[Owasp-modsecurity-core-rule-set] Bug in CRS 2.2.2 rule 960335?

Ryan Barnett RBarnett at trustwave.com
Wed Sep 7 15:26:14 EDT 2011


From: Ty <ty733420 at gmail.com>
Date: Wed, 7 Sep 2011 13:08:43 -0500
To: "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Bug in CRS 2.2.2 rule 960335?

Hello,

I'm running into what I think are false positives for rule 960335 in CRS 2.2.2.  I see blocked requests with "Operator GT matched 512 at ARGS:xxx" when there are clearly fewer than 512 parameters being sent.

Should the "SecRule ARGS" rule be replaced with "SecRule &ARGS", like the below?

Yes, good catch.  I had updated these rules and removed the & that was there by mistake on these other rules and removed this one too…  It is now fixed in SVN -

http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_23_request_limits.conf?revision=1837

-Ryan



Thanks,
Ty

# Maximum number of arguments in request limited
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.2.2'"
    SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
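The difference between `SecRule ARGS` and `SecRule &ARGS` explains the log line Ty quotes. Without the `&` count operator, `ARGS` expands to one value per request parameter and `@gt 512` is evaluated against each parameter's value, so a single numeric value above 512 (an order total, a pixel width, a timestamp) fires the rule and the log names that parameter as `matched_var_name`. With `&ARGS` the operator is evaluated once, against the number of parameters. The following model is an added example, not ModSecurity or CRS code; it assumes that `@gt` converts a variable to an integer the way C `atoi` does (leading digits are read, anything else becomes 0), which is an approximation of ModSecurity's behaviour used here only for illustration.

```python
"""Model of why 'SecRule ARGS "@gt N"' false-positives where 'SecRule &ARGS "@gt N"'
does not.  Constructed example; not ModSecurity or CRS code."""
import re
from urllib.parse import parse_qsl

MAX_NUM_ARGS = 512  # CRS 2.2.2 default for tx.max_num_args


def to_int(value: str) -> int:
    """Approximate ModSecurity's integer conversion for @gt.
    ASSUMPTION: leading digits are parsed atoi-style, non-numeric input becomes 0."""
    m = re.match(r"\s*[-+]?\d+", value)
    return int(m.group(0)) if m else 0


def args_from_query(query: str):
    """Expand ARGS: the list of (name, value) pairs the engine would collect."""
    return parse_qsl(query, keep_blank_values=True)


def rule_args_gt(query: str, limit: int = MAX_NUM_ARGS):
    """SecRule ARGS "@gt limit": the operator runs against every argument VALUE.
    Returns the ARGS:name targets that matched (what the log prints as
    'Operator GT matched <limit> at ARGS:<name>')."""
    return [f"ARGS:{name}" for name, value in args_from_query(query)
            if to_int(value) > limit]


def rule_count_args_gt(query: str, limit: int = MAX_NUM_ARGS) -> bool:
    """SecRule &ARGS "@gt limit": the operator runs once, against the COUNT of arguments."""
    return len(args_from_query(query)) > limit


# Constructed sample requests (not captured traffic).
SMALL_REQUEST = "user=alice&page=2&order_total=1999"    # 3 params, one value > 512
BIG_REQUEST = "&".join(f"f{i}=x" for i in range(600))   # 600 params, no numeric values

if __name__ == "__main__":
    # Buggy form: blocks the 3-parameter request because a value exceeds 512 ...
    print(rule_args_gt(SMALL_REQUEST))        # ['ARGS:order_total']
    # ... and does not block the 600-parameter flood, since no value is numeric.
    print(rule_args_gt(BIG_REQUEST))          # []
    # Fixed form: decides on the parameter count only.
    print(rule_count_args_gt(SMALL_REQUEST))  # False
    print(rule_count_args_gt(BIG_REQUEST))    # True
```

The model shows both halves of the defect: the `ARGS` form produces the false positive on an ordinary request and, just as importantly, misses the argument flood the rule exists to catch whenever the values are non-numeric. When auditing a CRS deployment for similar mistakes, look for size-limit rules whose target lacks the `&` prefix but whose operator is numeric.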



