[Owasp-modsecurity-core-rule-set] SQL Rules - SQLi Score isn't set properly

Ryan Barnett RBarnett at trustwave.com
Mon Nov 1 13:21:27 EDT 2010

On 11/1/10 1:09 PM, "Paul Rosenbusch" <pr at batix.com> wrote:

> Hi,
> when I simulate SQL-Injection Attacks while using the
> owasp-modsecurity-core-rule-set, the SQLi Score shows up empty in my audit
> logfile. The inbound anomaly score is exceeded and the attack is classified as
> "SQL Injection Attack", but there seems to be a bug with the SQLi Score.
> I use modsecurity-crs_2.0.8 and checked the
> modsecurity_crs_41_sql_injection_attacks.conf -
> setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score} seems to be called
> properly on every entry.
> Does anybody have a clue why this happens?
> Thanks for your help

Hey Paul.  I am assuming that you are referring to the TX SQLI macro
expansions in the modsecurity_crs_49_inbound_blocking.conf file
(SQLi=%{TX.SQLI_SCORE})?  If so, then yes, I see the problem.  The rules were
actually updated to use this TX collection name instead -

So, you can update the TX data in the 49 file to properly reference it -

# Alert and Block based on Anomaly Scores
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"

# Alert and Block on a specific attack category such as SQL Injection
#    "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"

I will update the CRS as well and it will be fixed in V2.0.9


> PR
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
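
Added example, not part of the original message or of the CRS: a small lint check for the mismatch discussed in this thread, where a TX variable is expanded in a blocking rule but no rule ever sets it. The function name undefined_tx_refs and the sample rules are constructed for illustration; the check reads each physical line on its own and ignores TX names that are themselves built from macros.

```python
import re

# TX names are case-insensitive in ModSecurity, so everything is lowercased.
SETVAR_RE = re.compile(r"setvar:'?tx\.([a-z0-9_]+)\s*=", re.I)  # setvar:tx.name=...
MACRO_RE = re.compile(r"%\{tx\.([a-z0-9_]+)\}", re.I)           # %{tx.name}
TARGET_RE = re.compile(r"\bTX:([a-z0-9_]+)", re.I)              # SecRule TX:NAME ...


def undefined_tx_refs(conf_text):
    """Map each TX name that is read but never set to the lines reading it."""
    defined, used = set(), {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):       # commented-out rules are inactive
            continue
        defined.update(name.lower() for name in SETVAR_RE.findall(line))
        for name in MACRO_RE.findall(line) + TARGET_RE.findall(line):
            if not name.isdigit():              # TX:0-9 are filled by "capture"
                used.setdefault(name.lower(), []).append(lineno)
    return {n: used[n] for n in sorted(used) if n not in defined}


# Constructed sample: the SQLi rule sets tx.sql_injection_score, while the
# blocking rule's message expands TX.SQLI_SCORE, which nothing ever sets.
SAMPLE = r"""
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.inbound_anomaly_score_level=5"
SecRule ARGS "@contains union select" \
    "phase:2,t:none,pass,nolog,msg:'SQL Injection Attack',setvar:tx.msg=%{rule.msg},\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Score %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}'"
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"
"""

if __name__ == "__main__":
    for name, lines in undefined_tx_refs(SAMPLE).items():
        print(f"tx.{name} is expanded on line(s) {lines} but never set")
```

To lint a real installation, pass the concatenated text of all loaded rule files, since a variable set in one file may be read in another.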
