Hi,
I've not had time to test it myself, but this message seemed a bit
annoying and important, so I am surprised there was no "official"
response (from Ryan).
Would it be possible to have some opinions on this potential problem?
Many thanks in advance,
Damien
> In anomaly scoring mode, CRS 2.2.8 no longer blocks based only on
> tx.anomaly_score
> exceeding the tx.inbound_anomaly_score_level.
> Example:
> - This rule worked on some previous CRS version. But, in 2.2.8, it does not
> block based on tx.anomaly_score:
> SecRule REQUEST_URI "^/local/modsec/test$"
> "id:'10999',auditlog,block,msg:'LOCAL: modsec
> test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
> - Appending setvar:'tx.%{rule.id}-local-modsec-test=bad' to the above rule
> "fixes" that:
> SecRule REQUEST_URI "^/local/modsec/test$"
> "id:'10999',auditlog,block,msg:'LOCAL: modsec
> test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-local-modsec-test=bad'"
> Here was the mod that changed the behavior to
> base_rules/modsecurity_crs_49_inbound_blocking.conf:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/b054a4d92a00812b031facb3f81dd70e728ae8b3
> So, is the fact that CRS 2.2.8 now longer really blocks based only
> on tx.anomaly_score an unintended consequence ?
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
