In REQUEST-901 thresholds are set to default if not already set, I know.
Like in
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
setvar:tx.inbound_anomaly_score_threshold=5"
But the tresholds are not the issue here: I set *tx.anomaly.score* in my
rules like this:
setvar:tx.anomaly_score=+10,\
and 901200 should re(set) everything to 0:
SecAction \
"id:901200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.anomaly_score=0,\
setvar:tx.sql_injection_score=0,\
setvar:tx.xss_score=0,\
setvar:tx.rfi_score=0,\
setvar:tx.lfi_score=0,\
setvar:tx.rce_score=0,\
setvar:tx.php_injection_score=0,\
setvar:tx.http_violation_score=0,\
setvar:tx.session_fixation_score=0,\
setvar:tx.inbound_anomaly_score=0,\
setvar:tx.outbound_anomaly_score=0,\
setvar:tx.sql_error_match=0"
There are no conditionals like in 901100.
What am I missing?
Ty
Il 04/12/2017 14:47, Christian Folini ha scritto:
Hey Cristian,
No, this works perfectly. Let me tell you why:
The crs-setup.conf does not actually set the threshold. Instead the
REQUEST-901 initialization file sets the threshold to the default value
if it is not set.
You are setting the anomaly score in your rule file in modsecurity, so no
need to set it to the default during the initialization.
This is very close to what I personally favor: Setting it in the server
config and not in an include. That way the threshold is always in plane sight.
Same for paranoia level btw.
Ahoj,
Christian
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
