Good evening everybody,

The first runs with Noël's patch look promising. I checked the rules and they are all there and they work correctly, as far as I checked.

Here is a screenshot of a diff of the various alerts triggered with paranoia level 1 and paranoia level 2: http://imgur.com/AZcCijQ (PL 2 in pull request #2 has 20 additional rules when compared to PL 1).

And here is a graph of the anomaly score distribution for PL 1 and PL 2. Nice to see the peak being shifted to a higher anomaly score due to the additional alerts: http://imgur.com/xMkULKe

I am unsure about the best tag for the rules. Right now, they appear as follows in the error-log:

[2016-03-07 17:50:31.720874] [-:error] 127.0.0.1:38796 Vt2xV38AAQEAABpA0R0AAAAW [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:,.*?[)\\\\da-f\\"'`][\\"'`](?:[\\"'`].*?[\\"'`]|\\\\Z|[^\\"'`]+))|(?:\\\\Wselect.+\\\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\\\s*?\\\\(\\\\s*?space\\\\s*?\\\\())" at ARGS:Authorization. [file "/opt/modsecurity-core-rules-3.0rc1-paranoia/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "593"] [id "942200"] [rev "2"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , response=\\x22ae9f86d6beaa3f9ecb9a5b7e072a4138\\x22, nonce= found within ARGS:Authorization: Digest username=\\x22admin\\x22, response=\\x22ae9f86d6beaa3f9ecb9a5b7e072a4138\\x22, nonce=\\x222b089ba7985a883ab2eddcd3539a6c94\\x22, realm=\\x22adminRealm\\x22, uri=\\x22/servlet/admin\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-mutli"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "paranoia-level/2"] [hostname "localhost"] [uri "/servlet/admin"] [unique_id "Vt2xV38AAQEAABpA0R0AAAAW"]

The tag is thus: [tag "paranoia-level/2"]

Thoughts?

Best,

Christian

On Sun, Mar 06, 2016 at 09:40:33PM +0100, Christian Folini wrote:
> Thanks Noël, that looks better. :)
>
> I'll check it carefully in the next days. Would be pleased if more
> people could give it a spin.
>
> Ahoj,
>
> Christian
>
>
> On Sun, Mar 06, 2016 at 08:18:45PM +0100, Noël Zindel wrote:
> > Walter, Christian,
> >
> > thanks for the assistance. I wasn't quite sure if the 100 commits and 15k
> > lines of changed code in my initial request were just an overall statistic
> > ;)
> >
> > As it seems, I really only forgot to base my pull request on the 3.0.0-rc1
> > branch. Unfortunately it's required to create a new pull request, since
> > there's no way to adjust the merge target for an existing one.
> >
> > My PR should be fixed now and we're good to go:
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/300
> >
> > And thanks, Walter, for sharing your workflow.
> >
> > Cheers,
> > Noël
> >
> >
> > > On 06 Mar 2016, at 18:43, Walter Hop <mod...@spam.lifeforms.nl> wrote:
> > >
> > > Just in case anyone is interested, this is the procedure I normally
> > > follow for pull requests:
> > > https://gist.github.com/lifeforms/c8778a05bf0385c7f391
> > >
> > > I've created a pull request here just to test, though Christian may
> > > review and accept it :) I'll need the file in there so I can easily add
> > > to it when working on the PHP rules. We'll convert them to use Chaim's
> > > tool when it's ready.
> > > https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/299
> > >
> > > Cheers!
> > > WH
> > >
> > > --
> > > Walter Hop | PGP key: https://lifeforms.nl/pgp
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
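The error-log line Christian quotes carries everything the PL 1 / PL 2 alert diff and the anomaly-score graph are derived from: the rule id, the severity and the paranoia-level/N tag. The following Python script is an added example, not part of the thread or of the CRS project. It parses the `[key "value"]` fields of that log format, groups the firing rule ids by paranoia level, and recomputes the per-request inbound anomaly score as CRS would accumulate it with only rules up to a given level active, using the CRS 3.0 default severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2). The sample log lines are constructed: rule id 942200 and its message come from the thread, the other rule ids (999100, 999200) and the REQ1..REQ3 unique ids are made up, and an alert without a paranoia-level tag is assumed to belong to the baseline level 1.

```python
import re
from collections import Counter, defaultdict

# CRS 3.0 default severity weights (tx.critical_anomaly_score and friends).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# One [key "value"] field; values may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PL_TAG_RE = re.compile(r"^paranoia-level/(\d+)$")

# Constructed sample in the ModSecurity 2.x error-log format shown in the
# thread, shortened (regex pattern elided). Rule 942200 is from the thread;
# rule ids 999100/999200 and the REQ* unique ids are made up for this example.
SAMPLE_LOG = """
[2016-03-07 17:50:00.000001] [-:notice] [pid 1234] AH00094: Command line: 'httpd'
[2016-03-07 17:50:31.720874] [-:error] 127.0.0.1:38796 REQ1 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "999100"] [msg "Constructed PL1 SQLi rule"] [severity "CRITICAL"] [tag "attack-sqli"] [tag "paranoia-level/1"] [hostname "localhost"] [uri "/servlet/admin"] [unique_id "REQ1"]
[2016-03-07 17:50:31.720874] [-:error] 127.0.0.1:38796 REQ1 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:Authorization. [file "REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "593"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [severity "CRITICAL"] [tag "attack-sqli"] [tag "paranoia-level/2"] [hostname "localhost"] [uri "/servlet/admin"] [unique_id "REQ1"]
[2016-03-07 17:50:32.000000] [-:error] 127.0.0.1:38797 REQ2 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:name. [file "REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "700"] [id "999200"] [msg "Constructed PL2 rule"] [severity "WARNING"] [tag "attack-sqli"] [tag "paranoia-level/2"] [hostname "localhost"] [uri "/search"] [unique_id "REQ2"]
[2016-03-07 17:50:33.000000] [-:error] 127.0.0.1:38798 REQ3 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "999100"] [msg "Constructed PL1 SQLi rule"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "localhost"] [uri "/search"] [unique_id "REQ3"]
"""


def parse_alert(line):
    """Parse one ModSecurity error-log line into a dict of its bracketed
    fields. Repeated 'tag' fields are collected into a list. Returns None
    for lines that are not ModSecurity alerts or carry no rule id."""
    if "ModSecurity:" not in line:
        return None
    alert = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            alert["tags"].append(value)
        else:
            alert[key] = value
    return alert if "id" in alert else None


def load_alerts(text):
    """Parse every alert line in a block of error-log text."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [a for a in alerts if a is not None]


def paranoia_level(alert):
    """Paranoia level announced by the rule's paranoia-level/N tag.
    Assumption for this example: an untagged rule belongs to level 1."""
    for tag in alert["tags"]:
        m = PL_TAG_RE.match(tag)
        if m:
            return int(m.group(1))
    return 1


def rule_ids_by_level(alerts):
    """Which rule ids fired at each paranoia level (the basis of a PL diff)."""
    by_level = defaultdict(set)
    for alert in alerts:
        by_level[paranoia_level(alert)].add(alert["id"])
    return dict(by_level)


def anomaly_scores(alerts, max_level):
    """Per-request inbound anomaly score if only rules at or below max_level
    were active: every alert adds the weight of its severity, keyed by the
    request's unique_id. Requests with no alert are absent from the result."""
    scores = Counter()
    for alert in alerts:
        if paranoia_level(alert) <= max_level:
            weight = SEVERITY_SCORE.get(alert.get("severity", ""), 0)
            scores[alert["unique_id"]] += weight
    return dict(scores)


def score_distribution(alerts, max_level):
    """Histogram of anomaly scores across requests, i.e. the graph's data."""
    return dict(Counter(anomaly_scores(alerts, max_level).values()))


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_LOG)
    print("rules per PL:", rule_ids_by_level(alerts))
    for level in (1, 2):
        print(f"PL{level} scores:", anomaly_scores(alerts, level))
        print(f"PL{level} distribution:", score_distribution(alerts, level))
```

Running the script against a real error-log shows the same shift the graph in the thread illustrates: raising the level adds alerts from the paranoia-level/2 rules on top of the level-1 ones, so the per-request score histogram moves to the right. Because the parser keys on the `paranoia-level/N` tag alone, it also answers the tagging question in practice: any tag layout that is not a fixed `name/number` pair makes this kind of post-processing harder.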