[mod-security-users] How to Change the Anomaly Score for a Rule
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] How to Change the Anomaly Score for a Rule
|
From: kwenu <uz...@ya...> - 2011-08-08 15:37:30
|
Hi
Im trying to change the anomaly score for a rule that its fired when a
file name is triggered within the URL
Looking at the rule below I know that i have not included a VARIABLE
that "@ge 0" can be applied to - I realise this and have trawled thru
the debug logs but cannot identify the correct variable to use here
SecRule REQUEST_FILENAME "@streq /navlid_div.gif"
"chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
SecRule
&TX:'/981244-Detects.*basic.*SQL.*authentication.*bypass.*attempts.*1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME/'
"@ge 0" "setvar:tx.anomaly_score=-5"
The rule above has been put in modsecurity_crs_48_local_exceptions.conf
Heres a snippet of the debug log where i was hoping to snag the correct
@TX line from
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Target value: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Added regex subexpression to TX.0: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4]
Operator completed in 85 usec.
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.msg=%{rule.id}-%{rule.msg}
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{rule.id} to: 981244
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{rule.msg} to: Detects basic SQL authentication bypass
attempts 1/3
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass
attempts 1/3".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.anomaly_score=+7
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Original collection variable: tx.anomaly_score = "13"
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Relative change: anomaly_score=13+7
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.anomaly_score" to "20".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication
bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.981244-Detects basic SQL authentication bypass attempts
1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.981244-Detects basic SQL authentication bypass attempts
1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication
bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.981244-Detects basic SQL authentication bypass attempts
1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Setting variable: tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication
bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Set variable "tx.981244-Detects basic SQL authentication bypass attempts
1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4]
Warning. Pattern match
"(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'|
..." at REQUEST_FILENAME. [file
"/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass
attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag
"WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
T (1) urlDecodeUni: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
T (1) replaceComments: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4]
Rule returned 1.
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Match -> mode NEXT_RULE.
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4]
Recipe: Invoking rule 952efa8; [file
"/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "562"] [id "981255"].8:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9]
Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000]
[de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][5]
Rule 952efa8: SecRule
"REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
"@rx
(?i:(?:\\sexec\\s+xp_cmdshell)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*!\\s*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98);?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union
select
@)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)))"
"phase:2,nolog,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects
MSSQL code execution and information gathering
attempts',id:981255,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{m
|
