[Owasp-appsensor-project] ModSecurity Core Rule Set (CRS) Project Update - Rule Tag Data Linking to AppSensor

Michael Coates michael.coates at owasp.org
Sun Feb 7 13:06:10 EST 2010


Ryan,

This is great news. We are happy to be linked together with the ModSecurity
project.  Would you be willing to share your mappings? We will soon be
expanding the information provided for each detection point and would also
like to cross reference mapping information just as you have done.

Also, let's talk and see how these two projects can continue to work
together.

Thanks,

Michael Coates
OWASP Global Membership Committee
AppSensor Project Lead


On Fri, Feb 5, 2010 at 3:19 PM, Ryan Barnett <rcbarnett at gmail.com> wrote:

> Greetings everyone,
> I am the OWASP ModSecurity Core Rule Set (CRS) Project Leader -
>
> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>
> First off, I wanted to say that I really like the AppSensor concept.  There
> is some logical overlap between what categories of issues can be identified
> by AppSensor locally and what can be identified external to the app by an
> intermediary WAF.  There are however also some categories of issues that can
> only be determined when you have access to internal code logic and data
> (mainly authentication/authorization types of issues).  I also like some of
> the more behavioral detection capabilities that are presented to identify
> abnormal spikes in app usage.  I am planning to put some research into how
> some of this logic can be implemented in ModSecurity using the Lua API.
>
> Anyways, onto my main point for this email.  While the CRS doesn't cover
> all of the detection category items in AppSensor, it does include some of
> them.  I have just released v2.0.5 of the CRS and in it, I have included
> additional TAG data referencing the corresponding AppSensor sections.  This
> data is presented to the user in the logs when rules trigger.  Here is an
> example when someone sends the DELETE request method, which is not allowed
> by default policy -
>
> Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
>
> Notice that the TAG data references AppSensor section RE1.
>
> Anyways, I just wanted to share this info and say keep up the great work!
>
> Cheers.
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
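The message Ryan quotes is a ModSecurity log line whose bracketed fields carry the CRS tag data, including the `OWASP_AppSensor/RE1` cross-reference. The following Python is an added example, not code from the thread or from either project: it parses such lines into their fields, pulls out the AppSensor detection point IDs from the tags, and then does the kind of per-client correlation AppSensor describes (count detection-point hits per client and flag those that cross a threshold). The sample events, the client addresses, the rule id `999001` and the threshold value are all constructed for the example; the first message is the one from the thread.

```python
import re
from collections import defaultdict

# Matches one bracketed key/value field such as [id "960032"] or
# [tag "OWASP_AppSensor/RE1"], allowing backslash-escaped quotes in the value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Tag prefix the CRS uses for the AppSensor cross-reference (seen in the thread).
APPSENSOR_TAG_PREFIX = "OWASP_AppSensor/"

# Constructed sample events as (client_ip, modsecurity_message) tuples.
# The first message text is the CRS 2.0.5 log line quoted in the thread;
# the other message (rule id 999001, tag POLICY/EXAMPLE) is a placeholder
# invented for this example to show a rule with no AppSensor tag.
CRS_DELETE_MESSAGE = (
    'Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" '
    'required. [file "/usr/local/apache/conf/modsec_current/base_rules/'
    'modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] '
    '[msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] '
    '[tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] '
    '[tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]'
)
NON_APPSENSOR_MESSAGE = (
    'Message: Constructed example. [id "999001"] '
    '[msg "Example rule without an AppSensor tag"] [tag "POLICY/EXAMPLE"]'
)
SAMPLE_EVENTS = [
    ("192.0.2.10", CRS_DELETE_MESSAGE),
    ("192.0.2.10", NON_APPSENSOR_MESSAGE),
    ("192.0.2.10", CRS_DELETE_MESSAGE),
    ("198.51.100.7", CRS_DELETE_MESSAGE),
    ("192.0.2.10", CRS_DELETE_MESSAGE),
]


def parse_modsec_message(message):
    """Split a ModSecurity message line into its bracketed fields.

    Single-valued keys (id, msg, data, severity, file, line) become plain
    entries; the repeatable 'tag' key is collected into a list.
    """
    fields = {"tags": []}
    for key, value in FIELD_RE.findall(message):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def appsensor_detection_points(message):
    """Return the AppSensor detection point IDs (e.g. 'RE1') referenced by the tags."""
    tags = parse_modsec_message(message)["tags"]
    return [t[len(APPSENSOR_TAG_PREFIX):] for t in tags if t.startswith(APPSENSOR_TAG_PREFIX)]


def correlate(events, threshold=3):
    """Count AppSensor detection-point hits per client.

    Returns {client: {detection_point: count}} for every client whose total
    number of AppSensor-tagged events reaches the threshold. Rules without
    an AppSensor tag are parsed but do not contribute to the count.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for client, message in events:
        for point in appsensor_detection_points(message):
            counts[client][point] += 1
    return {
        client: dict(points)
        for client, points in counts.items()
        if sum(points.values()) >= threshold
    }


if __name__ == "__main__":
    print(parse_modsec_message(CRS_DELETE_MESSAGE))
    print(correlate(SAMPLE_EVENTS, threshold=3))
```

With the constructed events, `192.0.2.10` accumulates three `RE1` hits and is flagged, while `198.51.100.7` has one and is not; the placeholder rule without an AppSensor tag is parsed but ignored by the correlation, which is the point of keying the behaviour on the cross-reference tag rather than on every rule match.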