In anomaly scoring mode, CRS 2.2.8 no longer blocks based only on tx.anomaly_score exceeding the tx.inbound_anomaly_score_level.

Example:

- This rule worked on some previous CRS version. But, in 2.2.8, it does not block based on tx.anomaly_score:
SecRule REQUEST_URI "^/local/modsec/test$" "id:'10999',auditlog,block,msg:'LOCAL: modsec test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

- Appending setvar:'tx.%{rule.id}-local-modsec-test=bad' to the above rule "fixes" that:
SecRule REQUEST_URI "^/local/modsec/test$" "id:'10999',auditlog,block,msg:'LOCAL: modsec test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-local-modsec-test=bad'"


Here was the mod that changed the behavior to 
base_rules/modsecurity_crs_49_inbound_blocking.conf:
https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/b054a4d92a00812b031facb3f81dd70e728ae8b3

So, is the fact that CRS 2.2.8 no longer really blocks based only on tx.anomaly_score an unintended consequence?

-RP
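
A lint sketch for the situation described in the message above, added here and not part of the original post or of CRS: it lists local SecRule lines that add to tx.anomaly_score without also setting a TX variable whose name starts with the rule id and a hyphen. That naming test is an assumption inferred from the two rules in the message, not taken from the CRS blocking rule itself; SAMPLE_CONF is constructed from those two rules, and the function names are hypothetical.

```python
import re

# Constructed sample: the two rules from the message, each on one line.
SAMPLE_CONF = r'''
SecRule REQUEST_URI "^/local/modsec/test$" "id:'10999',auditlog,block,msg:'LOCAL: modsec test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
SecRule REQUEST_URI "^/local/modsec/test$" "id:'10999',auditlog,block,msg:'LOCAL: modsec test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-local-modsec-test=bad'"
'''

SETVAR = re.compile(r"setvar:'?(tx\.[^=,'\"]+)(?:=([^,'\"]*))?", re.I)
RULE_ID = re.compile(r"\bid:'?(\d+)")
# Assumption inferred from the message: a TX variable named "<rule id>-..."
# is what makes the second rule block where the first does not.
MARKER = re.compile(r"^tx\.\d+-")

def logical_lines(conf):
    """Join backslash-continued lines; yield (first_line_number, text)."""
    buf, start = "", 0
    for n, raw in enumerate(conf.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf = ""

def scoring_rules_without_marker(conf):
    """Return (line, rule id) for rules that raise tx.anomaly_score only."""
    findings = []
    for lineno, text in logical_lines(conf):
        if not text.lstrip().startswith("SecRule"):
            continue
        m = RULE_ID.search(text)
        rule_id = m.group(1) if m else "?"
        scores = has_marker = False
        for name, value in SETVAR.findall(text):
            # Expand the %{rule.id} macro the way the message's rule uses it.
            name = name.lower().replace("%{rule.id}", rule_id)
            if name == "tx.anomaly_score" and value.startswith("+"):
                scores = True
            elif MARKER.match(name):
                has_marker = True
        if scores and not has_marker:
            findings.append((lineno, rule_id))
    return findings

if __name__ == "__main__":
    for lineno, rule_id in scoring_rules_without_marker(SAMPLE_CONF):
        print(f"line {lineno}: rule {rule_id} scores but sets no tx.<id>- variable")
```

Chained rules are not followed; each SecRule line is checked on its own.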
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
