Hi, I'm using CRS 3.0.2 on ModSec 2.9.2.
I'm including CRS like this:
[root@waf01 ~]# tail -n 3 /etc/httpd/conf.d/000_mod_security.conf
IncludeOptional /etc/httpd/modsecurity.d/*.conf
IncludeOptional /etc/httpd/crs/crs-setup.conf
IncludeOptional /etc/httpd/crs/rules/*.conf
I'm using rules in modsecurity.d/ for custom rules and so on.
I would expect that setting tx.anomaly_score in a rule file in
modsecurity.d would make no sense, since the var gets reset in
crs/rules/REQUEST-901-INITIALIZATION.conf (901200), which gets loaded
AFTER my rules.
But it somehow works, for example this rule in
modsecurity.d/local_rules.conf:
# Spamhaus XBL (scoring)
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org" \
"msg:'Client IP in xbl.spamhaus.org.',\
severity:'CRITICAL',\
id:10003,\
phase:request,\
pass,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+10,\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
The additional 10 points get counted in the final
TX:inbound_anomaly_score and cause the request to be rejected.
This is _exactly_ what I want :) But as far as I understand, it shouldn't
work, or I don't get in which order the rules are included and evaluated.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set