FYI I am on vacation and will respond next week. Hopefully someone else can 
offer advice in my stead. 

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Aug 7, 2013, at 11:32 AM, Damien Wyart <damien.wy...@gmail.com> wrote:

> Hi,
> 
> I've not had time to test it myself, but this message seemed a bit
> annoying and important, so I am surprised there was no "official"
> response (from Ryan).
> 
> Would it be possible to have some opinions on this potential problem?
> 
> Many thanks in advance,
> 
> Damien
> 
>> In anomaly scoring mode, CRS 2.2.8 no longer blocks based only on 
>> tx.anomaly_score
>> exceeding the tx.inbound_anomaly_score_level.
> 
>> Example:
> 
>> - This rule worked on some previous CRS version. But, in 2.2.8, it does not 
>> block based on tx.anomaly_score:
>> SecRule REQUEST_URI "^/local/modsec/test$" 
>> "id:'10999',auditlog,block,msg:'LOCAL: modsec 
>> test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
> 
>> - Appending setvar:'tx.%{rule.id}-local-modsec-test=bad' to the above rule 
>> "fixes" that:
>> SecRule REQUEST_URI "^/local/modsec/test$" 
>> "id:'10999',auditlog,block,msg:'LOCAL: modsec 
>> test',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-local-modsec-test=bad'"
> 
> 
>> Here was the mod that changed the behavior to 
>> base_rules/modsecurity_crs_49_inbound_blocking.conf:
>> https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/b054a4d92a00812b031facb3f81dd70e728ae8b3
> 
>> So, is the fact that CRS 2.2.8 no longer really blocks based only
>> on tx.anomaly_score an unintended consequence?
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
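To make the reported difference concrete, here is a small Python model of the anomaly-scoring block decision. It is added as an illustration and is not code from ModSecurity, from the CRS, or from either poster. It applies the setvar actions of the two quoted rules to a TX collection and then evaluates the inbound threshold twice: once as a plain score comparison, and once with one extra condition, namely that a TX variable whose name begins with a rule id must exist. That extra condition is my assumption about what the linked 2.2.8 change added (the message links the commit but does not show its diff); the defaults for tx.critical_anomaly_score and tx.inbound_anomaly_score_level are constructed values, not the project's settings.

```python
import re

# Constructed defaults using the CRS variable names from the report; the
# numeric values are illustrative, not the project's own configuration.
DEFAULTS = {
    "tx.critical_anomaly_score": "5",
    "tx.inbound_anomaly_score_level": "5",
    "tx.anomaly_score_blocking": "on",
}

MACRO = re.compile(r"%\{([\w.]+)\}")


def run_rule(tx, rule):
    """Apply the setvar actions of a rule that has matched, expanding the
    %{tx.*}, %{rule.id} and %{rule.msg} macros. Returns the updated TX
    collection (keys lower-cased, as ModSecurity treats collection names)."""
    def expand(m):
        var = m.group(1).lower()
        if var == "rule.id":
            return rule["id"]
        if var == "rule.msg":
            return rule["msg"]
        return str(tx.get(var, ""))

    for action in rule["setvars"]:
        name, _, value = action.partition("=")
        name = MACRO.sub(expand, name).lower()
        if value.startswith("+"):   # setvar:tx.x=+N  -> numeric increment
            tx[name] = str(int(tx.get(name, "0")) + int(MACRO.sub(expand, value[1:])))
        else:                       # setvar:tx.x=val -> plain assignment
            tx[name] = MACRO.sub(expand, value)
    return tx


def score_exceeds_level(tx):
    """The threshold check both blocking models share."""
    return (tx.get("tx.anomaly_score_blocking") == "on"
            and int(tx.get("tx.anomaly_score", "0"))
            >= int(tx["tx.inbound_anomaly_score_level"]))


def has_rule_tagged_var(tx):
    """ASSUMPTION: the 2.2.8 blocking chain additionally requires a TX
    variable whose name starts with a digit, i.e. the tx.<rule id>-...
    variables that CRS rules set when they match."""
    return any(re.match(r"tx\.\d", name) for name in tx)


def would_block(tx, crs_228=True):
    """Blocking verdict: score threshold only (pre-2.2.8 model) or score
    threshold plus the assumed rule-tagged-variable condition (2.2.8 model)."""
    if not score_exceeds_level(tx):
        return False
    return has_rule_tagged_var(tx) if crs_228 else True


# The two rules quoted in the report, reduced to their setvar actions.
RULE_ORIGINAL = {
    "id": "10999",
    "msg": "LOCAL: modsec test",
    "setvars": [
        "tx.msg=%{rule.msg}",
        "tx.anomaly_score=+%{tx.critical_anomaly_score}",
    ],
}
RULE_WORKAROUND = {
    **RULE_ORIGINAL,
    "setvars": RULE_ORIGINAL["setvars"] + ["tx.%{rule.id}-local-modsec-test=bad"],
}


def evaluate(rule):
    """Run one rule against a fresh TX collection and report the verdict
    under both blocking models."""
    tx = run_rule(dict(DEFAULTS), rule)
    return {
        "anomaly_score": int(tx["tx.anomaly_score"]),
        "tagged_vars": sorted(k for k in tx if re.match(r"tx\.\d", k)),
        "blocks_before_2.2.8": would_block(tx, crs_228=False),
        "blocks_in_2.2.8": would_block(tx, crs_228=True),
    }


if __name__ == "__main__":
    for label, rule in (("original", RULE_ORIGINAL), ("workaround", RULE_WORKAROUND)):
        print(label, evaluate(rule))
```

Under this model the original rule reaches the threshold (score 5 against level 5) and would block on the old check alone, but not on the 2.2.8 check, because it sets no rule-id-tagged variable; the workaround variant creates tx.10999-local-modsec-test and so blocks under both. For a local rule that is meant to drive anomaly blocking, setting such a tagged TX variable alongside the score increment is the portable approach, and the thing to verify against a real install is the chained condition in base_rules/modsecurity_crs_49_inbound_blocking.conf rather than this model.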
