ModSecurity CRS Rule Description Template

- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to    the OWASP ModSecurity Core Rule Set (CRS) Project. - Project participants are encouraged to copy this template and create landing pages for each CRS rule - Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)

Rule ID: XXXXX
Detailed Rule Information  Provide detailed information about the rule construction such as: A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool) Example Payload  Provide an example payload that will trigger this rule.
 * Why the variable list specified was used
 * What actions are used and why

Example Apache log entry or HTTP payload captured by another tool Example Audit Log Entry  Include an example ModSecurity Audit Log Entry for when this rule matchs. Audit Log Entry Attack Scenarios  Provide any data around "how" the attack is carried out. Ease of Attack  How easy is it for an attacker to carry out the attack? Ease of Detection  How easy is it for a defender to use ModSecurity to accurately detect this attack? False Positives  If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives

Send FP Report emails here: mod-security-report-false-positiveslists.sourceforge.net False Negatives  Are there any know issues with evasions or how an attacker might bypass detection? <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > 10 point scale (0-9) where: 0 = Beta/Experimental 9 = Heavily Tested <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > 10 point scale (0-9) where: 0 = High % of FP 5 = No false positives reported <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s) <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > Specify your name and email if you want credit for the rule or documentation of it. Example: Ryan Barnett - ryan.barnettowasp.org <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).