Re: [Owasp-modsecurity-core-rule-set] Anomaly scoring mode no longer blocks only on anomaly_score in CRS 2.2.8 ?

Thu, 08 Aug 2013 11:36:45 -0700 

Ah ok - my bad. Guess I didn't understand your original post properly :-(

So what I (now) think you saying is "some of the rules in
modsecurity_crs_41_sql_injection_attacks.conf will no longer work with
anomaly scoring blocking, as they don't include
"setvar:tx.%{rule.id}-SOMETHING". I had a look and see that if you
search for "setvar:'tx.%{tx.msg}-", you will get 22 hits. My guess is
that you are trying to say that these be changed to become
"setvar:'tx.%{tx.id}-"

Does that sum up what you are trying to say? That still doesn't add up
to me. The highlighted change only really altered the regex used -
moving from a number to a number terminated by a space. This won't
cause the issue you describe. I guess you are saying that since the
last time you coded your rule, this has changed, and this is the last
change on that file? The initial version of the file on 14th Sep 2012
had the line "SecRule TX:/^\d/ "(.*)"" which would still require
"setvar:tx.%{rule.id}-SOMETHING". I guess you need to explain what
your concern really is - well at least to me. Perhaps everyone else
understands already - sorry for been slow

Thanks

Chris

On Thu, Aug 8, 2013 at 2:44 PM,  <rp-modsec-crs-l...@bev.net> wrote:
> I posted the orignal question. But, let me add some clarification.
> Almost all of the stock CRS rules will block in anomaly scoring mode as-is.
> But, there are couple in the SQLi rules (I think) that might not (don't
> have those handy).
>
> The other words, if you doing nothing but straight CRS with no local or
> third
> party rules, no problems.
>
> The issue is that local (or possibly non-CRS third party) rules you've added
> (on top of CRS) with scoring will need more than just the score now. You
> must
> also have a "setvar:tx.%{rule.id}-SOMETHING" (the need for a dash is what
> effectively got changed).
>
> -RP
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to