Hi, I'm using CRS 3 in "anomaly score mode" and I would like to add a
couple of custom rules to "lower" the anomaly score before the final
evaluation.
For example, I would like to reduce the anomaly score by 2 if the origin
country is my own (Italy) or if the origin IP is from some IP address block.
Actually I'm including the following file in my "master" modsecurity
config file:
IncludeOptional /etc/httpd/modsecurity.d/*.conf
IncludeOptional /etc/httpd/crs/crs-setup.conf
IncludeOptional /etc/httpd/crs/rules/*.conf
For example I created the following rule:
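# Define the list of low-risk country codes.
SecAction \
    "id:10009,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.low_risk_country_codes=IT'"

# If the list is non-empty, geo-locate the client IP and, when its country
# code is in the list, subtract the notice score from the anomaly score
# (setvar with "=-" decrements the variable).
SecRule TX:LOW_RISK_COUNTRY_CODES "!^$" \
    "msg:'Client IP is from a LOW Risk Country Location.',\
    id:10010,\
    severity:'INFO',\
    nolog,\
    phase:request,\
    pass,\
    t:none,\
    chain"
    SecRule TX:REAL_IP "@geoLookup" \
        "chain"
        SecRule GEO:COUNTRY_CODE "@within %{tx.low_risk_country_codes}" \
            "setvar:'tx.msg=%{rule.msg}',\
            setvar:'tx.anomaly_score=-%{tx.notice_anomaly_score}'"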
But where do I put it to have it processed before the final score is
analyzed for rejection?
Thanks
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set