[Owasp-modsecurity-core-rule-set] Basic questions; Anomaly Scoring & id's

Ben WIlliams benwilliams+owasp at joobworld.com
Wed Nov 21 22:34:22 UTC 2012


It's because modsecurity 2.7 requires id on each rule but the CRS don't
have ids on every rule. I'm unaware of a convention for choosing rule
numbers, maybe just choose any id number that is not currently used.


On Mon, Nov 19, 2012 at 1:29 AM, Gene <gnets1 at yahoo.co.uk> wrote:

>
>
> Hello,
>
> I'm trying out current OWASP core rule set and have some basic questions
> first (no doubt lots more later!)
>
> This article from 2010 about 'Anomaly Scoring' is referenced quite a lot:
>
> http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
>
> in the article there are references to 'Anomaly Scoring' and to examples
> But in the 10_conf.example file things seem to have shifted somewhat in 2
> years
> So am I correct that:
> 'Anomaly Scoring' has now become 'Collaborative Detection Scoring'
>
> Also in that article it mentions unblocking a rule at end of
> modsecurity_crs_49_inbound_blocking.conf
> However doing that results in this error:
> 'Starting httpd: Syntax error on line 34 of
> /etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf:'
> 'ModSecurity: No action id present within the rule'
>
> I'm pretty sure I read that all rules now require an 'id' (?)
> Incrementing by 1 from rules above it to give id:981177 doesnt work:
> 'ModSecurity: Found another rule with the same id'
>
> So what is method to get an id for this rule? any other rule?
>
> thanks
>
> Gene
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20121122/e36b69ce/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list