Re: [Mod-security-developers] Question regarding transaction::processConnection()

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Jai,

In that specific case, those are the representation of SecMarkers.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: Jai Harpalani <jai...@mu...>
Date: Wednesday, March 7, 2018 at 12:16 PM
To: Felipe Costa <FC...@tr...>
Cc: "mod...@li..." <mod...@li...>
Subject: Re: [Mod-security-developers] Question regarding transaction::processConnection()

Using version 3.0.0 of libModSecurity.

Below is output after each set of OWASP CRS rules are added. As you can see, some rules are added to Phase 0 after each CRS rule set is added. I am not sure what these rules do.

what> modSecShowRules
Rules:
Phase: 0 (0 rules)
Phase: 1 (0 rules)
Phase: 2 (0 rules)
Phase: 3 (0 rules)
Phase: 4 (0 rules)
Phase: 5 (0 rules)
Phase: 6 (0 rules)
Phase: 7 (0 rules)
what> modSecAddRules -p /opt/esg/current/runtime/owasp-modsecurity-crs/modsecurity.conf
what> modSecShowRules
Rules:
Phase: 0 (0 rules)
Phase: 1 (0 rules)
Phase: 2 (2 rules)
    Rule ID: 200000--0x561d935fce20
    Rule ID: 200001--0x561d935fd430
Phase: 3 (4 rules)
    Rule ID: 200002--0x561d935d0690
    Rule ID: 200003--0x561d93642530
    Rule ID: 200004--0x561d93642d60
    Rule ID: 200005--0x561d935d6160
Phase: 4 (0 rules)
Phase: 5 (0 rules)
Phase: 6 (0 rules)
Phase: 7 (0 rules)
what> modSecAddRules -p /opt/esg/current/runtime/owasp-modsecurity-crs/crs-setup.conf
what> modSecShowRules
Rules:
Phase: 0 (0 rules)
Phase: 1 (0 rules)
Phase: 2 (4 rules)
    Rule ID: 200000--0x561d935fce20
    Rule ID: 200001--0x561d935fd430
    Rule ID: 900950--0x561d935d62c0
    Rule ID: 900990--0x561d935d66a0
Phase: 3 (4 rules)
    Rule ID: 200002--0x561d935d0690
    Rule ID: 200003--0x561d93642530
    Rule ID: 200004--0x561d93642d60
    Rule ID: 200005--0x561d935d6160
Phase: 4 (0 rules)
Phase: 5 (0 rules)
Phase: 6 (0 rules)
Phase: 7 (0 rules)
what> modSecAddRules -p /opt/esg/current/runtime/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
what> modSecShowRules
Rules:
Phase: 0 (1 rules)
    Rule ID: 0--0x561d92adf2a0
Phase: 1 (1 rules)
    Rule ID: 0--0x561d92adf3b0
Phase: 2 (39 rules)
(..)
Phase: 3 (5 rules)
    Rule ID: 200002--0x561d935d0690
    Rule ID: 200003--0x561d93642530
    Rule ID: 200004--0x561d93642d60
    Rule ID: 200005--0x561d935d6160
    Rule ID: 0--0x561d92adf5d0
Phase: 4 (1 rules)
    Rule ID: 0--0x561d92adf6e0
Phase: 5 (1 rules)
    Rule ID: 0--0x561d92adf7f0
Phase: 6 (1 rules)
    Rule ID: 0--0x561d92b7def0
Phase: 7 (0 rules)
what>
what> modSecAddRules -p /opt/esg/current/runtime/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
what> modSecShowRules
Rules:
Phase: 0 (2 rules)
    Rule ID: 0--0x561d92adf2a0
    Rule ID: 0--0x561d93599630
Phase: 1 (2 rules)
    Rule ID: 0--0x561d92adf3b0
    Rule ID: 0--0x561d93599760
Phase: 2 (49 rules)
(..)
    Rule ID: 0--0x561d93599da0
Phase: 7 (0 rules)
what> modSecAddRules -p /opt/esg/current/runtime/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
what> modSecShowRules
Rules:
Phase: 0 (4 rules)
    Rule ID: 0--0x561d92adf2a0
    Rule ID: 0--0x561d93599630
    Rule ID: 0--0x561d935bc6b0
    Rule ID: 0--0x561d92dface0
Phase: 1 (4 rules)
    Rule ID: 0--0x561d92adf3b0
    Rule ID: 0--0x561d93599760
(…)