Difference between revisions of "ModSecurity CRS Rule Description Template"

From OWASP
(Created page with ' - This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to the OWASP ModSecurity Core Rule Set (CRS) Project. - Project participants…')
 
(Rule ID: XXXXX)
 
(9 intermediate revisions by one user not shown)
Line 5: Line 5:
 
   
 
   
 
== Rule ID: XXXXX ==
 
== Rule ID: XXXXX ==
 
+
<table style="border-style:double;border-width:3px;" >
=== Rule ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule ID</td>
Provide the entire rule/rule chain here
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
+
Place Rule ID Here
=== Rule Summary ===
+
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Message</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Place Rule Message Here
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Summary</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Provide rule background.  What is the rule looking for?  What attack is trying to identify or prevent.
 
Provide rule background.  What is the rule looking for?  What attack is trying to identify or prevent.
 
+
</td></tr>
=== Impact: Critical ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Impact</td>
This should be the Severity rating specified in the rule.
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
+
This should be the Severity rating specified in the rule. (Example: 4 - Warning)
=== Detailed Information ===
+
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
<code>Provide the entire rule/rule chain here</code>
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Provide detailed information about the rule construction such as:
 
Provide detailed information about the rule construction such as:
 
*Why the variable list specified was used
 
*Why the variable list specified was used
*A description of the regular expression used - what is is looking for in plain english
 
 
*What actions are used and why
 
*What actions are used and why
 +
<pre>
 +
A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool)
 +
</pre>
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Payload</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Provide an example payload that will trigger this rule.
  
=== Affected Software ===
+
Example Apache log entry or HTTP payload captured by another tool
If this attack only affects a specific piece of public software (if this is a virtual patch for a public disclosure) specify which info.
+
</td></tr>
 
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Audit Log Entry</td>
=== Attack Scenarios ===
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Include an example ModSecurity Audit Log Entry for when this rule matchs.
 +
<pre>
 +
Audit Log Entry
 +
</pre>
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Attack Scenarios</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Provide any data around "how" the attack is carried out.
 
Provide any data around "how" the attack is carried out.
 
+
</td></tr>
=== Ease of Attack ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Attack</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
How easy is it for an attacker to carry out the attack?
 
How easy is it for an attacker to carry out the attack?
 
+
</td></tr>
=== Ease of Detection ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Detection</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
How easy is it for a defender to use ModSecurity to accurately detect this attack?
 
How easy is it for a defender to use ModSecurity to accurately detect this attack?
 
+
</td></tr>
=== False Positives ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
If there are any known false positives - specify them here
 
If there are any known false positives - specify them here
 +
Also sign-up for the Reporting False Positives mail-list here:
 +
https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
  
=== False Negatives ===
+
Send FP Report emails here:
 +
mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Are there any know issues with evasions or how an attacker might bypass detection?
 
Are there any know issues with evasions or how an attacker might bypass detection?
 
+
</td></tr>
=== Corrective Action  ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity</td>
Any tuning recommendations for the existing rule?
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
+
10 point scale (0-9) where:<br>0 = Beta/Experimental <br>9 = Heavily Tested
=== Contributors ===
+
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
10 point scale (0-9) where:<br>0 = High % of FP<br>5 = No false positives reported
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Specify your name and email if you want credit for the rule or documentation of it.
 
Specify your name and email if you want credit for the rule or documentation of it.
 +
Example: Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).
 +
</td></tr>
 +
</table>
  
=== Additional References ===
+
[[Category:OWASP ModSecurity Core Rule Set Project]]
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).
+
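Review bot: the contact address added to the False Positives cell uses `[[Image:Justat.gif|10x]]`, while the contributor cell uses `[[Image:Justat.gif|10px]]`; the missing `p` makes the size parameter invalid, which is why the rendered page shows "mod-security-report-false-positives10xlists.sourceforge.net" instead of the @ image. Change it to `[[Image:Justat.gif|10px]]` to match the contributor example.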
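Review bot: the Rule Accuracy cell announces a "10 point scale (0-9)" but only anchors 0 (High % of FP) and 5 (No false positives reported), so values 6 to 9 have no defined meaning; the Rule Maturity cell right above it anchors both ends (0 and 9). Either anchor 9 as well or state what separates 5 from 9.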
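Review bot: the table rewrite drops the old revision's "Affected Software" heading (with its prompt to name the public package a virtual patch targets) and "Corrective Action" heading (with its prompt for tuning recommendations) without a replacement row; only the Additional References cell still mentions virtual patches. Add rows for both, or fold the tuning prompt into the False Positives cell so the information is not lost.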

Latest revision as of 12:27, 9 May 2011

- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule.
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS rule ID).

Rule ID: XXXXX

Rule ID

Place Rule ID Here

Rule Message

Place Rule Message Here

Rule Summary

Provide rule background. What is the rule looking for? What attack is it trying to identify or prevent?

Impact

This should be the Severity rating specified in the rule. (Example: 4 - Warning)

Rule

Provide the entire rule/rule chain here

Detailed Rule Information

Provide detailed information about the rule construction such as:

  • Why the variable list specified was used
  • What actions are used and why
  • A description of the regular expression used - what it is looking for in plain English (Example RegEx analysis from Expresso tool)

Example Payload

Provide an example payload that will trigger this rule.

Example Apache log entry or HTTP payload captured by another tool

Example Audit Log Entry

Include an example ModSecurity Audit Log Entry for when this rule matches.

Audit Log Entry

Attack Scenarios

Provide any data around "how" the attack is carried out.

Ease of Attack

How easy is it for an attacker to carry out the attack?

Ease of Detection

How easy is it for a defender to use ModSecurity to accurately detect this attack?

False Positives

If there are any known false positives, specify them here.

Also sign up for the Reporting False Positives mailing list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives

Send FP report emails here: mod-security-report-false-positives@lists.sourceforge.net

False Negatives

Are there any known issues with evasions or ways an attacker might bypass detection?
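To show what the Rule, Detailed Rule Information, Example Payload and False Negatives cells look like once filled in, here is an added example; it is not part of the template or of the CRS project. It uses a constructed SecRule with the placeholder id 999999 (not a CRS rule id) and a minimal Python emulation of ModSecurity's ARGS target and t:urlDecodeUni transformation (approximated with urllib.parse.unquote, so %uXXXX decoding is not covered) to check constructed sample arguments against the rule's regex, with and without the transformation chain:

```python
import re
import urllib.parse

# Constructed example rule in ModSecurity directive syntax: the text that
# would go in the template's "Rule" cell. The id 999999 is a placeholder,
# not a CRS rule id. It flags a ".." path segment in any request argument
# after URL-decoding. t:normalizePath is left out on purpose: it resolves
# interior "../" segments before the regex runs and would hide them.
EXAMPLE_RULE = r'''SecRule ARGS "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
    "id:999999,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
    msg:'Example: directory traversal sequence in argument',severity:'4'"'''

_RULE_RX = re.compile(r'^SecRule\s+(\S+)\s+"(.*?)"\s+"(.*)"$', re.S)


def parse_rule(text):
    """Split one SecRule directive into the parts the template asks for:
    variable list, operator, pattern and a dict of actions."""
    joined = re.sub(r"\\\s*\n\s*", " ", text.strip())  # join continuation lines
    m = _RULE_RX.match(joined)
    if not m:
        raise ValueError("not a SecRule directive")
    variables, operator_spec, action_spec = m.groups()
    operator, _, pattern = operator_spec.partition(" ")
    actions = {}
    # split on commas that are not inside single-quoted values such as msg:'...'
    for item in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", action_spec):
        key, _, value = item.strip().partition(":")
        value = value.strip("'")
        if key == "t":  # transformations stack, keep them in order
            actions.setdefault("t", []).append(value)
        else:
            actions[key] = value
    return {"variables": variables.split("|"), "operator": operator,
            "pattern": pattern, "actions": actions}


# Plain-English reading of the regex for the "Detailed Rule Information"
# cell: a ".." that is bounded on both sides by a slash, a backslash, or the
# start/end of the value, so "about..html" is ignored but "../x" is caught.
TRANSFORMS = {
    "none": lambda v: v,
    # approximation of t:urlDecodeUni: %XX decoding only (no %uXXXX)
    "urlDecodeUni": lambda v: urllib.parse.unquote(v),
}


def apply_transforms(value, names):
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(rule, value, transform=True):
    """True if VALUE would trigger RULE. transform=False shows what a rule
    without its t: chain would see, which is what the False Negatives cell
    should discuss."""
    names = rule["actions"].get("t", []) if transform else []
    return re.search(rule["pattern"], apply_transforms(value, names)) is not None


def matching_args(rule, args):
    """Names of request arguments (the ARGS collection) that trigger the rule."""
    return [name for name, value in args.items() if rule_matches(rule, value)]


RULE = parse_rule(EXAMPLE_RULE)

# Constructed sample arguments for the "Example Payload" cell and a
# false-positive check; this is not captured traffic.
SAMPLE_ARGS = {
    "page": "docs/index.html",                # benign
    "name": "about..html",                    # benign: ".." is not a segment
    "path": "../../private/notes.txt",        # triggers as-is
    "enc": "%2e%2e%2fprivate%2fnotes.txt",    # triggers only after urlDecodeUni
}

if __name__ == "__main__":
    print("rule", RULE["actions"]["id"], "-", RULE["actions"]["msg"])
    for name, value in SAMPLE_ARGS.items():
        print(f"{name}: raw={rule_matches(RULE, value, transform=False)} "
              f"transformed={rule_matches(RULE, value)}")
```

Running the block prints, for each constructed argument, whether the rule fires on the raw value and on the transformed value; the encoded argument fires only after urlDecodeUni, which is exactly the kind of observation the Ease of Detection and False Negatives cells should record, while the benign "about..html" shows the false-positive check the regex boundaries are there for.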

Rule Maturity

10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

Rule Accuracy

10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Rule Documentation Contributor(s)

Specify your name and email if you want credit for the rule or documentation of it. Example: Ryan Barnett - ryan.barnett@owasp.org

Additional References

Provide any external reference links (e.g. if this is a virtual patch for a known vulnerability, link to the Bugtraq or CVE page).