Hello,
I would be most grateful for advice on correctly using TX:ANOMALY_SCORE in
the final modsecurity_crs_49_inbound_blocking.conf and
modsecurity_crs_59_outbound_blocking.conf.
My goal would be to arrive at something where, at the end of all the rule
evaluations, I could use different disruptive actions depending on the anomaly
score, such that requests with a moderate anomaly score would simply be
blocked, but those with a high anomaly score would blacklist the source IP.
In modsecurity_crs_10_config.conf, I have:
SecAction "phase:1,t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=20, \
setvar:tx.error_anomaly_score=15, \
setvar:tx.warning_anomaly_score=10, \
setvar:tx.notice_anomaly_score=5"
These appear to be the amounts by which the anomaly score is increased in the
different rules, but there doesn't otherwise seem to be anything that
differentiates the disruptive action as a function of these scores.
Would it be correct if I added something like:
SecRule TX:ANOMALY_SCORE "@gt 30" \
    "log,drop,skip:1,exec:/sbin/blacklist_web, \
    msg:'blacklisting (Total Score: %{TX.ANOMALY_SCORE})'"
SecRule TX:ANOMALY_SCORE "@gt 10" \
    "log,block,msg:'blocking (Total Score: %{TX.ANOMALY_SCORE})'"
Many thanks in advance!
Robert
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
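A worked version of the two-tier response Robert describes, added here as an editor's example; it is not part of the post and not code from the Core Rule Set itself. It assumes ModSecurity 2.x on Apache with the CRS scoring rules already loaded, so that TX:ANOMALY_SCORE holds the request's total by the time these rules run in phase 2 (they belong in modsecurity_crs_49_inbound_blocking.conf or a file that loads after it). The thresholds 30 and 10 and the path /sbin/blacklist_web are taken from the question and kept as assumptions.

```apache
# Added example (editor's, not from the post or the CRS): two-tier response
# keyed on the CRS inbound anomaly score, for ModSecurity 2.x on Apache.
# Assumes the CRS request rules have already run in phase 2, so
# TX:ANOMALY_SCORE is complete when these rules are reached. Thresholds
# 30/10 and /sbin/blacklist_web are the values from the question (assumed).

# Tier 1: score above 30. Log, run the blacklisting script, then close the
# TCP connection. 'drop' is disruptive, so processing of the transaction
# stops here and the rule below never sees it; no skip:1 is needed.
# This rule must come first: if the "@gt 10" rule ran first, a score of 40
# would be blocked by it and the blacklisting rule would never fire.
SecRule TX:ANOMALY_SCORE "@gt 30" \
    "phase:2,t:none,log,drop, \
    exec:/sbin/blacklist_web, \
    msg:'Blacklisting client (Total Score: %{TX.ANOMALY_SCORE})'"

# Tier 2: score above 10 (in practice 11..30, since higher scores were
# dropped above). 'block' applies whatever disruptive action
# SecDefaultAction sets for phase 2 (commonly deny,status:403).
SecRule TX:ANOMALY_SCORE "@gt 10" \
    "phase:2,t:none,log,block, \
    msg:'Blocking request (Total Score: %{TX.ANOMALY_SCORE})'"
```

Two practical caveats. ModSecurity invokes the exec target with no arguments but with the usual CGI environment variables set, so the script has to read the client address from REMOTE_ADDR itself; it runs synchronously under the web server's user for every request that crosses the threshold, so it should be fast and safe to call repeatedly for the same address. And ModSecurity 2.7 and later reject rules without a unique id: action, so each rule above needs an id: added from a range reserved for local rules before it will load on those versions.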