[Owasp-modsecurity-core-rule-set] SQL Rules - SQLi Score isn't set properly

Ryan Barnett RBarnett at trustwave.com
Mon Nov 1 13:21:27 EDT 2010


On 11/1/10 1:09 PM, "Paul Rosenbusch" <pr at batix.com> wrote:

> Hi,
> 
> when I simulate SQL-Injection Attacks while using the
> owasp-modsecurity-core-rule-set, the SQLi Score shows up empty in my audit
> logfile. The inbound anomaly score is exceeded and the attack is classified as
> "SQL Injection Attack", but there seems to be a bug with the SQLi Score.
> 
> I use modsecurity-crs_2.0.8 and checked the
> modsecurity_crs_41_sql_injection_attacks.conf -
> setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score} seems to be called
> properly on every entry.
> 
> Does anybody have a clue why this happens?
> 
> Thanks for your help
> 

Hey Paul.  I am assuming that you are referring to the TX SQLI macro
expansions in the modsecurity_crs_49_inbound_blocking.conf file (
SQLi=%{TX.SQLI_SCORE})?  If so, then yes, I see the problem.  The rules were
actually updated to use this TX collection name instead -
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}.

So, you can update the TX data in the 49 file to properly reference it -

# Alert and Block based on Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"


# Alert and Block on a specific attack category such as SQL Injection
#
#SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
#    "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"



I will update the CRS as well and it will be fixed in V2.0.9

-Ryan



> PR
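The root cause in the thread is a TX variable that the scoring rules assign under one name (tx.sql_injection_score) while the blocking rule's msg still expands another (%{TX.SQLI_SCORE}), which ModSecurity silently expands to an empty string. The checker below is an added example, not CRS code: it scans rule text for every %{tx.NAME} macro and every setvar:tx.NAME assignment and reports macros nothing ever sets. The rule excerpts and the list of variables assumed to be set in modsecurity_crs_10_config.conf are constructed for the example.

```python
import re

# Constructed excerpt standing in for modsecurity_crs_41_sql_injection_attacks.conf:
# the rules raise tx.sql_injection_score (the new name) and record tx.msg.
CRS_41_EXCERPT = r"""
SecRule ARGS "@pm select union" \
    "phase:2,t:none,block,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
"""

# Constructed excerpt standing in for modsecurity_crs_49_inbound_blocking.conf
# before the fix: the msg still expands the old name TX.SQLI_SCORE.
CRS_49_BEFORE = r"""
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"
"""

# The same rule with the macro corrected, as the reply suggests.
CRS_49_AFTER = CRS_49_BEFORE.replace("TX.SQLI_SCORE", "TX.SQL_INJECTION_SCORE")

# Assumed to be initialised elsewhere (the 10 config file and the XSS rule file),
# so they are not counted as unset when absent from the scanned excerpts.
CONFIG_VARS = ("critical_anomaly_score", "inbound_anomaly_score_level", "xss_score")

SETVAR_RE = re.compile(r"setvar:tx\.([a-z0-9_]+)=", re.IGNORECASE)
MACRO_RE = re.compile(r"%\{tx\.([a-z0-9_]+)\}", re.IGNORECASE)


def tx_assigned(*rule_texts):
    """Lower-cased names of every TX variable some setvar action assigns."""
    return {m.group(1).lower() for t in rule_texts for m in SETVAR_RE.finditer(t)}


def tx_referenced(*rule_texts):
    """Lower-cased names of every TX variable expanded via %{tx.NAME} (TX names are case-insensitive)."""
    return {m.group(1).lower() for t in rule_texts for m in MACRO_RE.finditer(t)}


def unset_macros(*rule_texts, configured=CONFIG_VARS):
    """Macros that would expand to an empty string because no rule or config sets them."""
    known = tx_assigned(*rule_texts) | {c.lower() for c in configured}
    return sorted(tx_referenced(*rule_texts) - known)


if __name__ == "__main__":
    print("before fix, unset:", unset_macros(CRS_41_EXCERPT, CRS_49_BEFORE))  # ['sqli_score']
    print("after fix, unset: ", unset_macros(CRS_41_EXCERPT, CRS_49_AFTER))   # []
```

Running it over a whole CRS directory (read each .conf into the argument list) flags any renamed TX variable whose macro references were not updated alongside it.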
