[Owasp-modsecurity-core-rule-set] SQL Rules - SQLi Score isn't set properly

Paul Rosenbusch pr at batix.com
Tue Nov 2 07:08:44 EDT 2010


Hi Ray,

In addition to your fix I needed to update TX.SQLI_SCORE in modsecurity_crs_60_correlation.conf too. Now everything works fine.

Thank you very much.

-Paul

-----Original Message-----
From: Ryan Barnett [mailto:RBarnett at trustwave.com] 
Sent: Monday, 1 November 2010 18:21
To: Paul Rosenbusch; owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Rules - SQLi Score isn't set properly

On 11/1/10 1:09 PM, "Paul Rosenbusch" <pr at batix.com> wrote:

> Hi,
> 
> when I simulate SQL-Injection Attacks while using the 
> owasp-modsecurity-core-rule-set, the SQLi Score shows up empty in my 
> audit logfile. The inbound anomaly score is exceeded and the attack is 
> classified as "SQL Injection Attack", but there seems to be a bug with the SQLi Score.
> 
> I use modsecurity-crs_2.0.8 and checked the 
> modsecurity_crs_41_sql_injection_attacks.conf - 
> setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score} seems to 
> be called properly on every entry.
> 
> Does anybody have a clue why this happens?
> 
> Thanks for your Help
> 

Hey Paul.  I am assuming that you are referring to the TX SQLI macro expansions in the modsecurity_crs_49_inbound_blocking.conf file ( SQLi=%{TX.SQLI_SCORE})?  If so, then yes, I see the problem.  The rules were actually updated to use this TX collection name instead - setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}.

So, you can update the TX data in the 49 file to properly reference it -

# Alert and Block based on Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"


# Alert and Block on a specific attack category such as SQL Injection
#
#SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
#    "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"



I will update the CRS as well and it will be fixed in V2.0.9

-Ryan



> PR
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list 
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
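The bug in this thread is a TX variable that one rule file sets under one name (tx.sql_injection_score) while other files read it under another (TX.SQLI_SCORE), so the macro expands to nothing in the audit log. The following added example (not part of the thread or of the CRS project) is a small consistency checker for that class of mistake: it scans rule text for setvar:tx.NAME assignments and %{tx.NAME} / TX:NAME reads and reports names that are read but never set. The file contents are constructed excerpts modelled on the files named above, not the real CRS 2.0.8 files.

```python
import re
from collections import defaultdict

# Constructed excerpts (not the real CRS files): file 41 increments
# tx.sql_injection_score, but files 49 and 60 read TX.SQLI_SCORE.
SAMPLE_CONF = {
    "modsecurity_crs_10_config.conf": r"""
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.inbound_anomaly_score_level=5"
""",
    "modsecurity_crs_41_sql_injection_attacks.conf": r"""
SecRule REQUEST_COOKIES|ARGS "(?i:union.*select)" \
    "phase:2,t:none,block,msg:'SQL Injection Attack',setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}"
""",
    "modsecurity_crs_49_inbound_blocking.conf": r"""
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}): %{tx.msg}',setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"
""",
    "modsecurity_crs_60_correlation.conf": r"""
SecRule TX:SQLI_SCORE "@gt 0" "phase:5,t:none,log,pass,msg:'Correlated SQLi (score %{TX.SQLI_SCORE})'"
""",
}

# setvar:tx.NAME=... assigns; %{tx.NAME} and a SecRule target TX:NAME read.
SET_RE = re.compile(r"setvar:tx\.([A-Za-z0-9_]+)", re.I)
REF_RE = re.compile(r"%\{tx\.([A-Za-z0-9_]+)\}|\bTX:([A-Za-z0-9_]+)", re.I)


def tx_usage(confs):
    """Map upper-cased TX name -> files that set it / files that read it.
    Names are upper-cased because ModSecurity treats TX keys case-insensitively."""
    setters, readers = defaultdict(set), defaultdict(set)
    for fname, text in confs.items():
        for m in SET_RE.finditer(text):
            setters[m.group(1).upper()].add(fname)
        for m in REF_RE.finditer(text):
            readers[(m.group(1) or m.group(2)).upper()].add(fname)
    return setters, readers


def dangling_tx_refs(confs):
    """TX names read somewhere but assigned nowhere: in a msg: string these
    expand to an empty value, which is the empty SQLi score seen in the log."""
    setters, readers = tx_usage(confs)
    return {n: sorted(f) for n, f in readers.items() if n not in setters}


if __name__ == "__main__":
    for name, files in sorted(dangling_tx_refs(SAMPLE_CONF).items()):
        print(f"TX.{name} is read in {', '.join(files)} but never set")
```

Pointing it at a real rule set means reading each *.conf into the dictionary; renaming SQLI_SCORE to SQL_INJECTION_SCORE in the 49 and 60 excerpts, as the thread does, makes the report empty.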



