Hey Cristian,

No, this works perfectly. Let me tell you why:

The crs-setup.conf does not actually set the threshold. Instead the
REQUEST-901 initialization file sets the threshold to the default value
if it is not set.

You are setting the anomaly score in your rule file in modsecurity, so no
need to set it to the default during the initialization.

This is very close to what I personally favor: Setting it in the server
config and not in an include. That way the threshold is always in plain sight.
Same for paranoia level btw.

Ahoj,

Christian


On Mon, Dec 04, 2017 at 02:21:39PM +0100, Cristian Mammoli wrote:
> Hi, I'm using CRS 3.0.2 on ModSec 2.9.2
> 
> I'm including crs like this:
> 
> [root@waf01 ~]# tail -n 3 /etc/httpd/conf.d/000_mod_security.conf
> IncludeOptional /etc/httpd/modsecurity.d/*.conf
> IncludeOptional /etc/httpd/crs/crs-setup.conf
> IncludeOptional /etc/httpd/crs/rules/*.conf
> 
> I'm using rules in modsecurity.d/ for custom rules and so on
> I would expect that setting tx.anomaly_score in a rule file in modsecurity.d
> would make no sense, since the var gets reset in
> crs/rules/REQUEST-901-INITIALIZATION.conf (901200) which gets loaded AFTER
> my rules.
> 
> But it somehow works, for example this rule in
> modsecurity.d/local_rules.conf
> 
> # Spamhaus XBL (scoring)
> SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org" \
>   "msg:'Client IP in xbl.spamhaus.org.',\
>   severity:'CRITICAL',\
>   id:10003,\
>   phase:request,\
>   pass,\
>   t:none,\
>   tag:'application-multi',\
>   tag:'language-multi',\
>   tag:'platform-multi',\
>   tag:'attack-reputation-ip',\
>   setvar:'tx.msg=%{rule.msg}',\
>   setvar:tx.anomaly_score=+10,\
>   setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
> 
> The additional 10 points get counted in the final TX:inbound_anomaly_score
> and cause the request to be rejected.
> 
> This is _exactly_ what I want :) But as far as I understand it shouldn't
> work or I don't get in which order the rules are included and evaluated
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
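
The arrangement described in the reply above, written out as a server config. This is an added example, not part of the original messages or of the CRS files. The rule ids 10010-10012 and the threshold values are assumptions; the include paths are the ones from the quoted message.

```apache
# Added example (Apache + ModSecurity 2.9.x, CRS 3.0.x).
# Rule ids 10010-10012 are constructed, taken from the same local range as
# rule 10003 in the quoted message; the values shown are illustrative.

# 1) Threshold and paranoia level in plain sight, before any CRS include.
SecAction \
  "id:10010,\
  phase:1,\
  pass,\
  nolog,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

SecAction \
  "id:10011,\
  phase:1,\
  pass,\
  nolog,\
  t:none,\
  setvar:tx.paranoia_level=1"

# 2) CRS includes. REQUEST-901 assigns a default only to a variable that is
#    still unset when it runs (a test of the form &TX:name "@eq 0"), so the
#    values from step 1 are kept. A setvar for the same variables that is
#    active in crs-setup.conf runs later in phase 1 and would overwrite them,
#    so leave those settings commented out there.
IncludeOptional /etc/httpd/crs/crs-setup.conf
IncludeOptional /etc/httpd/crs/rules/*.conf

# 3) Check: log the values each transaction actually ran with.
SecAction \
  "id:10012,\
  phase:5,\
  pass,\
  log,\
  t:none,\
  msg:'CRS in effect: threshold=%{tx.inbound_anomaly_score_threshold} PL=%{tx.paranoia_level} score=%{tx.anomaly_score}'"
```

Rule 10012 writes one error-log line per transaction, so enable it only while verifying the setup.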