Hey Cristian,

On Mon, Jul 17, 2017 at 12:29:16PM +0200, Cristian Mammoli wrote:
> Hi, I'm using crs 3 in "anomaly score mode" and I would like to add a couple
> of custom rules to "lower" the anomaly score before the final evaluation

Makes sense. I thought about such scenarios as well, but I never really
tried it in practice.

> But where do I put it to have it processed before the final score is
> analyzed for rejection?

So the incoming score is evaluated in rule 949110 towards the end of
phase 2. Squeezing a rule after 948xxx and before 949110 is quite
difficult without changing the rule file(s).

I see two approaches:

- You remove rule 949110 on startup and re-create it yourself at the end
  of phase 2 together with your custom rules. Notice that there is a report
  rule in the 98xxxx range that you might have to handle as well or it
  will mess up your log file with garbage reports based on the wrong
  scores.
- You do not lower the score before 949110 hits, but you start with -2
  instead of 0 in a rule that runs after crs-setup.conf but before the
  rules files. However, I am not really sure ModSec allows for negative
  numbers.

I am sure other methods are possible, but these are the two I would
probably try out.

Cheers,

Christian

--
And people go to marvel at the peaks of the mountains and the immense
floods of the sea and the far-flowing streams and the rim of the ocean
and the orbits of the stars, and pay no heed to themselves.
--- Augustinus (354-430)
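
The first approach from the reply, written out as an added example (it is not from the thread or from the CRS project). Assumptions: the file is included after all CRS rule files, rule ids 10001 and 10002 and the address 192.0.2.10 are constructed, and the reporting rule in the 98xxxx range reads `tx.inbound_anomaly_score`.

```apache
# Constructed example: load this file AFTER the CRS rule files, so that
# rule 949110 already exists when it is removed and so that the rules
# below run last within phase 2.

# 1. Drop the stock blocking evaluation.
SecRuleRemoveById 949110

# 2. Custom adjustment (constructed condition): requests from one trusted
#    internal address get 2 points taken off the inbound score.
#    The chained check keeps the score from going below zero, because the
#    reply leaves open whether ModSecurity handles negative numbers.
#    setvar sits on the last rule of the chain so that it only runs when
#    both conditions match.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10001,\
    phase:2,\
    pass,\
    nolog,\
    t:none,\
    chain"
    SecRule TX:ANOMALY_SCORE "@ge 2" \
        "setvar:tx.anomaly_score=-2"

# 3. Re-created blocking evaluation, now running after the adjustment.
#    It compares the adjusted score with the threshold from crs-setup.conf
#    and copies the adjusted score into tx.inbound_anomaly_score
#    (assumption: that is the variable the 98xxxx reporting rule reads,
#    so the logged score matches the score that was enforced).
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:10002,\
    phase:2,\
    deny,\
    log,\
    t:none,\
    severity:CRITICAL,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
```

Check the audit log for a request that previously scored exactly at the threshold from the trusted address: rule 10002 should no longer fire, and the reported score should be the lowered one.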