[Owasp-modsecurity-core-rule-set] CRS 3.0.0rc1 renumbering issues

Christian Folini christian.folini at time-machine.ch
Tue Jan 26 19:52:18 UTC 2016


Hi there,

@Chaim: I am posting to the mailing list, so this post is archived.

I took a closer look at the id renumbering between 2.2.9 and 3.0.0rc1
(or between 3.0.0-dev and 3.0.0-rc1, to be more precise) as
documented in
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv

The file brings 177 rule IDs. The origin of most of the rules
is clear. But there are a few special cases. Here is the list:

900050 : unknown (possibly introduced with 3.0.0-dev)
900051 : unknown (possibly introduced with 3.0.0-dev)
900051 : unknown (possibly introduced with 3.0.0-dev)
950000 : crs-2.2.9-base-rules-ids
950001 : crs-2.2.9-base-rules-ids
950003 : crs-2.2.9-base-rules-ids
950005 : crs-2.2.9-base-rules-ids
950009 : crs-2.2.9-base-rules-ids
950012 : crs-2.2.9-base-rules-ids
950103 : crs-2.2.9-base-rules-ids crs-2.2.9-base-rules-ids
950104 : unknown (possibly introduced with 3.0.0-dev)
950107 : crs-2.2.9-base-rules-ids
950108 : crs-2.2.9-base-rules-ids
950109 : crs-2.2.9-base-rules-ids
950116 : crs-2.2.9-base-rules-ids
950117 : crs-2.2.9-base-rules-ids
950118 : crs-2.2.9-base-rules-ids
950119 : crs-2.2.9-base-rules-ids
950120 : crs-2.2.9-base-rules-ids
950801 : crs-2.2.9-base-rules-ids
950901 : crs-2.2.9-base-rules-ids
950907 : crs-2.2.9-base-rules-ids
950910 : crs-2.2.9-base-rules-ids
950911 : crs-2.2.9-base-rules-ids
950912 : unknown (possibly introduced with 3.0.0-dev)
950913 : unknown (possibly introduced with 3.0.0-dev)
950914 : unknown (possibly introduced with 3.0.0-dev)
950915 : unknown (possibly introduced with 3.0.0-dev)
950916 : unknown (possibly introduced with 3.0.0-dev)
958230 : crs-2.2.9-base-rules-ids
958231 : crs-2.2.9-base-rules-ids
958295 : crs-2.2.9-base-rules-ids
958977 : crs-2.2.9-base-rules-ids
958978 : unknown (possibly introduced with 3.0.0-dev)
958979 : unknown (possibly introduced with 3.0.0-dev)
958980 : unknown (possibly introduced with 3.0.0-dev)
959151 : crs-2.2.9-base-rules-ids
960000 : crs-2.2.9-base-rules-ids
960006 : crs-2.2.9-base-rules-ids
960007 : crs-2.2.9-base-rules-ids
960008 : crs-2.2.9-base-rules-ids
960009 : crs-2.2.9-base-rules-ids
960010 : crs-2.2.9-base-rules-ids
960011 : crs-2.2.9-base-rules-ids
960012 : crs-2.2.9-base-rules-ids
960015 : crs-2.2.9-base-rules-ids
960016 : crs-2.2.9-base-rules-ids
960017 : crs-2.2.9-base-rules-ids
960021 : crs-2.2.9-base-rules-ids
960032 : crs-2.2.9-base-rules-ids
960034 : crs-2.2.9-base-rules-ids
960035 : crs-2.2.9-base-rules-ids
960038 : crs-2.2.9-base-rules-ids
960208 : crs-2.2.9-base-rules-ids
960209 : crs-2.2.9-base-rules-ids
960335 : crs-2.2.9-base-rules-ids
960341 : crs-2.2.9-base-rules-ids
960342 : crs-2.2.9-base-rules-ids
960343 : crs-2.2.9-base-rules-ids
960901 : crs-2.2.9-base-rules-ids
960904 : crs-2.2.9-base-rules-ids
960911 : crs-2.2.9-base-rules-ids
960912 : crs-2.2.9-base-rules-ids
960914 : crs-2.2.9-base-rules-ids
960915 : crs-2.2.9-base-rules-ids
970003 : crs-2.2.9-base-rules-ids
970004 : crs-2.2.9-base-rules-ids
970009 : crs-2.2.9-base-rules-ids
970013 : crs-2.2.9-base-rules-ids
970014 : crs-2.2.9-base-rules-ids
970015 : crs-2.2.9-base-rules-ids
970017 : unknown (possibly introduced with 3.0.0-dev)
970017 : unknown (possibly introduced with 3.0.0-dev)
970118 : crs-2.2.9-base-rules-ids
970901 : crs-2.2.9-base-rules-ids
970902 : crs-2.2.9-base-rules-ids
970904 : crs-2.2.9-base-rules-ids
973315 : crs-2.2.9-base-rules-ids
973317 : crs-2.2.9-base-rules-ids
973318 : crs-2.2.9-base-rules-ids
973319 : crs-2.2.9-base-rules-ids
973320 : crs-2.2.9-base-rules-ids
973321 : crs-2.2.9-base-rules-ids
973322 : crs-2.2.9-base-rules-ids
973323 : crs-2.2.9-base-rules-ids
973324 : crs-2.2.9-base-rules-ids
973326 : crs-2.2.9-base-rules-ids
973336 : crs-2.2.9-base-rules-ids
973337 : crs-2.2.9-base-rules-ids
973338 : crs-2.2.9-base-rules-ids
973339 : unknown (possibly introduced with 3.0.0-dev)
973340 : unknown (possibly introduced with 3.0.0-dev)
973341 : unknown (possibly introduced with 3.0.0-dev)
973342 : unknown (possibly introduced with 3.0.0-dev)
973343 : unknown (possibly introduced with 3.0.0-dev)
973344 : crs-2.2.9-base-rules-ids
973345 : crs-2.2.9-base-rules-ids
973346 : crs-2.2.9-base-rules-ids
973348 : crs-2.2.9-base-rules-ids
973350 : unknown (possibly introduced with 3.0.0-dev)
981020 : crs-2.2.9-base-rules-ids
981021 : crs-2.2.9-base-rules-ids
981044 : crs-2.2.9-experimental-rules-ids
981045 : crs-2.2.9-experimental-rules-ids
981046 : crs-2.2.9-experimental-rules-ids
981047 : crs-2.2.9-experimental-rules-ids
981048 : crs-2.2.9-experimental-rules-ids
981049 : crs-2.2.9-experimental-rules-ids
981138 : crs-2.2.9-optional-rules-ids
981139 : crs-2.2.9-optional-rules-ids
981140 : crs-2.2.9-optional-rules-ids
981141 : unknown (possibly introduced with 3.0.0-dev)
981142 : crs-2.2.9-experimental-rules-ids
981143 : crs-2.2.9-optional-rules-ids
981144 : crs-2.2.9-optional-rules-ids
981175 : crs-2.2.9-base-rules-ids
981176 : crs-2.2.9-base-rules-ids
981179 : unknown (possibly introduced with 3.0.0-dev)
981180 : crs-2.2.9-optional-rules-ids
981181 : crs-2.2.9-optional-rules-ids
981182 : crs-2.2.9-optional-rules-ids
981183 : unknown (possibly introduced with 3.0.0-dev)
981184 : crs-2.2.9-optional-rules-ids
981186 : unknown (possibly introduced with 3.0.0-dev)
981187 : crs-2.2.9-experimental-rules-ids
981200 : crs-2.2.9-base-rules-ids
981201 : crs-2.2.9-base-rules-ids
981202 : crs-2.2.9-base-rules-ids
981203 : crs-2.2.9-base-rules-ids
981204 : crs-2.2.9-base-rules-ids
981205 : crs-2.2.9-base-rules-ids
981227 : crs-2.2.9-base-rules-ids
981240 : crs-2.2.9-base-rules-ids
981241 : crs-2.2.9-base-rules-ids
981242 : crs-2.2.9-base-rules-ids
981243 : crs-2.2.9-base-rules-ids
981244 : crs-2.2.9-base-rules-ids
981245 : crs-2.2.9-base-rules-ids
981246 : crs-2.2.9-base-rules-ids
981247 : crs-2.2.9-base-rules-ids
981248 : crs-2.2.9-base-rules-ids
981249 : crs-2.2.9-base-rules-ids
981250 : crs-2.2.9-base-rules-ids
981251 : crs-2.2.9-base-rules-ids
981252 : crs-2.2.9-base-rules-ids
981253 : crs-2.2.9-base-rules-ids
981254 : crs-2.2.9-base-rules-ids
981255 : crs-2.2.9-base-rules-ids
981256 : crs-2.2.9-base-rules-ids
981257 : crs-2.2.9-base-rules-ids
981261 : unknown (possibly introduced with 3.0.0-dev)
981270 : crs-2.2.9-base-rules-ids
981272 : crs-2.2.9-base-rules-ids
981276 : crs-2.2.9-base-rules-ids
981277 : crs-2.2.9-base-rules-ids
981318 : crs-2.2.9-base-rules-ids
981319 : crs-2.2.9-base-rules-ids
981320 : crs-2.2.9-base-rules-ids
990002 : crs-2.2.9-base-rules-ids
990901 : crs-2.2.9-base-rules-ids
990902 : crs-2.2.9-base-rules-ids
9700010 : unknown (possibly introduced with 3.0.0-dev)
9700011 : unknown (possibly introduced with 3.0.0-dev)
9700012 : unknown (possibly introduced with 3.0.0-dev)
9700013 : unknown (possibly introduced with 3.0.0-dev)
9700014 : unknown (possibly introduced with 3.0.0-dev)
9700015 : unknown (possibly introduced with 3.0.0-dev)
9700016 : unknown (possibly introduced with 3.0.0-dev)
9700017 : unknown (possibly introduced with 3.0.0-dev)
9700018 : unknown (possibly introduced with 3.0.0-dev)
9700019 : unknown (possibly introduced with 3.0.0-dev)
9700020 : unknown (possibly introduced with 3.0.0-dev)
9700021 : unknown (possibly introduced with 3.0.0-dev)
9700022 : unknown (possibly introduced with 3.0.0-dev)
9700023 : unknown (possibly introduced with 3.0.0-dev)
9700024 : unknown (possibly introduced with 3.0.0-dev)
9700025 : unknown (possibly introduced with 3.0.0-dev)


So we have quite a bunch of renumbered rules, which never
appeared in a formal release. I assume they were introduced
within the 3.0.0-dev branch.

The problem for me is the rules from the optional branches
of the 2.2.X ruleset:
- optional rules
- experimental rules
- slr rules

The slr rules seem to have been dropped. All 2088 of them.
(Anybody ever worked with these in production?)

Most of the optional rules and experimental rules are gone as
well. However, some of them seem to have been carried over:

981044 : crs-2.2.9-experimental-rules-ids
981045 : crs-2.2.9-experimental-rules-ids
981046 : crs-2.2.9-experimental-rules-ids
981047 : crs-2.2.9-experimental-rules-ids
981048 : crs-2.2.9-experimental-rules-ids
981049 : crs-2.2.9-experimental-rules-ids
981142 : crs-2.2.9-experimental-rules-ids
981187 : crs-2.2.9-experimental-rules-ids

981138 : crs-2.2.9-optional-rules-ids
981139 : crs-2.2.9-optional-rules-ids
981140 : crs-2.2.9-optional-rules-ids
981143 : crs-2.2.9-optional-rules-ids
981144 : crs-2.2.9-optional-rules-ids
981180 : crs-2.2.9-optional-rules-ids
981181 : crs-2.2.9-optional-rules-ids
981182 : crs-2.2.9-optional-rules-ids
981184 : crs-2.2.9-optional-rules-ids

But in fact, I think these are false friends:

IdNumbering.csv:	981142,910150
981142:	(from the experimental rules)
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable. This is not done by
# default since the request body content-type is JSON.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,
    id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

910150: rules
SecRule TX:block_spammer_ip "@eq 1" \
   "msg:'HTTP Blacklist match for spammer IP',\

IdNumbering.csv:	981182,949140
981182: (from the optional rules)
#
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page
#   non-encoded.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" ...

949140:
#
# -=[ Local File Inclusion (LFI) Score ]=-
# 
SecRule TX:LFI_SCORE "@ge %{tx.lfi_score_threshold}" \
	"msg:'Local File Inclusion (LFI) Anomaly Threshold 
	Exceeded (LFI Score: %{TX.LFI_SCORE})',\

So these two examples are clearly non-aligned. And I suspect
so are the other rules with ids which used to appear in the
optional and experimental rules.
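The two checks the mail does by hand, classifying each old id in IdNumbering.csv by the 2.2.9 file it came from (the long listing above) and then comparing the old rule against the rule that now carries the new id (the two "false friend" pairs), can be scripted. The following is an added example written for this post; it is not Christian's script and not part of the CRS project. It assumes nothing about the CRS tooling: the CSV excerpt, the per-file id sets and the rule snippets are constructed inline from what the mail quotes, and the action lists the mail cuts short are completed with constructed actions so the snippets parse. The alignment heuristic (same variable list and same operator means the rule was carried over, anything else is flagged for manual review) is the example's own choice, not a CRS convention.

```python
import csv
import io
import re

# Constructed excerpt of IdNumbering.csv (old_id,new_id). The first two pairs
# are the ones quoted in the mail; the third maps an old id of unknown origin
# to a constructed placeholder so that an "unknown" row shows up in the report.
ID_NUMBERING_CSV = """981142,910150
981182,949140
900050,NEW_ID_PLACEHOLDER
"""

# Constructed stand-ins for the 2.2.9 rule files: a few ids per file, taken
# from the listing in the mail, instead of the full id set of each file.
CRS_229_FILES = {
    "crs-2.2.9-base-rules-ids": {"950000", "950001", "950103"},
    "crs-2.2.9-optional-rules-ids": {"981138", "981182"},
    "crs-2.2.9-experimental-rules-ids": {"981044", "981142"},
}

# Rule excerpts as quoted in the mail. Where the mail truncates the action
# list, the actions below are constructed for this example only.
OLD_RULES = r'''
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable.
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,\
    id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

# Identifies Stored XSS (actions constructed)
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" \
    "id:'981182',phase:4,t:none,msg:'Stored XSS'"
'''

NEW_RULES = r'''
SecRule TX:block_spammer_ip "@eq 1" \
   "msg:'HTTP Blacklist match for spammer IP',\
   id:910150,phase:2,block"

# -=[ Local File Inclusion (LFI) Score ]=-
SecRule TX:LFI_SCORE "@ge %{tx.lfi_score_threshold}" \
    "msg:'Local File Inclusion (LFI) Anomaly Threshold Exceeded (LFI Score: %{TX.LFI_SCORE})',\
    id:949140,phase:5,block"
'''

RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"([^"]*)"\s+"(.*)"\s*$')


def _logical_lines(text):
    """Join Apache-style continuation lines (trailing backslash) into one line."""
    buf = ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rules(text):
    """Map rule id -> {variables, operator, msg} for every SecRule in text."""
    rules = {}
    for line in _logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-SecRule directives
        variables, operator, actions = m.groups()
        rid = re.search(r"id:'?(\d+)'?", actions)
        if not rid:
            continue
        msg = re.search(r"msg:'([^']*)'", actions)
        rules[rid.group(1)] = {
            "variables": variables,
            "operator": operator.split()[0],  # "@streq %{...}" -> "@streq"
            "msg": msg.group(1) if msg else "",
        }
    return rules


def classify_origin(old_id, file_sets):
    """Name the 2.2.9 file(s) an old id came from, in the mail's output format."""
    hits = [name for name, ids in file_sets.items() if old_id in ids]
    return " ".join(hits) if hits else "unknown (possibly introduced with 3.0.0-dev)"


def alignment_report(csv_text=ID_NUMBERING_CSV, file_sets=CRS_229_FILES,
                     old_rules=None, new_rules=None):
    """One (old_id, new_id, origin, status) row per CSV line."""
    old_rules = parse_rules(OLD_RULES) if old_rules is None else old_rules
    new_rules = parse_rules(NEW_RULES) if new_rules is None else new_rules
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue
        old_id, new_id = row[0].strip(), row[1].strip()
        old, new = old_rules.get(old_id), new_rules.get(new_id)
        if old is None or new is None:
            status = "not found in the excerpts"
        elif (old["variables"], old["operator"]) == (new["variables"], new["operator"]):
            status = "aligned"
        else:
            status = "false friend"  # same id family, different rule: review by hand
        rows.append((old_id, new_id, classify_origin(old_id, file_sets), status))
    return rows


if __name__ == "__main__":
    for old_id, new_id, origin, status in alignment_report():
        print(f"{old_id} -> {new_id}: {origin}; {status}")
```

Run against the real IdNumbering.csv and the full rule files, the "false friend" rows are the ones to raise with the maintainers; the variable/operator comparison is deliberately coarse, so a rule whose target list was reworked during renumbering will also be flagged and needs a human look.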

So is this simply an error with the renumbering, or 
are all optional and experimental rules dropped for 3.0.0?
And then there were new rules introduced which by accident
re-used rule IDs of the 2.2.X optional and experimental
ruleset?

I am a bit at a loss here and given we are combing all the rules
for a possible inclusion in the paranoid mode, this has to
be solved.

Any response is much appreciated!

Christian


-- 
The Devil is not the Prince of Matter; the Devil is the arrogance
of the spirit, faith without smile, truth that is never seized by doubt.
The Devil is grim because he knows where he is going, and, in moving, he
always returns whence he came.         
-- Umberto Eco