Hi, We have some proposals for stricter siblings of existing rules. When cloning rules to stricter siblings, multiple rules at different paranoia levels could match. Several clones of a rule should use strict limits to avoid multiple log entries for one request.
I take Christian's example to explain what I mean. In his example, to explain the mechanics proposal, he clones the rule 981173. The main rule is suggested to be at paranoia level 2, accompanied by two stricter siblings at level 3 and 4.

Paranoia level 2:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){5,}" \...

Paranoia level 3:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){3,}" \...

Paranoia level 4:
SecRule ARGS_NAMES|ARGS|XML:/* "[\~\!\@\#\.....\<\>]" \...

In this example, requests with more than 5 special characters, and a chosen paranoia level of 4, will create three distinct log entries in turn.

Example with stricter limits at paranoia level 3:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){3,4}" \

Perhaps we want to accumulate log entries to emphasize the severity. I don't like this idea, because it makes it more difficult to read the logs.

What do you think about that?

Regards,
Franziska

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
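An added example, not part of the post or of the CRS, that simulates how many sibling rules fire for one argument value at a given paranoia level. The open-ended set mirrors the three patterns quoted above; the bounded set anchors the whole value and gives each level a disjoint count range so only one sibling can match. The special-character class is a constructed stand-in, since the post elides the real one.

```python
import re

# Constructed stand-in for the special-character class; the post elides
# the real class with "....." so this list is an assumption.
SPECIAL_CHARS = "~!@#$%^&*()<>"
S = "[" + re.escape(SPECIAL_CHARS) + "]"       # one special character
NOT_S = "[^" + re.escape(SPECIAL_CHARS) + "]"  # one non-special character

# Open-ended siblings as in the post: each level has only a lower bound,
# so a value with 5 or more specials satisfies all three patterns and
# produces one log entry per sibling at paranoia level 4.
OPEN_ENDED = {
    2: re.compile(f"({S}.*?){{5,}}"),
    3: re.compile(f"({S}.*?){{3,}}"),
    4: re.compile(S),
}

# Bounded siblings: anchor the whole value and give each level its own
# count range (5+, 3-4, 1-2), so exactly one sibling matches any value
# that contains at least one special character.
BOUNDED = {
    2: re.compile(f"^(?:{NOT_S}*{S}){{5,}}{NOT_S}*$"),
    3: re.compile(f"^(?:{NOT_S}*{S}){{3,4}}{NOT_S}*$"),
    4: re.compile(f"^(?:{NOT_S}*{S}){{1,2}}{NOT_S}*$"),
}


def firing_levels(rules, value, paranoia_level):
    """Return the paranoia levels (up to the configured level) whose
    sibling rule matches `value`; each entry is one log entry."""
    return sorted(
        level for level, rx in rules.items()
        if level <= paranoia_level and rx.search(value)
    )


if __name__ == "__main__":
    # Constructed sample argument values with 5, 3, 1 and 0 specials.
    for value in ("a!b@c#d$e%f", "x<y>z!", "<", "hello"):
        print(f"{value!r:>14}: open-ended {firing_levels(OPEN_ENDED, value, 4)}"
              f"  bounded {firing_levels(BOUNDED, value, 4)}")
```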