I'm quite sure the phase is the issue. I ran the log with Debug 9; I just
pasted a "cleaned up" version here. Setting the phase to 1 in my custom
rules causes the anomaly score to reset in REQUEST-901-INITIALIZATION.conf.
I'll investigate further.
On 05/12/2017 11:10, Christian Folini wrote:
Cristian,
You are getting there. Yet the DebugLogLevel is still not high enough.
Put it to 9 and then you grep for the threshold variable in the logfile.
This will allow you to see which rule sets the threshold and in what order.
It is possible it's a phase issue. But when I looked over it in
Hi,
On Mon, Dec 04, 2017 at 04:07:00PM +0100, Cristian Mammoli wrote:
> In REQUEST-901 thresholds are set to default if not already set, I know.
Sorry, I jumped to conclusions too quickly then.
> There are no conditionals like in 901100.
>
> What am I missing?
The problem sounds as if you
In REQUEST-901 thresholds are set to default if not already set, I know.
Like in
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
Hey Cristian,
No, this works perfectly. Let me tell you why:
The crs-setup.conf does not actually set the threshold. Instead the
REQUEST-901 initialization file sets the threshold to the default value
if it is not set.
You are setting the anomaly score in your rule file in modsecurity, so no