these rules? Is there a cleaner or more consistent way to write adjustments for these rules?

Thanks in advance,
Dusty
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
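
An added example, not part of the original post or of the CRS: a small audit script that lists which rules in a rule file name their per-parameter TX variable with %{tx.msg} rather than with %{rule.id} alone, so the score adjustments that need review after an upgrade can be enumerated. The sample rules, the ids 900001 and 900002, and the function name are constructed for illustration.

```python
import re

# Constructed sample in the style of CRS 2.x rule files (not copied from the CRS).
SAMPLE_RULES = r"""
SecRule ARGS "(?i:union\s+select)" \
    "phase:2,capture,block,id:'900001',msg:'Constructed rule A',\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "(?i:sleep\()" \
    "phase:2,capture,block,id:'900002',msg:'Constructed rule B 2/2',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
"""

# Captures the TX variable name written in a setvar action (text before '=').
SETVAR_NAME = re.compile(r"setvar:'?tx\.([^=,'\"]+)=", re.I)


def audit_match_var_names(rules_text):
    """Return (rule id, naming style, msg) for every rule that stores a match
    in a TX variable whose name includes %{matched_var_name}."""
    # Join backslash-continued lines so each SecRule is one logical line.
    joined = re.sub(r"\\\r?\n\s*", "", rules_text)
    findings = []
    for line in joined.splitlines():
        if not line.lstrip().startswith("SecRule"):
            continue
        rule_id = re.search(r"\bid:'?(\d+)", line)
        msg = re.search(r"\bmsg:'([^']*)'", line)
        for name in SETVAR_NAME.findall(line):
            lowered = name.lower()
            if "%{matched_var_name}" not in lowered:
                continue  # e.g. tx.msg=..., tx.anomaly_score=...
            if "%{tx.msg}" in lowered:
                style = "tx.msg"   # name will contain the message text
            elif lowered.startswith("%{rule.id}-"):
                style = "rule.id"  # the usual, space-free form
            else:
                style = "other"
            findings.append((rule_id.group(1) if rule_id else None, style,
                             msg.group(1) if msg else None))
    return findings


if __name__ == "__main__":
    for rid, style, msg in audit_match_var_names(SAMPLE_RULES):
        note = " (msg has spaces)" if style == "tx.msg" and msg and " " in msg else ""
        print(f"{rid}: {style}{note}")
```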