Closed PedroFTW closed 3 years ago
What version of modsecurity are you using?
@azurit I'm on 3.0.3
You cannot change the severity of a whole file of rules; you need to specify the IDs of the rules you want to change.
So, I tried doing that, and couldn't do it.
I tested on one rule, 951220, doing something like this:

```apache
SecRuleUpdateActionById 951220 "severity:'NOTICE'"
```

And it didn't work.
So, I noticed that the rule 951220 itself has a chained rule that actually contains the regex to match and the setvars for the scores.
Here's the rule:

```apache
"id:951220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'mssql SQL Information Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-mssql',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.0',\
severity:'CRITICAL',\
chain"
    SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
        "capture,\
        setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```
I'm guessing I need to provide the chain to modify the whole rule? Still, how would I write that?
You can use an offset for that, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleUpdateActionById
Anyway, I don't think this is the problem. Where did you put your `SecRuleUpdateActionById`? It must go into `/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf`.
So, in theory, it's set in a different file that is then appended to the .conf when building the container.
I'll test it out inserting directly to check if the problem is there.
In fact, it just must be set AFTER the definition of the rule which you want to update. The file `/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf` is loaded as the last one.
Btw, why do you want to change the severity?
Well, in the system we have several tables that return some SQL keywords, and with the rule set as critical, every one of them will cause a failure in modsec. I want to change it to a notice so we still keep track of data leaks, without failing on points where the system actually needs to return SQL keywords.
I don't want to treat it endpoint by endpoint because it's a fuckton of them. Hahaha
By changing the severity you won't stop CRS from blocking the request.
Well, as far as I understood, a notice hands out a lower score than a critical error. So, it would take multiple to block it, isn't it like that? Sorry for the ignorance. Hahaha
Yes, but the score is not determined by the severity variable; see the rule you posted above, the score is added at the end using 'setvar' actions.
Hmm, I see, so is it possible for me to change the chained rule's actions so I can alter the setvars?
I have never tried to change setvars, so I'm not sure if you'll be successful. Anyway, you can access the chained rule using an offset, see here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleUpdateActionById
So, it should be:

```apache
SecRuleUpdateActionById 951220:1 "..."
```
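As an added example (not code from the thread or from the CRS project), here are both updates from the discussion placed in the exclusion file that is loaded after the CRS rules. The parent rule of 951220 carries `severity` but no scoring, so updating it only changes what gets logged; the anomaly score is added by the `setvar` actions in the chained rule, which is addressed with the `:1` offset. The linked v2 reference manual states that actions which may appear more than once in an action list (`setvar` is one) are appended by `SecRuleUpdateActionById` rather than overwritten, so the example compensates the critical increment instead of trying to remove it. `tx.critical_anomaly_score` and `tx.notice_anomaly_score` are the weights CRS 3.3 defines in crs-setup.conf; that libmodsecurity 3.0.3 applies the update to the chained rule exactly as the v2 manual describes is an assumption that should be confirmed in the audit log before relying on it.

```apache
# /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf  (added example)
# This file is loaded after RESPONSE-951-DATA-LEAKAGES-SQL.conf; an update placed
# before the rule is defined refers to an ID that does not exist yet and has no effect.

# 1. Parent rule 951220: holds msg/severity, no setvar actions.
#    Changes the logged severity only; the request is still scored as before.
SecRuleUpdateActionById 951220 "severity:'NOTICE'"

# 2. Chained rule 951220:1 (offset 1 = first chained rule): holds the regex and
#    the scoring setvars. setvar actions are appended, not replaced (v2 manual),
#    so subtract the critical weight again and add the notice weight instead.
#    Net effect per match: +critical -critical +notice = one NOTICE-weight hit
#    on the outbound PL1 score and on the PL1 anomaly score. With the CRS 3.3
#    defaults (critical=5, notice=2, outbound threshold=4) a single hit is
#    logged but no longer reaches the blocking threshold on its own.
#    Assumption: the update applies to the chained rule in the user's 3.0.3 build.
SecRuleUpdateActionById 951220:1 \
    "setvar:'tx.outbound_anomaly_score_pl1=-%{tx.critical_anomaly_score}',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=-%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
```

The same pattern applies to the other 951xxx rules in the file: each is a parent rule with an offset `:1` chained rule that carries the scoring, so one `SecRuleUpdateActionById <id>:1` line per rule ID is needed; the file cannot be retargeted as a whole.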
@azurit Thanks for your help. I was able to solve my problem with your help.
I want to change a rule's severity from CRITICAL to NOTICE.
The rules in question are the 951 DATA LEAK rules that exist in OWASP's Core Rule Set (`owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf`).
I tried doing that using `SecRuleUpdateActionById`, but to no avail.
If this is not yet supported, I would like to transform this into a feature suggestion.