[Owasp-modsecurity-core-rule-set] anomaly score range

Gil Vidals gvidals at vmracks.com
Tue Aug 11 06:40:43 EDT 2009


I just installed the latest core rules and I see this anomaly score:

    SecRule TX:ANOMALY_SCORE "@ge 20" \

What is the range of the anomaly scores? Does it go from 0 to 100?

I need help in understanding the score and what to set it to. Currently I
have it set to 10.

The only documentation I could find so far is:
# Uncomment the anomaly sections you wish to use.
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match.  If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20".  This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).


--Gil




Gil Vidals / President
gvidals at vmracks.com
vmracks.com <http://www.vmracks.com> - ESX Hosting
t. 760.480.4942 f. 760.480.8271