Improve invalid character rule (960901/920270) #323
Comments
One thing I do not understand with this rule is, why Request-Header Referer is excluded. This allows the Referer to carry null characters. The standard rule restricts to ascii 1-255. The 2.2.X rules carry an optional rule, which does 32-126 and includes REQUEST_BODY. Paranoia Mode gives us more options. Here is my proposal:
So, PL1 remains the same, old optional rule moves to PL3. PL2 and PL4 are new variants. Outside of this, I am inclined to remove the exclusion for Referer on PL1/2/3. And I plan to add REQUEST_BODY to PL3 and PL4. |
Ran some tests. For 920273, I had to disable all the Request-Headers or FPs would skyrocket. Then I added - _ = & to reduce the remaining FPs. This brings us to the following stats based on a sample of 8K legitimate requests and 24K attacking request.
I see two issues with this. There are not enough real positives on PL3 and still too many false positives in PL4. |
Must we alter the rules for every single paranoia level then? Would it significantly limit PM in its purpose if we did something like this?
This is just an example; not further interfering on PL4 but also not providing significant improvements on security from PL3. I think one divergent rule - in terms of FP's, like 920273 - across a certain PL could really throw off the whole concept since no one would ever run that level. |
@zinoe A bit of tinkering seems worthwhile if we can improve the stats. In fact two adjustments did the trick for me: PL3: Exclude %. This does not affect the reaction on my legitimate test traffic much, but it raises the real positives on the attack traffic significantly. And for PL4: Allow , . : This brings us to:
My new stats:
I think this is close to a sweet spot. PL4 brings a lot of false positives, but I assume users accept that when running in PL4. The other positive numbers look good to me: The attacks are substantially more affected. Where I am unsure is the exclusion of REQUEST_HEADERS from the strict charset of PL4. And finally: All these rules give a score of 4. I wonder if we do not want to raise this to 5. The stats make this useful in my eyes. The proposed rule 920273 is so strict, I can not see how an attack could be possible (ruling out extremely stupid applications of course) with 920273. Setting an anomaly limit of 5 would then block with 920973. |
Fair enough. The stats definitely talk for them selfs. Thanks for the detailed approach - well done. |
Hold on. This is still in my queue. I just wanted to have the DDoS stuff merged before I continue to work on a 2nd controversial PR. I have made a bit progress since April though, and my plan is to have it ready for RC1. The REQUEST_HEADERS make this really quite difficult, but I would really like to include them as well. Thoughts on raising the score to 5? I means it's an invalid character. Invalid characters should be blocked. |
I'll review the DOS stuff today. I think the score at 5 makes sense as this is specified in the RFC. "
" |
Thank you. Probably one of the reasons > 127 is never seen. :) This means that the ranges for the various PLs will need to be adjusted. |
I tried to stick with the lower ASCII range, but this gives an impressive amount of FPs. I think the high range is used in request bodies. So I am only restricting it in higher PLs. |
See PR #435. |
Has been merged. Thus closing. |
As part of the CRS3 paranoia project, we will be discussing possible stricter siblings for some rules. The goal of this series of issues is to discuss the exact details.
This issue brings up rule 960901 (2.2.x) / 920270 (3.0.0-rc1). Information on the proposed changes can be found here.
Please add your thoughts, proposals or concerns in the comment section.
The text was updated successfully, but these errors were encountered: