Hi Noël, thank you for the help

Christian suggested: "I suggest you run in blocking mode with anomaly scoring on and a high anomaly limit (-> 1K or more)."

Do I change the inbound and outbound values to 1k+?

I have also set in "modsecurity_crs_10_setup.conf": (deny to delayed blocking)

    SecDefaultAction "phase:1,delayed blocking,log"
    SecDefaultAction "phase:2,delayed blocking,log"

and uncommented:

    SecAction \
      "id:'900004', \
      phase:1, \
      t:none, \
      setvar:tx.anomaly_score_blocking=on, \
      nolog, \
      pass"

Am I doing this right?

Kenneth

On Wed, May 18, 2016 at 2:49 PM, Noël Zindel <m...@noelzindel.org> wrote:

> > On 18 May 2016, at 05:05, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:
> >
> > Where do I set the anomaly limit?
>
> "modsecurity_crs_10_setup.conf" handles anomaly limit by default. Look out
> for rule ID 900003 with variables "tx.inbound_anomaly_score_level=5" and
> "tx.outbound_anomaly_score_level=4".
>
> The actual blocking is done by "modsecurity_crs_49_inbound_blocking.conf"
> and "modsecurity_crs_59_outbound_blocking.conf" respectively.
>
> Cheers,
> Noël

--
T. Kenneth S. Lojo
Specialist-Online Media Design
+63 2 580 5600 ext. 2703/2744
+63 928 209 1191 (mobile)
t.l...@irri.org <g.lav...@irri.org>
www.irri.org

The International Rice Research Institute <http://irri.org> is a member of the CGIAR <http://www.cgiar.org/>
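
The anomaly-scoring settings discussed in this thread, as an added example that is not part of the original messages or copied from the CRS files: a sketch of the relevant "modsecurity_crs_10_setup.conf" directives. It assumes the `pass` default action for anomaly scoring mode and uses a constructed threshold of 1000 for both directions; rule 900003 is laid out in the same style as the 900004 rule quoted above.

```apache
# Added example (not from the thread). Thresholds of 1000 are constructed
# values following the "1K or more" suggestion quoted above.

# SecDefaultAction takes a list of ModSecurity actions. In anomaly scoring
# mode the individual rules only add to the score, so the disruptive action
# is "pass". "delayed blocking" describes the mode; it is not an action keyword.
SecDefaultAction "phase:1,pass,log"
SecDefaultAction "phase:2,pass,log"

# Rule 900003: the anomaly limits. The thread gives 5 (inbound) and
# 4 (outbound) as the defaults; raised here so that requests are scored
# and logged without reaching the blocking threshold while tuning.
SecAction \
  "id:'900003', \
  phase:1, \
  t:none, \
  setvar:tx.inbound_anomaly_score_level=1000, \
  setvar:tx.outbound_anomaly_score_level=1000, \
  nolog, \
  pass"

# Rule 900004: turns on blocking once a score reaches the limits above.
# The comparison itself happens in modsecurity_crs_49_inbound_blocking.conf
# and modsecurity_crs_59_outbound_blocking.conf.
SecAction \
  "id:'900004', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"
```

With limits this high, the audit log shows which rules fire on legitimate traffic; the limits are lowered step by step once those false positives are handled.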
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set