[Owasp-modsecurity-core-rule-set] [mod-security-users] base rules phpids

Ryan Barnett Ryan.Barnett at breach.com
Wed Feb 17 08:35:45 EST 2010


Tim,
There is a separate email list for the CRS - 
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

I am cross-posting this thread however.  The security filters taken from PHPIDS are applicable to *all* web applications.  The filters use the same "attack payload detection" approach that the CRS does.  They are not specifically focusing on any PHP vulnerabilities.  They are looking for XSS, SQLi, RFI, etc...  Looking at the rule you listed below, it looks as though it is triggering on some XSS/Javascript data.  If you can post an example audit log entry it may help to diagnose.

-Ryan

________________________________________
From: Timothy Legge [timlegge at gmail.com]
Sent: Wednesday, February 17, 2010 8:23 AM
To: mod-security-users at lists.sourceforge.net
Subject: [mod-security-users] base rules phpids

Hi

We have a couple of pages that are hitting the following rule:

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* \
    "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" \
    "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,\
    ctl:auditLogParts=+E,block,nolog,auditlog,\
    msg:'Detects JavaScript location/document property access and window access obfuscation',\
    id:'phpids-23',tag:'WEB_ATTACK',logdata:'%{TX.0}',severity:'2',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}"

Our site is not PHP. Is there any good reason to use the phpids rules?

Tim
