OWASP CRS Request
Overview
The OWASP CRS Request Traffic Policy action enables OWASP (Open Worldwide Application Security Project) CRS (previously Core Rule Set), a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.
The owasp-crs-request
action only enables rule processing on incoming HTTP requests to your
endpoint. In addition to this action, we also recommend you enable the OWASP CRS Response
action to analyze outgoing HTTP responses from your endpoint.
Configuration Reference
This is the Traffic Policy configuration reference for this action.
Supported Phases
on_http_request
Type
owasp-crs-request
Configuration Fields
on_errorstringRequired
Behavior if there is an error. Must be one of either "continue" or "halt" (default "halt")
More information can be found in the Managing Fallback Behavior section.
process_bodybool
If false, we do not process rules for the request body. Default is false.
Behavior
This action evaluates rules for request headers and body (when process_body
is enabled), and each matching rule adds to the overall score of a request. If the score exceeds the set score threshold, the action will block the request.
The tallying process is called Anomaly Scoring, and is detailed on the CRS website.
Default Behavior
The default behavior for this action is based on the following Coraza directives and rules from v4.14.0 of the CRS:
Included in these rules is an inbound anomaly score threshold of 5 and a paranoia level of 1.
Body Processing
When process_body
is enabled, bodies will be partially processed and evaluated for their first 128KiB. The rest of the body will not be processed and will be ignored.
Managing Fallback Behavior (on_error
)
If on_error
is set to halt
(default) and the action encounters an error when forwarding traffic, the Traffic Policy chain will halt and no further actions will be executed. For example, if you have a log
action after the owasp-crs-request
action, the log
action will not be run and the error will be returned.
However, if on_error
is set to continue
, actions that appear after the owasp-crs-request
action will still be executed even if the owasp-crs-request
action encounters an error.
Inbound Anomaly Score Threshold Exceeded
If the anomaly score accumulated from matching rules exceeds the threshold, ngrok blocks the request with a HTTP 403
response. The request does not make it to your upstream.
Failure to process the body correctly
If ngrok is unable to read the request body correctly, ngrok blocks the request with a HTTP 500
response. The request does not make it to your upstream.
Examples
Running in block mode
The following configuration demonstrates how to run the owasp-crs-request
action in block mode.
Example Traffic Policy Document
Loading…
Running in test mode
The following configuration demonstrates how to run the owasp-crs-request
action in test mode where rules are evaluated but blocks are not enforced.
Example Traffic Policy Document
Loading…
Example request that ngrok would block
In this example, we attempt to connect to example.ngrok.app
using the
curl
command, and ngrok blocks the request returning back ERR_NGROK_3700
Loading…
Loading…
Action Result Variables
The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.
actions.ngrok.owasp_crs_request.decisionstring
The action taken for this request.
- Possible values
allow
- If the request was permitted.deny
- If the request was denied.
actions.ngrok.owasp_crs_request.anomaly_scoreint
The total anomaly score for the request. If it equals to or exceeds the set threshold, it will block the request.
actions.ngrok.owasp_crs_request.anomaly_score_thresholdint
The total anomaly score threshold for the request. By default, it is set to 5.
actions.ngrok.owasp_crs_request.matched_rulesarray of objects
The list of all rules matched by this request that have a non-zero score.
actions.ngrok.owasp_crs_request.error.codestring
A machine-readable code describing an error that occurred during the action's execution.
actions.ngrok.owasp_crs_request.error.messagestring
A human-readable message providing details about an error that occurred during the action's execution.