Hello Walter,

On Tue, Feb 02, 2016 at 02:02:13PM +0100, Walter Hop wrote:
> Thanks, that’s a nice torrent of mail you sent there! :) I’ll have time to
> look at the rules next weekend, although maybe I’ll sneak in a few replies
> before that.

Cool.

> Before making a good judgement call on SQLi and XSS related rules, I still
> need to know a bit more about libinjection.
>
> We should recommend moving a rule into paranoia if its cost is too high
> relative to its benefit.
> But, for SQLi and XSS rules, this depends on libinjection, which I haven’t
> really exercised yet.

Libinjection has been around for a few years. I always considered it
underdocumented and too much of a one-man show. After my rant in
https://www.netnea.com/cms/2015/12/20/modsec-crs-2-2-x-vs-3-0-0-dev/
I got in touch with the developer Nick Galbreath, who admitted many
shortcomings and promised to clean up his project. In fact we are seeing
more activity with libinjection on GitHub now:
https://github.com/client9/libinjection/pulse/monthly

But it's still almost exclusively a one-man show, and I am convinced nobody
outside Nick did a thorough code review. Meanwhile Chaim told me libinjection
is included in other WAF products as well, and I agree it is a great piece of
code. It's just that I feel uneasy with the state of the project and the
linking of it into my parameter parser aimed to stop evil attackers (trying to
exploit libinjection).

With that being said, the blog post above showed me that libinjection is able
to detect a great many SQLi and XSS attacks. But it is far from complete. (See
the blog post for numbers.) So I think it is _one_ rule in a set of rules aimed
to stop SQLi and XSS. Diversity is key.

Also: a real-world SQL injection typically triggers a variety of anti-SQLi
rules. With _only_ libinjection it would be a single critical alert.

> If libinjection in itself already has a high sensitivity, the benefits of the
> regexp based rules will become lower. After all, an attack will then likely
> already be flagged without those rules. In that case, we could move rules
> from normal to paranoid mode, or dismiss currently removed rules, much more
> easily.

I see your point. I think that would work in strict blocking mode.
In anomaly scoring mode, it would only work with an anomaly scoring limit of 5
or lower. Otherwise, SQL injections would simply trigger libinjection, but fly
under the radar of the final blocking rule.

Thanks for your input and food for thought. Interesting.

Ahoj,

Christian

-- 
People demand freedom of speech as a compensation for the freedom of thought
which they seldom use. -- Soren Kierkegaard

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
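The anomaly-scoring interaction Christian describes, as an added illustration that is not part of the thread and not the CRS's own rules: a minimal ModSecurity 2.x rule set in which a libinjection-backed rule (`@detectSQLi`) and two constructed regex rules each add the CRITICAL score of 5, and a final rule blocks once the accumulated score reaches the threshold. The rule ids (10001 to 10099) and the regex patterns are arbitrary example values chosen here; they do not correspond to CRS rule ids or CRS patterns.

```apache
# Added example (not CRS code): anomaly scoring with libinjection as ONE rule
# among several. Threshold 5 means a single CRITICAL hit blocks; raise it to 10
# and a request that only trips @detectSQLi scores 5 and passes through.
SecRuleEngine On

# Scoring parameters. Threshold 5 = one critical alert is enough to block.
SecAction \
  "id:10001,phase:1,nolog,pass,t:none,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.critical_anomaly_score=5,\
   setvar:tx.anomaly_score=0"

# Rule 1: libinjection SQLi detector (one signal, CRITICAL = +5).
SecRule ARGS "@detectSQLi" \
  "id:10010,phase:2,pass,t:none,t:urlDecodeUni,t:removeNulls,\
   log,msg:'SQLi detected via libinjection',severity:'CRITICAL',\
   setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Rule 2: constructed regex for a UNION-based injection (CRITICAL = +5).
SecRule ARGS "@rx (?i)\bunion\b[\s/*]+(?:all[\s/*]+)?\bselect\b" \
  "id:10020,phase:2,pass,t:none,t:urlDecodeUni,t:removeNulls,\
   log,msg:'SQLi UNION SELECT pattern (example regex)',severity:'CRITICAL',\
   setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Rule 3: constructed regex for a trailing SQL comment (CRITICAL = +5).
SecRule ARGS "@rx (?:--|#|/\*)\s*$" \
  "id:10030,phase:2,pass,t:none,t:urlDecodeUni,t:removeNulls,\
   log,msg:'Trailing SQL comment (example regex)',severity:'CRITICAL',\
   setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Final blocking rule: compare the accumulated score with the threshold.
# Example payload  id=1' UNION SELECT 1,2,3--  trips all three rules => 15.
# A payload that only libinjection recognises scores 5: blocked at
# threshold 5, NOT blocked at threshold 10, which is the point of the thread.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:10099,phase:2,deny,status:403,log,\
   msg:'Inbound anomaly score %{TX.ANOMALY_SCORE} exceeded threshold'"
```

To see the effect, change `tx.inbound_anomaly_score_threshold` to 10 and send a request with a parameter that only `@detectSQLi` flags (for example a payload using an operator or function none of the two example regexes match): the audit log shows rule 10010 firing with score 5, but rule 10099 never triggers. With the diverse set, the same UNION payload still scores 15 and is denied at either threshold.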