Understood. You will want to disable rule ID 981203 in the 60 correlation file -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_60_correlation.conf

Add a custom rule file called modsecurity_crs_99_custom.conf and add in - 
SecRuleRemoveById 981203

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs


From: Avi Rosenblatt <a...@greensmoke.net>
Date: Thursday, November 15, 2012 5:38 AM
To: Ryan Barnett <rbarn...@trustwave.com>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Anomaly Scoring logging

Perhaps I should clarify what I'm looking for.
I would like mod security to be quiet unless the anomaly score threshold is 
met. When met, there should be one line in the Apache error log indicating such 
and the audit log should have multiple 'Message:'s in the 'H' section describing the 
rules that contributed to the score.

Thanx
Avi

On 2012-11-14, at 8:38 PM, Avi Rosenblatt <a...@greensmoke.net> wrote:

Thanx for the response.
I used that blog post as a guide and set SecDefaultAction to 
"phase:2,pass,nolog,auditlog" but I still get Apache log messages for rule 
matches even though their score is below the threshold.
By the way I am using v2.2.5 of the OWASP CRS.
Thanx
Avi

On 2012-11-14, at 7:09 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

Please refer to this blog post -
http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html

Specifically the section on "Alert Management - Correlated Events".

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs


On 11/14/12 9:41 AM, "Avi Rosenblatt" <a...@greensmoke.net> wrote:

Hi,
I have configured the CRS to use anomaly scoring and raised the inbound
score level in order to reduce false positives. I'm currently running our
server in detectiononly mode and I'm getting error log and audit log
messages for any rule match regardless of score. Is there a way to only
log messages when a threshold has been reached? Thanx in advance for the
help.

Avi
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set



________________________________

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.



