Hello... Apologies for what is probably a very basic question. I've noticed some rules are marked with severity 2 (critical, by default) but seem to use a different level when doing anomaly scoring -- for example:
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.2.1',t:none,block,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"

This rule uses severity:'2' but uses the 'notice' level for anomaly scoring: setvar:tx.policy_score=+%{tx.notice_anomaly_score}.

Perhaps the answer to this may simply be that things can and sometimes should be scored differently when doing anomaly scoring -- is that right? It seems a little odd when looking at logs (or AuditConsole) to see things marked 'critical' but that don't get scored that way.

Thanks--
-steve

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

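The mismatch Steve describes (a rule tagged severity:'2', i.e. CRITICAL, that only adds the notice-level score to tx.anomaly_score) is easy to audit across a whole CRS 2.x rule file. The following script is an added example, not part of the list post and not CRS or ModSecurity project code. It assumes the CRS 2.x convention that severity 2/3/4/5 correspond to the critical/error/warning/notice anomaly-score levels (tx.critical_anomaly_score etc. in the default setup) and that rules are wrapped with trailing-backslash continuation lines, as the CRS files are. The first sample rule is 960017 exactly as quoted in the post; the second rule (id 999001) is constructed for contrast and does not exist in the CRS.

```python
import re

# ModSecurity numeric severities: severity:'2' is CRITICAL.
SEVERITY_NAME = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                 4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Assumption (CRS 2.x convention): which tx.<level>_anomaly_score a rule of a
# given severity is expected to add. Anything else is flagged as a mismatch.
SEVERITY_TO_LEVEL = {2: "critical", 3: "error", 4: "warning", 5: "notice"}

RULE_ID_RE = re.compile(r"(?<![\w.])id:'?(\d+)'?")
SEVERITY_RE = re.compile(r"severity:'?(\d)'?")
# setvar:tx.<counter>=+%{tx.<level>_anomaly_score}
SCORE_RE = re.compile(r"setvar:'?tx\.(\w+)=\+%\{tx\.(\w+)_anomaly_score\}'?")


def join_continuations(config_text):
    """Join backslash-continued lines so each SecRule occupies one line."""
    return re.sub(r"\\\n\s*", "", config_text)


def audit_rule(rule_text):
    """Compare a rule's declared severity with the score levels it actually adds."""
    rid = RULE_ID_RE.search(rule_text)
    sev = SEVERITY_RE.search(rule_text)
    severity = int(sev.group(1)) if sev else None
    expected = SEVERITY_TO_LEVEL.get(severity)
    # counter name -> level name, e.g. {"anomaly_score": "notice"}
    levels = {counter: level for counter, level in SCORE_RE.findall(rule_text)}
    mismatched = sorted(c for c, lvl in levels.items()
                        if expected is not None and lvl != expected)
    return {
        "id": rid.group(1) if rid else None,
        "severity": severity,
        "severity_name": SEVERITY_NAME.get(severity),
        "expected_level": expected,
        "score_levels": levels,
        "mismatched_counters": mismatched,
    }


def audit_config(config_text):
    """Audit every SecRule in a config fragment; comments and directives are skipped."""
    lines = join_continuations(config_text).splitlines()
    return [audit_rule(l) for l in lines if l.lstrip().startswith("SecRule")]


# Sample input (constructed for this example): rule 960017 as quoted on the
# list, followed by a made-up rule whose severity and score level agree.
SAMPLE_CONFIG = r"""
# protocol anomalies
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
    "phase:2,rev:'2.2.1',t:none,block,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"

# constructed rule, not in the CRS: severity 2 and critical-level scoring agree
SecRule ARGS "@rx constructed-example" \
    "phase:2,t:none,block,msg:'Constructed example',severity:'2',id:'999001', \
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
    setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}"
"""


def report(config_text):
    """Human-readable summary, one line per rule."""
    out = []
    for r in audit_config(config_text):
        status = ("MISMATCH on " + ", ".join(r["mismatched_counters"])
                  if r["mismatched_counters"] else "ok")
        out.append(f"rule {r['id']}: severity {r['severity']} ({r['severity_name']}), "
                   f"scores {r['score_levels']} -> {status}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against the real CRS 2.x .conf files (concatenate them into config_text) to list every rule whose log severity and anomaly-score contribution diverge; that list is what explains why AuditConsole shows CRITICAL entries that barely move tx.anomaly_score.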