Difference between revisions of "ModSecurity CRS Rule Description Template"

From OWASP
Jump to: navigation, search
(Created page with ' - This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to the OWASP ModSecurity Core Rule Set (CRS) Project. - Project participants…')
 
Line 12: Line 12:
 
Provide rule background.  What is the rule looking for?  What attack is trying to identify or prevent.
 
Provide rule background.  What is the rule looking for?  What attack is trying to identify or prevent.
  
=== Impact: Critical ===
+
=== Impact ===
 
This should be the Severity rating specified in the rule.
 
This should be the Severity rating specified in the rule.
  

Revision as of 21:08, 31 August 2010

- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to
    the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)

Contents

Rule ID: XXXXX

Rule

Provide the entire rule/rule chain here

Rule Summary

Provide rule background. What is the rule looking for? What attack is trying to identify or prevent.

Impact

This should be the Severity rating specified in the rule.

Detailed Information

Provide detailed information about the rule construction such as:

  • Why the variable list specified was used
  • A description of the regular expression used - what is is looking for in plain english
  • What actions are used and why

Affected Software

If this attack only affects a specific piece of public software (if this is a virtual patch for a public disclosure) specify which info.

Attack Scenarios

Provide any data around "how" the attack is carried out.

Ease of Attack

How easy is it for an attacker to carry out the attack?

Ease of Detection

How easy is it for a defender to use ModSecurity to accurately detect this attack?

False Positives

If there are any known false positives - specify them here

False Negatives

Are there any know issues with evasions or how an attacker might bypass detection?

Corrective Action

Any tuning recommendations for the existing rule?

Contributors

Specify your name and email if you want credit for the rule or documentation of it.

Additional References

Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).