I have this problem as well. I also have:

    SecDefaultAction "phase:1,pass,nolog,auditlog"
    SecDefaultAction "phase:2,pass,nolog,auditlog"
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Could that be relevant? How should these be set in collaborative detection mode?

Earl

On Wed, 20 Aug 2014, Josh Amishav-Zlatin <jam...@owasp.org> wrote:
> On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render <wren...@otherdata.com> wrote:
>> Would anyone know if it would be possible to adjust the core rule set
>> configuration file so that only events that have a total inbound score
>> of 5 or higher are sent to the audit log? (Running in Collaborative
>> Detection and Anomaly Scoring & Blocking)
>>
>> Version: SecComponentSignature "OWASP_CRS/2.2.9"
>
> Hi Wesley,
>
> When the CRS is used in anomaly mode it should not create audit logs
> unless the event passes the threshold set in the 10 file. Can you send me
> privately an event from AuditConsole that does not have an anomaly score
> level above 5? I'm specifically interested in sections H and K.
>
> - Josh
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
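An added example, not part of the thread and not CRS project code: a small triage script that finds audit log entries recorded below the inbound threshold of 5 and checks whether the SecAuditLogRelevantStatus pattern quoted above accounts for them. The sample entries are constructed, and the serial part markers and the "Total Score" message wording are assumptions about the log layout.

```python
import re

THRESHOLD = 5  # inbound score level named in the thread
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")  # SecAuditLogRelevantStatus value from the post
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # assumed serial audit log part marker
SCORE = re.compile(r"Total (?:Inbound )?Score: (\d+)")  # assumed CRS message wording
# Constructed sample entries, trimmed to parts F and H; not real traffic.
SAMPLE = """\
--aaaa0001-F--
HTTP/1.1 403 Forbidden
--aaaa0001-H--
Message: Access denied. [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=8, XSS=0)"]
--aaaa0001-Z--
--aaaa0002-F--
HTTP/1.1 200 OK
--aaaa0002-H--
Message: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0)"]
--aaaa0002-Z--
--aaaa0003-F--
HTTP/1.1 500 Internal Server Error
--aaaa0003-H--
Stopwatch: 1408518120000000 1200
--aaaa0003-Z--
"""

def parse_entries(text):
    """Return {transaction_id: {part_letter: [lines]}} for a serial audit log."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            cur = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif cur is not None:
            cur.append(line)
    return entries

def below_threshold(text, threshold=THRESHOLD):
    """List (id, score, status, explained_by_status) for entries scoring under threshold."""
    out = []
    for txid, parts in parse_entries(text).items():
        scores = [int(s) for line in parts.get("H", []) for s in SCORE.findall(line)]
        score = max(scores, default=0)  # no score message in part H counts as 0
        fields = (parts.get("F") or [""])[0].split()
        status = fields[1] if len(fields) > 1 else ""
        if score < threshold:
            out.append((txid, score, status, bool(RELEVANT_STATUS.match(status))))
    return out

print(below_threshold(SAMPLE))
```

Entries whose last field is False are explained by neither the threshold nor the status pattern; those are the ones to compare against rule-level `auditlog` settings, since that action marks a transaction for the audit log.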