coreruleset | OWASP ModSecurity Core Rule Set | Cybersecurity library
kandi X-RAY | coreruleset Summary
OWASP ModSecurity Core Rule Set (Official Repository)
Top functions reviewed by kandi - BETA
- Appends a ctl command.
- Check for ignore cases.
- Compare two regexes.
- Main entry point.
- Process configuration lines.
- Build the argument parser for the compare command.
- Return a list of lines to process.
- Run the assembler.
- Build command line parser for update.
- Parse the config file.
coreruleset Examples and Code Snippets
include caddypath/coraza.conf-recommended
include caddypath/coreruleset/crs-setup.conf.example
include caddypath/coreruleset/rules/*.conf
sudo ./SETUP
sudo ./SETUP [branch] [no-ipset]
Community Discussions
Trending Discussions on coreruleset
QUESTION
We use ModSecurity 3.X for NGINX with the OWASP core rule set.
We have a problem with image in base64 and the rule 941170.
The pattern of the rule is
...
ANSWER
Answered 2021-Oct-27 at 12:53
The SecRuleUpdateTargetById rule exclusion you provided looks good to me.
To be clear, the effect of that rule exclusion is:
- Rule 941170 no longer applies to the screen argument
- Rule 941170 still applies to all other arguments as usual
- All other rules still apply to all arguments, including screen, as usual
Is there a reason you're not happy with this?
If you're running a super-high security setup which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:
- If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php)
- Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64
You could even combine both of those suggestions to be extremely specific.
If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.
Also, what paranoia level are you currently running in, out of interest?
Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!
Update: The second rule exclusion described above may look something like this:
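An added example, not the answerer's own snippet: a runtime rule exclusion in ModSecurity's rule language that combines both suggestions from the answer, shown beside the coarse form. The rule id 1000 is a placeholder, the file placement is an assumption about a standard CRS layout, and /login.php is the answer's own example location.

```apache
# Coarse form, for comparison (assumed shape of a configure-time exclusion).
# It must be loaded AFTER the CRS rules, and it stops rule 941170 from
# inspecting the "screen" argument on every request, whatever its value:
#
#   SecRuleUpdateTargetById 941170 "!ARGS:screen"

# Narrow form: a runtime exclusion, loaded BEFORE the CRS rules (for example
# in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so that it has already run
# when rule 941170 is evaluated in phase 2.
#
# Condition 1: the request path is exactly /login.php.
# Condition 2: the "screen" argument begins with data:image/jpeg;base64.
#
# The ctl action sits on the last rule of the chain so that it only fires
# when both conditions hold. It affects the current transaction only.
SecRule REQUEST_FILENAME "@streq /login.php" \
    "id:1000,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:screen "@beginsWith data:image/jpeg;base64" \
        "t:none,\
        ctl:ruleRemoveTargetById=941170;ARGS:screen"
```

The prefix test does not check that the rest of the value is valid base64; as the answer notes, every other rule still inspects screen, and 941170 still inspects every other argument.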
QUESTION
Summary:
I have set up a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger crs rule 920100:
Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./](?::\d+)?)?/[^?#](?:\?[^#\s])?(?:#[\S])?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \)\s+[\w\./]+|get /[^?#](?:\?[^#\s])?(?:#[\S])?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
Details regarding setup:
I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by crs and only modified these two settings regarding threshold and allowing the CONNECT HTTP method. (CONNECT method is used in our setup for proxy purposes).
ANSWER
Answered 2021-Oct-13 at 21:58
Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:
QUESTION
I want to create an exclusion to disable a specific rule (ID:920180) in my system. How should I write the syntax in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?
Here is my exclusion, but I'm not sure it is fully covered to disable it:
...
ANSWER
Answered 2021-Jun-03 at 14:46
Your exclusion rule is almost correct. But the & in front of REQUEST_HEADERS:Transfer-Encoding is missing.
&REQUEST_HEADERS:Transfer-Encoding (with the ampersand) counts the number of Transfer-Encoding headers.
Without the & (ampersand), the content of the Transfer-Encoding header is compared to the value 0.
I'm not sure whether you really want to remove the rule in general for nonexistent Transfer-Encoding headers, or whether you want to restrict this to certain clients (IP addresses, user agents, ...). But that is your decision. I don't know exactly what you need.
But in any case, this exclusion rule will now work.
By the way: The current OWASP Core Rule Set repository is https://github.com/coreruleset/coreruleset/.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install coreruleset
You can use coreruleset like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.