I have this problem as well.  I also have:

SecDefaultAction "phase:1,pass,nolog,auditlog"
SecDefaultAction "phase:2,pass,nolog,auditlog"
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Could that be relevant? How should these be set in collaborative detection mode?

Earl
-


On Wed, 20 Aug 2014, Josh Amishav-Zlatin <jam...@owasp.org> wrote:

On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render <wren...@otherdata.com> wrote:

     Would anyone know if it would be possible to adjust the core rule set
     configuration file so that only events that have a total inbound score of
     5 or higher are sent to the audit log.  (Running in Collaborative
     Detection and Anomaly Scoring & Blocking)  Version: SecComponentSignature
     "OWASP_CRS/2.2.9"


Hi Wesley,

When the CRS is used in anomaly mode it should not create audit logs unless the
event passes the threshold set in the 10 file. Can you send me privately an event
from AuditConsole that does not have an anomaly score level above 5? I'm
specifically interested in sections H and K.

- Josh



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
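
Added example, not part of the thread or of the CRS: a triage script for the situation discussed above. It sorts serial-format audit log entries by whether the anomaly score reached 5, whether the response status matched the SecAuditLogRelevantStatus pattern quoted above, or neither. The "Total Score" message wording, the function names and the sample log are assumptions constructed for illustration.

```python
import re

# From the thread: the SecAuditLogRelevantStatus pattern and the threshold of 5.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
THRESHOLD = 5
SCORE_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")  # assumed message wording
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def parse_serial_log(text):
    """Split a serial-format audit log into {txn_id: {part_letter: [lines]}}."""
    txns, part = {}, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            part = txns.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif part is not None:
            part.append(line)
    return txns

def classify(parts):
    """Return the likely reason one transaction reached the audit log."""
    scores = [int(s) for l in parts.get("H", []) for s in SCORE_RE.findall(l)]
    status_line = next((l for l in parts.get("F", []) if l.startswith("HTTP/")), "")
    status = status_line.split(" ")[1] if " " in status_line else ""
    if max(scores, default=0) >= THRESHOLD:
        return "anomaly-score"
    if RELEVANT_STATUS.match(status):
        return "relevant-status"
    return "other"  # e.g. a matched rule that itself carries the auditlog action

def triage(text):
    return {tid: classify(p) for tid, p in parse_serial_log(text).items()}

# Constructed sample entries (sections F, H, Z only), not real traffic.
SAMPLE = """\
--0a1b2c01-F--
HTTP/1.1 403 Forbidden
--0a1b2c01-H--
Message: Access denied with code 403 (phase 2). [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=4, XSS=0)"]
--0a1b2c01-Z--
--0a1b2c02-F--
HTTP/1.1 500 Internal Server Error
--0a1b2c02-Z--
--0a1b2c03-F--
HTTP/1.1 404 Not Found
--0a1b2c03-H--
Message: Warning. Pattern match at ARGS:q. [msg "Constructed rule message"]
--0a1b2c03-Z--
"""
print(triage(SAMPLE))
```

Entries reported as "relevant-status" were logged because of the response code alone, and entries reported as "other" point at section H for the rule that marked the transaction.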
