That is a bug and is why this is labeled as a "dev" branch :) I fixed it and just pushed an update to GitHub if you want to pull it down.
Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Riemann Riemann <riemann...@gmail.com>
Date: Thursday, June 5, 2014 1:01 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Why are some newer rules formatted differently in crs_41_sqli?

Hello,

I'm updating CRS versions, and see just over 20 newer rules in CRS_41_sqli that name a tx variable (the one that's set equal to %{tx.0}) using a different format than any of the other rules in the CRS (e.g. rule id:981243). The value of %{tx.msg} is added to the variable name, instead of just %{rule.id}, which seems a bit unnecessary, and not quite as clean. This variable is usually used to check that a rule matched a particular parameter prior to adjusting the anomaly score, so this creates some inconsistencies when writing score adjustments, since %{tx.msg} contains spaces.
The variable is typically named like this:

    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}

And a typical score adjustment would look like this:

    SecRule &TX:981243-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:foobar "@ge 1" "setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"

With this handful of newer rules, the variable is named like this:

    setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}

The only way I could figure to write a score adjustment for these was with regex (note: the regex wouldn't work with metacharacters, like \s for a space), like this:

    SecRule &TX:'/981243-Detects.classic.SQL.injection.probings.2/2-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:foobar/' "@ge 1" "setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"

Is there any reason the format for this has changed, or is different for these rules? Is there a cleaner or more consistent way to write adjustments for these rules?

Thanks in advance,
Dusty
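As an added example (not code from this thread or from the CRS project): a small Python lint that finds the %{tx.msg}-named TX variables Dusty describes in CRS rule text, rewrites them to the %{rule.id} form the other rules use, and emits the plain &TX: score-adjustment rule that naming permits. The sample rules and their ids 900001/900002, the adjustment rule's id 900100 and its action list (phase:2, nolog, pass) are constructed for the example.

```python
"""Lint ModSecurity CRS rule text for setvar actions that build the per-rule
TX variable from %{tx.msg} (contains spaces) instead of %{rule.id}."""
import re

# Constructed sample in the shape of CRS 2.x crs_41 rules; not the real rule
# text, and ids 900001/900002 are placeholders.
SAMPLE_RULES = r'''
SecRule ARGS "(?i:select\s+.*\s+from)" \
    "phase:2,id:900001,t:none,t:urlDecodeUni,block,msg:'Constructed SQLi rule A',\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "(?i:union\s+select)" \
    "phase:2,id:900002,t:none,t:urlDecodeUni,block,msg:'Constructed SQLi rule B',\
    setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
'''

# The TX variable a rule records its match in: setvar:tx.<name>=%{tx.0}
SETVAR_RE = re.compile(r"setvar:tx\.(?P<name>[^=,\"']+)=%\{tx\.0\}")
ID_RE = re.compile(r"\bid:'?(\d+)'?")

def audit_rules(text):
    """Return (rule_id, name) for rules whose TX variable is built from %{tx.msg}."""
    findings = []
    # Join backslash-continued lines so each SecRule is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        if not line.lstrip().startswith("SecRule"):
            continue
        id_match = ID_RE.search(line)
        rule_id = id_match.group(1) if id_match else "?"
        for m in SETVAR_RE.finditer(line):
            if m.group("name").startswith("%{tx.msg}"):
                findings.append((rule_id, m.group("name")))
    return findings

def normalise(text):
    """Rewrite offending names to the %{rule.id} form; other text is unchanged."""
    return text.replace("setvar:tx.%{tx.msg}", "setvar:tx.%{rule.id}")

def adjustment_rule(rule_id, matched_var, excl_id):
    """Score-adjustment rule the %{rule.id} naming allows: a plain &TX:
    target, no regex over the msg text. excl_id is the new rule's own id."""
    target = f"&TX:{rule_id}-OWASP_CRS/WEB_ATTACK/SQLI-{matched_var}"
    return (f'SecRule {target} "@ge 1" '
            f'"phase:2,id:{excl_id},t:none,nolog,pass,'
            f'setvar:tx.anomaly_score=-%{{tx.critical_anomaly_score}}"')

if __name__ == "__main__":
    for rid, name in audit_rules(SAMPLE_RULES):
        print(f"rule {rid}: tx variable built from tx.msg -> {name}")
    print(adjustment_rule("981243", "ARGS:foobar", "900100"))
```

Run it over a real crs_41 file by passing the file contents to audit_rules; the adjustment rule must be loaded after the CRS rules it references so the TX variable exists when it is evaluated.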