Hey Cristian,

No, this works perfectly. Let me tell you why:

The crs-setup.conf does not actually set the threshold. Instead the REQUEST-901 initialization file sets the threshold to the default value if it is not set. You are setting the anomaly score in your rule file in modsecurity, so no need to set it to the default during the initialization. This is very close to what I personally favor: Setting it in the server config and not in an include. That way the threshold is always in plain sight. Same for paranoia level btw.

Ahoj,

Christian

On Mon, Dec 04, 2017 at 02:21:39PM +0100, Cristian Mammoli wrote:
> Hi, I'm using CRS 3.0.2 on ModSec 2.9.2
>
> I'm including crs like this:
>
> [root@waf01 ~]# tail -n 3 /etc/httpd/conf.d/000_mod_security.conf
> IncludeOptional /etc/httpd/modsecurity.d/*.conf
> IncludeOptional /etc/httpd/crs/crs-setup.conf
> IncludeOptional /etc/httpd/crs/rules/*.conf
>
> I'm using rules in modsecurity.d/ for custom rules and so on
> I would expect that setting tx.anomaly_score in a rule file in modsecurity.d
> would make no sense, since the var gets reset in
> crs/rules/REQUEST-901-INITIALIZATION.conf (901200) which gets loaded AFTER
> my rules.
>
> But it somehow works, for example this rule in
> modsecurity.d/local_rules.conf
>
> # Spamhaus XBL (scoring)
> SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org" \
> "msg:'Client IP in xbl.spamhaus.org.',\
> severity:'CRITICAL',\
> id:10003,\
> phase:request,\
> pass,\
> t:none,\
> tag:'application-multi',\
> tag:'language-multi',\
> tag:'platform-multi',\
> tag:'attack-reputation-ip',\
> setvar:'tx.msg=%{rule.msg}',\
> setvar:tx.anomaly_score=+10,\
> setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
>
> The additional 10 points get counted in the final TX:inbound_anomaly_score
> and cause the request to be rejected.
>
> This is _exactly_ what I want :) But as far as I understand it shouldn't
> work or I don't get in which order the rules are included and evaluated
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
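An added example (not part of either message, and not the project's own configuration) of the layout the reply favors: threshold and paranoia level set in the server config ahead of the CRS includes, so the 901 initialization finds them already set and leaves them alone. The rule ids 10010 and 10011 and the values shown are assumptions chosen for illustration; the include paths are the ones from the quoted message.

```apache
# /etc/httpd/conf.d/000_mod_security.conf (sketch)
# ids 10010 and 10011 are hypothetical local ids; use ones that are free
# in your own setup.

# Blocking thresholds, visible in the server config rather than in an include.
# 5 (inbound) and 4 (outbound) are the CRS 3 default values.
SecAction \
    "id:10010,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# Paranoia level, set the same way. 1 is the CRS 3 default.
SecAction \
    "id:10011,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:tx.paranoia_level=1"

# Includes in the same order as in the quoted message.
IncludeOptional /etc/httpd/modsecurity.d/*.conf
IncludeOptional /etc/httpd/crs/crs-setup.conf
IncludeOptional /etc/httpd/crs/rules/*.conf

# The initialization file follows a "set only if unset" pattern. The shape of
# such a rule (illustration, not copied from the CRS file):
#   SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
#       "...,setvar:tx.inbound_anomaly_score_threshold=5"
# &TX:name counts how many variables of that name exist, so the default is
# applied only when nothing earlier has defined the threshold.
```

If crs-setup.conf also sets these variables in an uncommented SecAction, that later phase 1 action runs after the ones above and its value wins, so keep a single definition.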