Reference and Tag with CAPEC IDs consistently

[dune73]

CAPEC: Common Attack Pattern Enumeration and Classification (https://capec.mitre.org/)

We have a few rules with CAPEC tags and links to CAPEC descriptions in their comments. But so far this, has not been done in a consistent way. A systematic approach is necessary. It would also be the base for consistent attack statistics.

Part of the task is a discussion if we want to abandon the incomplete OWASP tags - or not.

[dune73]

This topics has been discussed in #924 and in a chat as well.

Copying over the summary of the discussion:

We talked about this for a great length during the chat. Here are the important bits:

• The tagging used in CRS is not systematic. We would like to streamline it.
• Tags eat up space in the alert message and can be cut when the alert message is made to fit the Apache error.log line length. The less tags, the better. Everybody agreed on this.
• Many rules use WASC taxonomy, but that's probably dead.
• CVE might be fun, but the way the users and the project works and how CVEs hit the news, we'll always be late.
• CAPEC are an alternative to CWE that should be examined. It feels like CAPEC is the better option.
• We expect this to be very cumbersome work - and it's only worth it, when it is done completely covering all the rules.
• If we would be able to write the tags with the alerts, very interesting statistics could generated that would be of interest to a wider community far beyond ours.

What is CAPEC and what is the relationship to CWE?
https://cwe.mitre.org/about/faq.html#A.7 has the following to say: "While CWE is a list of software weakness types, Common Attack Pattern Enumeration and Classification (CAPEC™) is a list of the most common methods attackers use to exploit vulnerabilities resulting from CWEs. Used together, CWE and CAPEC provide understanding and guidance to software development personnel of all levels as to where and how their software is likely to be attacked, thereby equipping them with the information they need to help them build more secure software."

It is thus that CAPEC is more attack oriented and thus closer to our rules and their categories.

CAPEC Intro

[csanders-git]

We shall also go through and note the changes to OWASP top 10 tags

[fzipi]

Will try to get this done, based on what we discussed in the summit.

[dune73]

That would be huge, Felipe!

[fzipi]

Yesterday I had a meeting with one potential student. He will begin playing with msc_pyparser to get a document with all tags per rule.

Officially he may start by the end of November. We'll see.

[dune73]

This sounds very good. Is there anything we should do to make this work?

Also: Would this be a moment, where we get in touch with any OWASP projects that might profit from this / might be interested in our data? (First task: Find out which OWASP project might qualify).