Morris,

This works as advertised. Thanks for sharing.

If you are running it outside of the CRS, you may want to remove all the tags and the CRS-specific setvars.

Ahoj,

Christian

On Wed, Aug 24, 2016 at 04:57:39PM +0800, Morris Taylor wrote:
> Hi there:
>
> We have backported a rule from CRSv3 to CRSv2 for preventing web
> applications from HTTP parameter pollution attacks. The rules are as follows:
>
> SecRule ARGS_NAMES "." "phase:2, id:2001, rev:'2', ver:'OWASP_CRS/3.0.0', pass, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/3', tag:'CAPEC-460', setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
>
> SecRule TX:/paramcounter_.*/ "@gt 1" "msg:'HTTP Parameter Pollution (%{TX.1})', chain, phase:2, id:2002, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'7', accuracy:'8', severity:'CRITICAL', block, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/3', tag:'CAPEC-460', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
> SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" "capture, setvar:tx.msg=%{rule.msg}, setvar:tx.http_violation_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}"
>
> The differences between CRSv3 and the rules above are as follows:
> 1. The phase value is set to 2 instead of "request" to ensure
> compatibility for users of ancient ModSecurity versions who are not
> running ModSecurity with the early request module enabled.
> 2. The rule ids are modified to suit our case.
> 3. The multiline rules are reformatted into one line per rule.
> 4. The default action of the second rule is changed from pass to block;
> please note that this change may cause some new alarms on your side.
>
> I have performed several simple tests with ModSecurity 2.8 on my side,
> and it works perfectly.
> I hope this sharing will help those who are also suffering from HTTP
> parameter attacks and don't have enough time to patch their applications.
> Please correct me directly if you see anything wrong here. Thanks!
>
>
> --
> BR, Morris
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
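To see what the two backported rules actually count, here is an added Python simulation of their logic, written for this thread and not code from ModSecurity or the OWASP CRS project. It approximates ARGS_NAMES as the parameter names from the query string plus a URL-encoded body, keeps one counter per name exactly as rule 2001 does (keyed by MATCHED_VAR_NAME, so "ARGS_NAMES:id"), and then applies rule 2002's "@gt 1" check. It assumes the CRS default tx.critical_anomaly_score of 5 and that the chained setvar fires once per matching TX variable; both are assumptions, not something the thread states. The sample requests are constructed, not captured traffic.

```python
# Added example: a Python simulation of the two backported ModSecurity rules,
# not ModSecurity itself and not code from the CRS project.
from collections import Counter
from urllib.parse import parse_qsl

# Assumption: CRS default value of tx.critical_anomaly_score.
CRITICAL_ANOMALY_SCORE = 5


def args_names(query_string: str, body: str = "") -> list[str]:
    """Approximate ModSecurity's ARGS_NAMES: every parameter name from the
    query string plus every name from a URL-encoded request body, in order,
    duplicates included (ModSecurity counts both sources in one collection)."""
    names = [k for k, _ in parse_qsl(query_string, keep_blank_values=True)]
    names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return names


def param_counters(query_string: str, body: str = "") -> Counter:
    """Rule id:2001 -- one TX.paramcounter_<MATCHED_VAR_NAME> variable per
    distinct name, incremented once per occurrence. MATCHED_VAR_NAME for an
    ARGS_NAMES target looks like 'ARGS_NAMES:id', so the keys do too."""
    return Counter(f"ARGS_NAMES:{name}" for name in args_names(query_string, body))


def detect_hpp(query_string: str, body: str = ""):
    """Rule id:2002 -- every paramcounter_* variable whose value is @gt 1 is
    a hit. Returns (polluted name -> count, anomaly score increment, messages).
    Assumption: the chained setvar fires once per matching TX variable, so the
    score grows by critical_anomaly_score for each polluted name."""
    counters = param_counters(query_string, body)
    polluted = {name: n for name, n in counters.items() if n > 1}
    # Mirrors msg:'HTTP Parameter Pollution (%{TX.1})' where TX.1 is the
    # part captured after 'paramcounter_'.
    messages = [f"HTTP Parameter Pollution ({name})" for name in polluted]
    return polluted, CRITICAL_ANOMALY_SCORE * len(polluted), messages


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("id=1&id=2", ""),            # classic HPP inside the query string
        ("id=1", "id=2"),             # same name split across query and body
        ("a=1&b=2", ""),              # clean request, no counter exceeds 1
        ("tags[]=x&tags[]=y", ""),    # PHP-style array: counted as pollution too
    ]
    for qs, body in samples:
        print(f"{qs!r} body={body!r} -> {detect_hpp(qs, body)}")
```

The last sample is the caveat worth knowing before switching the second rule from pass to block, as Morris did: repeated names such as PHP's `tags[]=x&tags[]=y` are legitimate for many applications, yet the counter logic cannot distinguish them from an attack, which is why the CRS keeps this at paranoia level 3 and scores it rather than blocking outright.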