[Owasp-modsecurity-core-rule-set] Anomaly Scoring logging

Avi Rosenblatt avi at greensmoke.net
Wed Nov 14 18:38:41 UTC 2012


Thanx for the response.
I used that blog post as a guide and set SecDefaultAction to "phase:2,pass,nolog,auditlog" but I still get apache log messages for rule matches even though their score is below the threshold.
By the way I am using v2.2.5 of the owasp CSR.
Thanx
Avi

On 2012-11-14, at 7:09 PM, Ryan Barnett <RBarnett at trustwave.com> wrote:

> Please refer to this blog post -
> http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-v
> s-anomaly-scoring-detection-modes.html
> 
> Specifically the section on "Alert Management - Correlated Events".
> 
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave - SpiderLabs
> 
> 
> On 11/14/12 9:41 AM, "Avi Rosenblatt" <avi at greensmoke.net> wrote:
> 
>> Hi,
>> I have configured the CRS to use anomaly scoring and raised the inbound
>> score level in order to reduce false positives. I'm currently running our
>> server in detectiononly mode and I'm getting error log and audit log
>> messages for any rule match regardless of score. Is there a way to only
>> log messages when a threshold has been reached. Thanx in advance for the
>> help.
>> 
>> Avi
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>> 
> 
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
> 

Avi Rosenblatt
IT Manager
avi at greensmoke.net
305-600-4362
-------------------------
Green Smoke, Inc. USA
It's Electric™

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20121114/b506d1da/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list