[Owasp-modsecurity-core-rule-set] New CRS v2.0.9 Released in SVN

George Notaras gnot at g-loaded.eu
Fri Oct 29 15:56:12 EDT 2010


On 29/10/2010 22:40, Ryan Barnett wrote:
> On 10/29/10 3:37 PM, "Ryan Barnett" <RBarnett at trustwave.com> wrote:
> 
>> On 10/29/10 3:28 PM, "George Notaras" <gnot at g-loaded.eu> wrote:
>>
>>> On 29/10/2010 21:48, Ryan Barnett wrote:
>>>> - Users can now more easily toggle between traditional/standard mode vs.
>>>> anomaly scoring mode
>>>>   by editing the modsecurity_crs_10_config.conf file
>>>
>>> Hello list,
>>>
>>> This is the first time I post to this mailing list, so I'd like to say
>>> thanks to all who have contributed to this project.
>>>
>>> I have several questions about the ruleset, but, for now, reading about
>>> this new feature I'd like to ask whether toggling to standard mode also
>>> reverts logging back to the mod-security default, which records every
>>> message to the apache's error_log using the old format.
>>>
>>> Thanks in advance.
>>
>> Good question and the answer is yes.  In the 10 config file, you can edit
>> the SecDefaultAction setting to suit your needs -
>>
>> # You can also decide how you want to handle logging actions.  You have
>> three options -
>> #
>> #       - To log to both the Apache error_log and ModSecurity audit_log file
>> use - log
>> #       - To log *only* to the ModSecurity audit_log file use -
>> nolog,auditlog
>> #       - To log *only* to the Apache error_log file use - log,noauditlog
>> #
>> SecDefaultAction "phase:2,pass,nolog,auditlog"
>>
> 
> Just to clarify - the Anomaly Scoring Mode vs. Standard Mode is really about
> whether you want a single rule to block or not.  When talking about logging,
> you can choose where you want to log events regardless of anomaly scoring or
> standard detection mode.
> 
> So, you can run in anomaly scoring mode *and* also log to both the audit and
> error logs if you wish.
> 
> Hope this helps,
> Ryan

Thanks for the clarification. Although you had also written it in the
first message:

  - Removed logging actions from most rules so that it can be controlled
from the SecDefaultAction setting in the modsecurity_crs_10_config.conf file

... it seems that I didn't pay much attention to that new improvement.

Some of my questions had to do with the logging actions being hard-coded
into every rule, but now this is no more an issue for me.

Thanks for your reply and also for these excellent improvements.


More information about the Owasp-modsecurity-core-rule-set mailing list