CRS has a set of rules for SQL Data Leakages, and I want to maintain them, but want to change its severity from CRITICAL to NOTICE, so one match won't instantly block a request.
I can't change the outbound anomaly score limit, since all the other rules work efficiently with the current score.
Note that the 95* rules in CRS are all chained rules.
I tried updating the severity using SecRuleUpdateActionById, but it didn't work.
SecRuleUpdateActionById 951110 "severity:'NOTICE'"
Now, this is the example rule above:
SecRule TX:sql_error_match "@eq 1" \
    "id:951110,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Microsoft Access SQL Information Leakage',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-msaccess',\
    tag:'attack-disclosure',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/118/116/54',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.0',\
    severity:'CRITICAL',\
    chain"
    SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
        "capture,\
        setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
It seems I need to update both the severity level (which didn't change with my commented ruling), and also the setvar actions that exist in the chained rule.
Any ideas on how to do that?
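One way to get both changes at once (the severity and the second rule's score increments) is to remove the stock rule and redefine it in the after-CRS exclusion file. This is an added example, not from the original post or from the CRS project; it assumes the CRS 3.3.0 default variables from crs-setup.conf (tx.notice_anomaly_score = 2, tx.critical_anomaly_score = 5, outbound threshold 4), that the file is loaded after the CRS rule files, and that a local rule id from the 1-99,999 range is acceptable.

```apache
# Added example (not from the original post or the CRS project).
# Place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf so it is parsed after
# the stock 951110. SecRuleUpdateActionById keys on a rule id, and only the
# first link of a chain carries one, so the chained rule's setvar actions are
# out of its reach; removing and redefining the whole chain avoids that.

# 1. Drop the stock chain (both rules go with it).
SecRuleRemoveById 951110

# 2. Redefine it under a local id (51110 is an assumed choice) with NOTICE
#    severity and NOTICE-weighted increments, so a single match adds 2 to the
#    outbound score instead of 5 and stays below the default threshold of 4.
SecRule TX:sql_error_match "@eq 1" \
    "id:51110,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Microsoft Access SQL Information Leakage',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-msaccess',\
    tag:'attack-disclosure',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/118/116/54',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.0',\
    severity:'NOTICE',\
    chain"
    SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
        "capture,\
        setvar:'tx.outbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
        setvar:'tx.sql_injection_score=+%{tx.notice_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
```

After reloading, check the audit log for the redefined id and confirm that a single leakage match logs at NOTICE and leaves the outbound anomaly score under the threshold, while several matches in one response still add up and block.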