-
Notifications
You must be signed in to change notification settings - Fork 724
-
Notifications
You must be signed in to change notification settings - Fork 724
Improve SQL character anomaly rules (942420/942430) #317
Comments
These rules are very hard to deal with. We have talked about them a great deal and still we 942420: This rule targets only cookies and cookie names and as is, there is a limit of 8 special I have tried to run a body of about legitimate 8K requests against this rule and change the
As you can see, there is a large group of FPs which does not disappear even with a limit of Here are the numbers in detail. Percents calculated again a number of 8262 reqs (as the rule
So no matter how high the limit, there are FPs, that won't go away. I have then checked out the I think this warrants Walter's call to push these rules to higher paranoia levels, I suggest to
These limits are based on the numbers above. I doubt my traffic is representative, but it's the I have also looked into attack traffic based on a body of nikto/sqlmap requests. But these two Let's turn to 942430. This rule works on the the arguments: Here we see a substantial reduction of FPs when we raise the limit:
So we have fewer FPs and they get fewer with a growing limit. When looking at the attack traffic,
I think this rule clearly had its merits. It catches a substantial amount of attacks. The So I suggest the following:
With these limits, we catch 10%, 20% and 28% of the attacks in my test set. I am open to a debate about the individual limits. The ones I propose are reasonable, I think. Leaving 942420 out of PL2 and having 942430 present in PL2 also seems the right move right now. |
I forgot to add that setting the anomaly score to "anomaly" / 4 for these rules and siblings seems a good idea to me. |
Terrific stats! This is exactly what we need. The graphs show clearly that we can make these rules more palatable with small changes. I think you're right on the mark with the basic character limits and paranoia levels. I'm not yet fully convinced on the stricter sibling paranoia levels. This is mainly because of the 'stacking effect' of the multiple subling rules firing. which causes the total score to go beyond anomaly to critical severity. So if a person is running at PL3, hitting the regexp of 942430 with just 6 characters will cause 2 times the anomaly score, so a critical score. This is a much more strong effect than CRS2's anomaly score, which I already found hard to deal with in production. It's a hard call, as I also agree that increasing paranoia can definitely have such effects, but I think with such FP prone rules, I have a slight preference for reserving them for PL4 and PL5 respectively. So I would prefer:
|
Thanks for the feedback Walter. We have defined PL 0-4. Of course, this is completely arbitrary and there might be need for PL5, but maybe not just yet because of this single rule. These rules are a nuisance, but people using higher PLs should be willing to carry that burden. We could lighten it by adding a proposal for a tuning rule / whitelisting rule / ignore rule in the documentation / comment section above the rule. This could be as simple as:
I'd do the same with 942420 as well. |
Ah, you're right, PL4 is the max currently! I was confused by PL1 being the default. So, PL3 and PL4 are the strongest levels. Then a user probably won't get too confused by false positives. So this choice of levels is acceptable to me! |
Thank you. |
Implemented in pull request 334. |
Pull has been merged. Issue solved. |
As part of the CRS3 paranoia project, we will be discussing possible stricter siblings for some rules.
The first two rules, 'SQL Injection Character Anomaly Usage' 942420/942430 (old ids: 981173/981172), are some of the most controversial rules in CRS2 (in my opinion). They cause a lousy user experience due to very high false positives in many web applications. So we should think carefully what to do with them.
981173 : SQL Injection Character Anomaly Usage
981172 : SQL Injection Character Anomaly Usage
My initial impression: These characters in the regexps in themselves can be normal. But if you're a smart attacker and you tamper a lot, you might be able to do an SQL injection with mostly special characters and few detectable keywords, but you might need a lot of these characters. At the same time, in CRS3 we now have
@detectSQLi
in our toolbox, so we have more diversity in detecting SQLi. So, I'm for keeping these rules in the CRS, but move them a moderately high paranoia level, maybe even PL3.However since these characters are so normal, and a rule hit can happen for benign reasons, I would prefer to keep those rules at 'anomaly' level, because they hit FP so often that they made CRS2 almost unusuable from time to time.
If a higher sibling hits, the lower sibling has also hit by definition (due to our earlier decision to allow multiple sibling rules firing). So that means that if you hit the base rule plus a higher sibling, you get an incoming score of 4 (for 942430) + 4 (for 942431) = 8 which is critical. This means that people running at high PL might actually be troubled more by this rule than a CRS2 user is right now. I think that people would probably not want that, unless the character limit on the sibling is very high. So I think we don't absolutely need stricter siblings for these ones, but if we'd add them, then maybe I’d put the siblings at a very high paranoia level like PL4-5, and give them a pretty high character limit.
As for the character limits, it would be helpful if we would have some test traffic of attacks carried out with only these kinds of characters. I remember reading some examples, so I'm pretty sure it can be done, but I’m not 100% sure if a useful injection can be done within the CRS2 character limits, so there might be a specific reason for them, and using stricter limits MIGHT not help much. It’s a tough call without that information.
Christian said: I tried to reduce the FPs for 942420 and 942430 in pl2. But to no avail. The legitimate traffic simply has a ton of those and raising the limits a bit does not change much (+2 -~> 10% reduction).
The text was updated successfully, but these errors were encountered: