[Owasp-appsensor-project] Implementing OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

Ryan Barnett ryan.barnett at owasp.org
Wed Aug 31 17:17:00 EDT 2011


Please forgive the cross postings, but I wanted to make sure that all
relevant parties were informed of this update.  I have begun the process of
implementing the OWASP AppSensor Detection Points
(https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP
ModSecurity Core Rule Set
(https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).

I am pleased to announce that I have just made an update to the OWASP CRS
SVN repository that fully implements the Request Exception (RE) category -
https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException.
See the following blog post for more details -
http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog
post
(http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html)
is that both the profiling and detection logic have been moved to Lua
scripts.  With the increased logic capabilities of Lua, we are now able to
more accurately profile the application in real-time by analyzing traffic
and automatically generating profiles for the following resource
characteristics -
* Enforce the expected Request Method(s)
* Enforce the number of expected parameters (min-max range)
* Enforce parameter names
* Enforce parameter lengths (min-max range)
* Enforce Character Classes
  * Flag (e.g. - /path/to/foo.php?param)
  * Digits (e.g. - /path/to/foo.php?param=1234)
  * Alpha (e.g. - /path/to/foo.php?param=abcd)
  * AlphaNumeric (e.g. - /path/to/foo.php?param=abcd1234)
  * Email (e.g. - /path/to/foo.php?param=foo@bar.com)
  * Path (e.g. - /path/to/foo.php?param=/dir/somefile.txt)
  * URL (e.g. - /path/to/foo.php?param=http://somehost/dir/file.txt)
  * SafeText (e.g. - /path/to/foo.php?param=some_data-12)

The updated rules files are in the /experimental_rules directory -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/
Look in the /lua folder to find the 2 scripts -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/lua/

I encourage people to test out these new rules and to report back their
experiences - both good and bad.

FYI - I also wanted to thank Josh Zlatin for assisting with the initial Lua
script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader
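
The profiling and enforcement steps listed in the message above, as an added Python sketch that is not part of the original post and is not the CRS Lua code: it learns a per-resource profile (methods, parameter count, names, lengths, character classes) from observed requests and reports the first deviation per parameter. The regexes, function names and sample requests are assumptions constructed for illustration.

```python
import re

# Assumed regexes for the character classes named in the post, narrowest first;
# the patterns used by the CRS Lua scripts are not shown on the page.
CLASSES = [("Flag", r""), ("Digits", r"[0-9]+"), ("Alpha", r"[A-Za-z]+"),
           ("AlphaNumeric", r"[A-Za-z0-9]+"),
           ("Email", r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
           ("URL", r"https?://[\w.-]+(:\d+)?(/[\w./%-]*)?"),
           ("Path", r"(/[\w.-]+)+/?"),
           ("SafeText", r"[\w .,-]+")]

def classify(value):
    """Return the first class whose pattern matches the whole value."""
    for name, pattern in CLASSES:
        if re.fullmatch(pattern, value, re.ASCII):
            return name
    return "Unclassified"

def learn(profile, method, params):
    """Fold one observed request (method, dict of parameters) into the profile."""
    profile.setdefault("methods", set()).add(method)
    lo, hi = profile.get("count", (len(params), len(params)))
    profile["count"] = (min(lo, len(params)), max(hi, len(params)))
    for name, value in params.items():
        n = len(value)
        p = profile.setdefault("params", {}).setdefault(name, {"len": (n, n), "classes": set()})
        p["len"] = (min(p["len"][0], n), max(p["len"][1], n))
        p["classes"].add(classify(value))
    return profile

def check(profile, method, params):
    """Return the profile violations for a request; an empty list means it conforms."""
    found = []
    if method not in profile["methods"]:
        found.append("method")
    if not profile["count"][0] <= len(params) <= profile["count"][1]:
        found.append("param_count")
    for name, value in params.items():
        p = profile.get("params", {}).get(name)
        if p is None:
            found.append("param_name:" + name)
        elif not p["len"][0] <= len(value) <= p["len"][1]:
            found.append("param_length:" + name)
        elif classify(value) not in p["classes"]:
            found.append("char_class:" + name)
    return found

# Constructed training traffic for one resource (not taken from the post).
PROFILE = {}
for _method, _params in [("GET", {"id": "1234", "file": "/dir/somefile.txt"}),
                         ("GET", {"id": "87", "file": "/dir/a.txt"})]:
    learn(PROFILE, _method, _params)
```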

