[Owasp-modsecurity-core-rule-set] Basic questions; Anomaly Scoring & id's

Gene gnets1 at yahoo.co.uk
Sun Nov 18 12:29:28 UTC 2012



Hello,

I'm trying out the current OWASP core rule set and have some basic questions first (no doubt lots more later!)

This article from 2010 about 'Anomaly Scoring' is referenced quite a lot:
http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html

In the article there are references to 'Anomaly Scoring' and to examples.
But in the 10_conf.example file things seem to have shifted somewhat in 2 years.
So am I correct that 'Anomaly Scoring' has now become 'Collaborative Detection Scoring'?

Also, that article mentions unblocking a rule at the end of modsecurity_crs_49_inbound_blocking.conf.
However, doing that results in this error:
'Starting httpd: Syntax error on line 34 of /etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf:'
'ModSecurity: No action id present within the rule'

I'm pretty sure I read that all rules now require an 'id' (?)
Incrementing by 1 from the rules above it to give id:981177 doesn't work:
'ModSecurity: Found another rule with the same id'

So what is the method to get an id for this rule? Any other rule?

Thanks

Gene
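
An added example, not part of the original message or of the CRS: a Python check for the two startup errors quoted above. It scans rule files for rules with no id and for ids used more than once, then proposes an unused id. The file contents are constructed, other_rules.conf is a hypothetical file name, and the 1-99999 default is assumed from the range the ModSecurity reference manual reserves for local rules.

```python
import re

ID_RE = re.compile(r"""[\s,"']id:\s*'?(\d+)""")
def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, rule_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit(files):
    """files maps name -> config text. Returns (ids, duplicates, missing)."""
    ids, missing = {}, []
    for name, text in files.items():
        in_chain = False  # only the first rule of a chain carries the id
        for no, rule in logical_lines(text):
            if rule.split(None, 1)[0] not in ("SecRule", "SecAction"):
                continue
            m = ID_RE.search(rule)
            if m:
                ids.setdefault(int(m.group(1)), []).append((name, no))
            elif not in_chain:
                missing.append((name, no))  # would fail: "No action id present"
            in_chain = re.search(r"""[\s,"']chain[\s,"']""", rule) is not None
    dups = {i: locs for i, locs in ids.items() if len(locs) > 1}
    return ids, dups, missing

def next_free_id(ids, low=1, high=99999):
    """Lowest unused id; default range assumed to be the local-use one."""
    return next(i for i in range(low, high + 1) if i not in ids)

# Constructed sample input (not real CRS file contents).
SAMPLE = {
    "modsecurity_crs_49_inbound_blocking.conf":
        'SecRule TX:ANOMALY_SCORE "@gt 0" \\\n  "chain,phase:2,id:\'981176\',deny"\n'
        '  SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on"\n# un-commented, no id:\n'
        'SecRule TX:INBOUND "@ge 5" "phase:2,t:none,deny"\n'
        'SecRule TX:INBOUND "@ge 9" "phase:2,id:981177,deny"\n',
    "other_rules.conf": 'SecAction "phase:1,id:1,pass"\nSecAction "phase:1,id:2,pass"\n'
        'SecRule TX:X "@ge 1" "phase:5,id:981177,pass"\n',
}
print("dups/missing:", audit(SAMPLE)[1:], "free:", next_free_id(audit(SAMPLE)[0]))
```

To run it against a real installation, build the `files` mapping from every file Apache includes, since ModSecurity checks id uniqueness across the whole loaded configuration rather than per file.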

