owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

[Question] Is it possible to change a CRS rule's severity? #2496

Closed PedroFTW closed 3 years ago

PedroFTW commented 3 years ago

I want to change a rule's severity from CRITICAL to NOTICE.

The rules in question are the 951 DATA LEAK rules, that exist in OWASP's Core Rule Set

owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

I tried doing that using SecRuleUpdateActionById, but to no avail.

If this is not yet supported, I would like to transform this into a feature suggestion.

azurit commented 3 years ago

What version of modsecurity are you using?

PedroFTW commented 3 years ago

@azurit I'm on 3.0.3

azurit commented 3 years ago

You cannot change the severity of a whole file of rules; you need to specify the IDs of the rules you want to change.

PedroFTW commented 3 years ago

So, I tried doing that, and couldn't do it.

I tested on one rule, 951220 doing something like this:

SecRuleUpdateActionById 951220 "severity:'NOTICE'"

And it didn't work.

So, I noticed that the rule 951220 itself has a chained rule that actually contains the regex to match and the setvars for the scores.

Here's the rule:

    # Opening line of rule 951220 as shipped in CRS 3.3.0: the whole chain only
    # runs when the prefilter rule 951100 has set tx.sql_error_match.
    SecRule TX:sql_error_match "@eq 1" \
        "id:951220,\
        phase:4,\
        block,\
        capture,\
        t:none,\
        msg:'mssql SQL Information Leakage',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-mssql',\
        tag:'attack-disclosure',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/118/116/54',\
        ctl:auditLogParts=+E,\
        ver:'OWASP_CRS/3.3.0',\
        severity:'CRITICAL',\
        chain"
        # Chained rule (offset 1): the regex that actually matches the response
        # body, and the setvar actions that add to the anomaly scores.
        SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
            "capture,\
            setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
            setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

I'm guessing I need to provide the chain to modify the whole rule? Still, how would I write that?

azurit commented 3 years ago

You can use an offset for that, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleUpdateActionById

Anyway, I don't think this is the problem. Where did you put your SecRuleUpdateActionById? It must go into /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

PedroFTW commented 3 years ago

So, in theory, it's set in a different file that is then appended to the .conf when building the container.

I'll test it out inserting directly to check if the problem is there.

azurit commented 3 years ago

In fact, it just must be set AFTER the definition of the rule which you want to update. The file /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf is loaded as the last one.

azurit commented 3 years ago

Btw, why do you want to change the severity?

PedroFTW commented 3 years ago

Well, in the system we have several tables that return some SQL keywords, and with the rule set as critical, every one of them will cause a failure in modsec. I want to change it to a notice so we still keep track of data leaks, without failing on points where the system actually needs to return SQL keywords.

I don't want to treat it endpoint by endpoint cause it's a fuckton of them. Hahaha

azurit commented 3 years ago

By changing the severity you won't stop CRS from blocking the request.

PedroFTW commented 3 years ago

Well, as far as I understood, a notice hands out a lower score than a critical error. So, it would take multiple to block it, isn't it like that? Sorry for the ignorance. Hahaha

azurit commented 3 years ago

Yes, but the score is not determined by the severity variable - see the rule you posted above: the score is added at the end using 'setvar' actions.

PedroFTW commented 3 years ago

Hmm, I see, so is it possible for me to change the chained rule's actions so I can alter the setvars?

azurit commented 3 years ago

I have never tried to change setvars so I'm not sure if you'll be successful. Anyway, you can access the chained rule using an offset, see here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleUpdateActionById

So, it should be: SecRuleUpdateActionById 951220:1 "..."
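Putting the two points of the thread together (the directive has to come after the CRS rule it modifies, and the chained rule is addressed with the `:1` offset), here is what the exclusion file could contain. This is an added example, not the contents of the issue or of the CRS project; it assumes the file path named above and the CRS default `tx.notice_anomaly_score` variable from crs-setup.conf (the counterpart of `tx.critical_anomaly_score` for the NOTICE level).

```apache
# /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# CRS loads this file after all rule files, so rule 951220 is already
# defined when these directives are evaluated; SecRuleUpdateActionById
# fails silently if the rule does not exist yet.

# No offset (or offset 0) addresses the first rule of the chain, which is
# the one carrying msg, tags and severity. This only changes what is
# reported in the log; it does not change the anomaly score.
SecRuleUpdateActionById 951220 "severity:'NOTICE'"

# Offset 1 addresses the chained rule, which is where the score is added.
# The three increments mirror the original setvar actions, with the
# critical value (5 by default) swapped for the notice value (2 by default).
SecRuleUpdateActionById 951220:1 \
    "setvar:'tx.outbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.notice_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
```

One caveat worth checking before relying on this: the v2 reference manual linked above states that SecRuleUpdateActionById overwrites only actions that may appear once in a rule, while actions that may appear several times (setvar among them) are appended to the existing list. If that applies in your build, the chained rule would carry both the critical and the notice increments after the update. Raising SecDebugLogLevel on a test instance and watching which setvar operations fire for a known-matching response is the quickest way to confirm what actually happened to the score.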

PedroFTW commented 3 years ago

@azurit Thanks for your help. I was able to solve my problem with your help.