[mod-security-users] How to Change the Anomaly Score for a Rule
From: kwenu <uz...@ya...> - 2011-08-08 15:37:30
Hi,

I'm trying to change the anomaly score for a rule that is fired when a file name is triggered within the URL. Looking at the rule below, I know that I have not included a VARIABLE that "@ge 0" can be applied to. I realise this and have trawled through the debug logs but cannot identify the correct variable to use here:

    SecRule REQUEST_FILENAME "@streq /navlid_div.gif" "chain,phase:2,t:none,log,pass,msg:'Adjusting FP Score'"
        SecRule &TX:'/981244-Detects.*basic.*SQL.*authentication.*bypass.*attempts.*1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME/' "@ge 0" "setvar:tx.anomaly_score=-5"

The rule above has been put in modsecurity_crs_48_local_exceptions.conf.

Here's a snippet of the debug log where I was hoping to snag the correct @TX line from:

[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Target value: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Added regex subexpression to TX.0: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Operator completed in 85 usec.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.msg=%{rule.id}-%{rule.msg}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.id} to: 981244
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{rule.msg} to: Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.msg" to "981244-Detects basic SQL authentication bypass attempts 1/3".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.anomaly_score=+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Original collection variable: tx.anomaly_score = "13"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Relative change: anomaly_score=13+7
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.anomaly_score" to "20".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Setting variable: tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.msg} to: 981244-Detects basic SQL authentication bypass attempts 1/3
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{matched_var_name} to: REQUEST_FILENAME
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{tx.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at REQUEST_FILENAME. [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) urlDecodeUni: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] T (1) replaceComments: "/theme/common/image/navlid_div.gif"
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Rule returned 1.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Match -> mode NEXT_RULE.
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][4] Recipe: Invoking rule 952efa8; [file "/pxy/shared/conf/modsecurity.d/crs_2.2.1/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "562"] [id "981255"].
8:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][9] Resolved macro %{TX.0} to: div
[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8][rid#cb429d0][/theme/common/image/navlid_div.gif][5] Rule 952efa8: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*!\\s*[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98);?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)))" "phase:2,nolog,auditlog,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:WEB_ATTACK/SQLI,tag:WEB_ATTACK/ID,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0},setvar:tx.%{tx.msg}-WEB_ATTACK/ID-%{m
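As an added illustration (not part of the post, nor ModSecurity or CRS code), the script below replays the "Set variable" entries from the debug log above into a TX collection and evaluates the poster's two-rule chain against it, so the effect of each piece of the exception can be checked offline before touching modsecurity_crs_48_local_exceptions.conf. The log lines are copied from the post; the counting form &TX:/regex/ and the setvar arithmetic (=+N adds, =-N subtracts, anything else assigns, !name removes) follow the ModSecurity 2.x reference semantics. Two things the log itself shows and the script makes visible: REQUEST_FILENAME carries the full path "/theme/common/image/navlid_div.gif" (see the "Target value" entry), so an @streq against "/navlid_div.gif" can never be true, and a count compared with @ge 0 is satisfied even when no variable matches. The anchored pattern ^981244- with @gt 0, and the full-path @streq value, are this example's suggested alternatives, not something the thread states.

```python
"""Replay a ModSecurity debug log's TX collection and evaluate a CRS-style
exception chain against it.  Added example; not ModSecurity/CRS code."""
import re
from typing import Dict, List

# Debug-log entries copied from the post above (one per list item).
PREFIX = ('[08/Aug/2011:14:38:55 +0000] [de.eudev2.websys.tmcs/sid#c030fd8]'
          '[rid#cb429d0][/theme/common/image/navlid_div.gif][9] ')
DEBUG_LOG = "\n".join(PREFIX + msg for msg in [
    'Target value: "/theme/common/image/navlid_div.gif"',
    'Setting variable: tx.anomaly_score=+7',
    'Original collection variable: tx.anomaly_score = "13"',
    'Relative change: anomaly_score=13+7',
    'Set variable "tx.anomaly_score" to "20".',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME" to "div".',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/ID-REQUEST_FILENAME" to "div".',
    'Set variable "tx.981244-Detects basic SQL authentication bypass attempts 1/3-WEB_ATTACK/LFI-REQUEST_FILENAME" to "div".',
])

# The regex from the poster's &TX:'/.../' variable, verbatim.
POSTED_PATTERN = (r'981244-Detects.*basic.*SQL.*authentication.*bypass.*'
                  r'attempts.*1/3-WEB_ATTACK/SQLI-REQUEST_FILENAME')

SET_VAR = re.compile(r'Set variable "tx\.(?P<name>[^"]+)" to "(?P<value>[^"]*)"\.')
TARGET = re.compile(r'Target value: "(?P<value>[^"]*)"')


def replay_tx(log: str) -> Dict[str, str]:
    """Rebuild the TX collection as it stood after the logged rule ran."""
    tx: Dict[str, str] = {}
    for m in SET_VAR.finditer(log):
        tx[m.group('name')] = m.group('value')
    return tx


def request_filename(log: str) -> str:
    """REQUEST_FILENAME as the engine saw it (the 'Target value' entry)."""
    m = TARGET.search(log)
    if m is None:
        raise ValueError('no Target value entry in log')
    return m.group('value')


def setvar(tx: Dict[str, str], spec: str) -> Dict[str, str]:
    """ModSecurity setvar semantics on a TX dict (names without 'tx.'):
    'name=+N' adds, 'name=-N' subtracts, 'name=V' assigns, '!name' removes."""
    if spec.startswith('!'):
        tx.pop(spec[1:], None)
        return tx
    name, value = spec.split('=', 1)
    if value[:1] in '+-' and value[1:].isdigit():
        tx[name] = str(int(tx.get(name, '0')) + int(value))
    else:
        tx[name] = value
    return tx


def count_matching(tx: Dict[str, str], pattern: str) -> int:
    """The '&TX:/pattern/' counting form: number of TX names the regex hits."""
    rx = re.compile(pattern)
    return sum(1 for name in tx if rx.search(name))


def tx_names_for_rule(tx: Dict[str, str], rule_id: str) -> List[str]:
    """TX variables a CRS 2.x rule left behind, keyed by its id prefix."""
    return sorted(n for n in tx if n.startswith(rule_id + '-'))


def chain_fires(filename: str, tx: Dict[str, str], streq_value: str,
                tx_pattern: str, op: str, threshold: int) -> bool:
    """Evaluate the post's chain: REQUEST_FILENAME @streq X, then
    &TX:/pattern/ compared with @ge (op='ge') or @gt (op='gt')."""
    if filename != streq_value:          # @streq is an exact comparison
        return False
    n = count_matching(tx, tx_pattern)
    return n >= threshold if op == 'ge' else n > threshold


def apply_exception(log: str, streq_value: str, tx_pattern: str,
                    op: str, threshold: int, adjust: str = '-5') -> int:
    """Final tx.anomaly_score after the exception chain runs (or does not)."""
    tx = replay_tx(log)
    if chain_fires(request_filename(log), tx, streq_value, tx_pattern, op, threshold):
        setvar(tx, 'anomaly_score=' + adjust)
    return int(tx['anomaly_score'])


if __name__ == '__main__':
    tx = replay_tx(DEBUG_LOG)
    print('TX names left by 981244:', *tx_names_for_rule(tx, '981244'), sep='\n  ')
    print('posted pattern matches', count_matching(tx, POSTED_PATTERN), 'name(s)')
    print('score with posted chain :', apply_exception(DEBUG_LOG, '/navlid_div.gif', POSTED_PATTERN, 'ge', 0))
    print('score with full path/^981244-/@gt 0:',
          apply_exception(DEBUG_LOG, request_filename(DEBUG_LOG), r'^981244-', 'gt', 0))
```

Running it shows the posted chain leaving the score at 20 because the @streq leg fails, while matching the full path and counting ^981244- with @gt 0 subtracts the 5 and leaves 15. Anchoring on the rule id also sidesteps the message text and the "/" characters in the generated variable names; whether a "/" inside a single-quoted TX:'/.../' selector parses as the poster intended is not something this example tests.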