[Owasp-appsensor-project] ModSecurity Core Rule Set (CRS) Project Update - Rule Tag Data Linking to AppSensor

Ryan Barnett rcbarnett at gmail.com
Fri Feb 5 16:19:11 EST 2010


Greetings everyone,
I am the OWASP ModSecurity Core Rule Set (CRS) Project Leader - 
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

First off, I wanted to say that I really like the AppSensor concept.  There is some logical 
overlap between what categories of issues can be identified by AppSensor locally and what 
can be identified external to the app by an intermediary WAF.  There are however also some 
categories of issues that can only be determined when you have access to internal code 
logic and data (mainly authentication/authorization types of issues).  I also like some of 
the more behavioral detection capabilities that are presented to identify abnormal spikes 
in app usage.  I am planning to put some research into how some of this logic can be 
implemented in ModSecurity using the Lua API.

Anyways, onto my main point for this email.  While the CRS doesn't cover all of the 
detection category items in AppSensor, it does include some of them.  I have just released 
v2.0.5 of the CRS and in it, I have included additional TAG data referencing the 
corresponding AppSensor sections.  This data is presented to the user in the logs when 
rules trigger.  Here is an example when someone sends the DELETE request method, which is 
not allowed by default policy -

Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file 
"/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_30_http_policy.conf"] 
[line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "DELETE"] 
[severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag 
"OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

Notice that the TAG data references AppSensor section RE1.

Anyways, I just wanted to share this info and say keep up the great work!

Cheers.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
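As an added example (not from the email above, and not CRS project code), the following Python parses the bracketed `[key "value"]` fields of a ModSecurity alert message such as the one quoted in the email and pulls out the `OWASP_AppSensor/...` tags, so that CRS alerts can be counted per AppSensor detection point. The first sample line is the one shown in the email; the second is a constructed line with placeholder id and file values that do not correspond to any real CRS rule.

```python
import re
from collections import Counter

# Sample ModSecurity alert lines. The first is the alert quoted in the email
# above. The second is constructed for this example: its id, file and tags
# are placeholders, not a real CRS rule.
SAMPLE_ALERTS = [
    'Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. '
    '[file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_30_http_policy.conf"] '
    '[line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "DELETE"] '
    '[severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] '
    '[tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]',
    # constructed line (hypothetical rule, placeholder values)
    'Message: Constructed example alert. [file "/placeholder/example.conf"] [line "1"] '
    '[id "999999"] [msg "Constructed example"] [severity "WARNING"] '
    '[tag "OWASP_AppSensor/RE1"] [tag "OWASP_AppSensor/IE1"]',
]

# One bracketed field: [key "value"]; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

APPSENSOR_PREFIX = "OWASP_AppSensor/"


def parse_alert(line):
    """Return (message_text, fields).

    fields maps each key to a list of values, because keys such as "tag"
    repeat within a single alert. message_text is the free-text part before
    the first bracketed field, with the leading "Message:" label removed.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    first = FIELD_RE.search(line)
    text = line[:first.start()].strip() if first else line.strip()
    if text.startswith("Message:"):
        text = text[len("Message:"):].strip()
    return text, fields


def appsensor_points(fields):
    """AppSensor detection point IDs (e.g. 'RE1') from the alert's tags."""
    return [t[len(APPSENSOR_PREFIX):]
            for t in fields.get("tag", [])
            if t.startswith(APPSENSOR_PREFIX)]


def count_appsensor_points(lines):
    """Count how often each AppSensor detection point appears across alerts."""
    counts = Counter()
    for line in lines:
        _, fields = parse_alert(line)
        counts.update(appsensor_points(fields))
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        text, fields = parse_alert(line)
        print(fields["id"][0], fields.get("msg", [""])[0], "->", appsensor_points(fields))
    print(dict(count_appsensor_points(SAMPLE_ALERTS)))
```

Feeding real audit-log Message lines through count_appsensor_points gives a per-detection-point tally that can be compared against the AppSensor categories the CRS covers versus those it does not.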

