[Owasp-modsecurity-core-rule-set] Paranoia Level: Multiple log entries of stricter siblings

Franziska Buehler franziska.buehler.schmocker at gmail.com
Sun Mar 6 09:00:08 UTC 2016


We have some proposals for stricter siblings of existing rules.
When cloning rules to stricter siblings, multiple rules at different
paranoia levels could match.
Several clones of a rule should use strict limits to avoid multiple
log entries for one request.

I take Christian's example to explain what I mean:
In his example, to explain the mechanics proposal, he clones the rule
981173. The main rule is suggested to be at paranoia level 2,
accompanied by two stricter siblings at levels 3 and 4.

Paranoia level 2:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){5,}" \...

Paranoia level 3:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){3,}" \...

Paranoia level 4:
SecRule ARGS_NAMES|ARGS|XML:/* "[\~\!\@\#\.....\<\>]" \...

In this example, requests with more than 5 special characters, and a
chosen paranoia level of 4, will create three distinct log entries in

Example with stricter limits at paranoia level 3:
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\.....\<\>].*?){3,4}" \...
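As an added illustration (not code from this mailing list post or from the CRS project), a small Python check that lists which sibling rules would log for one argument value under the naive clones above and under clones with strict, disjoint limits. The character class is constructed and stands in for the elided class of rule 981173; the banded patterns anchor the count over the whole value, since an unanchored `{3,4}` still finds a three-occurrence substring in a value with five specials and fires as well.

```python
import re

# Constructed character class; the real class of rule 981173 is elided on the page.
SPECIAL = r"[~!@#$%^&*()<>]"
NOT_SPECIAL = r"[^~!@#$%^&*()<>]"

# Naive stricter siblings, as in the cloning example: each stricter level is a
# superset of the looser one, so one value can fire several of them at once.
NAIVE = {
    2: rf"({SPECIAL}.*?){{5,}}",
    3: rf"({SPECIAL}.*?){{3,}}",
    4: SPECIAL,
}

# Siblings with strict limits: each level owns a disjoint band of counts.
# The band is anchored over the whole value (^ ... $) because @rx searches
# unanchored, and "{3,4}" alone still matches a 3-occurrence substring.
BANDED = {
    2: rf"^(?:{NOT_SPECIAL}*{SPECIAL}){{5,}}{NOT_SPECIAL}*$",
    3: rf"^(?:{NOT_SPECIAL}*{SPECIAL}){{3,4}}{NOT_SPECIAL}*$",
    4: rf"^(?:{NOT_SPECIAL}*{SPECIAL}){{1,2}}{NOT_SPECIAL}*$",
}


def fired(rules, paranoia_level, value):
    """Levels whose rule would log for one argument value when the site
    runs at `paranoia_level` (only rules at or below that level are active)."""
    return sorted(
        lvl for lvl, pattern in rules.items()
        if lvl <= paranoia_level and re.search(pattern, value)
    )


def unanchored_band_fires(value):
    """Show that the bare "{3,4}" bound does not cap the count on its own."""
    return re.search(rf"({SPECIAL}.*?){{3,4}}", value) is not None


if __name__ == "__main__":
    # Constructed sample argument values with 6, 3, 1 and 0 special characters.
    for value in ("a!b@c#d$e%f^", "a!b@c#", "abc!", "hello"):
        print(f"{value!r}: naive={fired(NAIVE, 4, value)} banded={fired(BANDED, 4, value)}")
```

At paranoia level 4 the six-special value yields three entries with the naive clones and one with the banded ones.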

Perhaps we want to accumulate log entries to emphasize the severity.
I don't like this idea, because it makes it more difficult to
read the logs.

What do you think about that?


