That works for the error log. Thanx. The issue I'm having now is that the audit log is still very chatty. It's still logging all rule matches.

Thanx
Avi

On 2012-11-15, at 4:23 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

> Understood. You will want to disable rule ID 981203 in the 60 correlation
> file -
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_60_correlation.conf
>
> Add a custom rule file called modsecurity_crs_99_custom.conf and add in -
> SecRuleRemoveById 981203
>
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave - SpiderLabs
>
>
> From: Avi Rosenblatt <a...@greensmoke.net>
> Date: Thursday, November 15, 2012 5:38 AM
> To: Ryan Barnett <rbarn...@trustwave.com>,
> "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Anomaly Scoring logging
>
>> Perhaps I should clarify what I'm looking for.
>> I would like mod security to be quiet unless the anomaly score threshold is
>> met. When met, there should be one line in the apache error log indicating
>> such and the audit log should have multiple 'Message:'s in the 'H' section
>> describing the rules that contributed to the score.
>>
>> Thanx
>> Avi
>>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set