You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 14, 2020. It is now read-only.
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+75-3Lines changed: 75 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -73,7 +73,79 @@ please adhere to the following contributing guidelines.
73
73
skipAfter
74
74
```
75
75
76
-
FIXME:
76
+
## Variables naming conventions
77
+
78
+
* Variable names are lowercase using chars from `[a-z0-9_]`
79
+
* To somewhat reflect the fact that the syntax for variable usage is different when you define it (using setvar) and when you use it, we propose the following visual distinction:
80
+
* Lowercase letters for collection, dot as separator, variable name. E.g: `setvar:tx.foo_bar_variable`
81
+
* Capital letters for collection, colon as separator, variable name. E.g: `SecRule TX:foo_bar_variable`
82
+
83
+
## Rules compliance with each Paranoia Level (PL)
84
+
85
+
Rules in the CRS are organized in Paranoia Levels, which allows you to choose the desired level of rule checks.
86
+
87
+
Please read file ```crs-setup.conf.example``` for introduction and a more detailed explanation of Paranoia Levels in the section `# -- [[ Paranoia Level Initialization ]]`.
88
+
89
+
**PL0:**
90
+
91
+
* Modsec installed, but almost no rules
92
+
93
+
**PL1:**
94
+
95
+
* Default level, keep in mind that most installations will normally use this one.
96
+
* If there is a complex memory consuming/evaluation rule it surely will be on upper levels, not this one
97
+
* Normally we will use atomic checks in single rules
98
+
* Confirmed matches only, all scores are allowed
99
+
* No false positives / Low FP (Try to avoid adding rules with potential false positives!)
100
+
* False negatives could happen
101
+
102
+
**PL2:**
103
+
104
+
* Chains usage are OK
105
+
* Confirmed matches use score critical
106
+
* Matches that cause false positives are limited to use score notice or warning
107
+
* Low False positive rates
108
+
* False negatives are not desirable
109
+
110
+
**PL3:**
111
+
112
+
* Chains usage with complex regex look arounds and macro expansions
113
+
* Confirmed matches use score warning or critical
114
+
* Matches that cause false positives are limited to use score notice
115
+
* False positive rates increased but limited to multiple matches (not single string)
116
+
* False negatives should be a very unlikely accident
117
+
118
+
**PL4:**
119
+
120
+
* Every item is inspected
121
+
* Variable creations allowed to avoid engine limitations
122
+
* Confirmed matches use score notice, warning or critical
123
+
* Matches that cause false positives are limited to use score notice and warning
124
+
* False positive rates increased (even on single string)
125
+
* False negatives should not happen here
126
+
* Check everything against RFC and white listed values for most popular elements
127
+
128
+
129
+
## ID Numbering Scheme
130
+
131
+
The CRS project used the numerical id rule namespace from 900,000 to 999,999 for the CRS rules as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages.
132
+
133
+
Rules applying to the incoming request use the id range 900,000 to 949,999.
134
+
Rules applying to the outgoing response use the id range 950,000 to 999,999.
135
+
136
+
The rules are grouped by vulnerability class they address (SQLi, RCE, etc.) or functionality (initialization). These groups occupy blocks of thousands (e.g. SQLi: 942,000 - 942,999).
137
+
The grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule ids defined within the file (e.g. SQLi: REQUEST-942-APPLICATION-ATTACK-SQLI.conf).
138
+
139
+
The individual rule files for the vulnerability classes are organized by the paranoia level of the rules. PL 1 is first, then PL 2 etc.
140
+
141
+
The block from 9XX000 - 9XX099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block.
142
+
143
+
Among the rules serving a CRS helper functionality are rules that skip rules depending on the paranoia level. These rules always use the following reserved rule ids: 9XX011-9XX018 with very few exceptions.
144
+
145
+
The blocking or filter rules start with 9XX100 with a step width of 10. E.g. 9XX100, 9XX110, 9XX120 etc. The rule id does not correspond directly with the paranoia level of a rule. Given the size of a rule group and the organization by lower PL rules first, PL2 and above tend to have rule IDs with higher numbers.
146
+
147
+
Within a rule file / block, there are sometimes smaller groups of rules that belong to together. They are closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different target in a second rule where this was necessary). These are stricter siblings of the base rule. Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one. E.g. Base rule at 9XX160, stricter sibling at 9XX161.
148
+
149
+
Stricter siblings often have a different paranoia level. This means that the base rule and the stricter sibling do not reside next to one another in the rule file. Instead they are ordered in their appropriate paranoia level and can be linked via the first digits of the rule id. It is a good practice to introduce stricter siblings together with the base rule in the comments of the base rule and to reference the base rule with the keyword stricter sibling in the comments of the stricter sibling. E.g. "... This is
150
+
performed in two separate stricter siblings of this rule: 9XXXX1 and 9XXXX2", "This is a stricter sibling of rule 9XXXX0."
0 commit comments