[Owasp-modsecurity-core-rule-set] Correct place for custom scoring rules

Cristian Mammoli c.mammoli at apra.it
Mon Jul 17 10:29:16 UTC 2017


Hi, I'm using CRS 3 in "anomaly score mode" and I would like to add a 
couple of custom rules to "lower" the anomaly score before the final 
evaluation.

For example, I would like to reduce the anomaly score by 2 if the origin 
country is my own (Italy) or if the origin IP is from some IP address block.

Actually I'm including the following files in my "master" modsecurity 
config file:

IncludeOptional /etc/httpd/modsecurity.d/*.conf
IncludeOptional /etc/httpd/crs/crs-setup.conf
IncludeOptional /etc/httpd/crs/rules/*.conf

For example I created the following rule:

SecAction \
  "id:10009,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:'tx.low_risk_country_codes=IT'"

SecRule TX:LOW_RISK_COUNTRY_CODES "!^$" \
  "msg:'Client IP is from a LOW Risk Country Location.',\
   id:10010,\
   severity:'INFO',\
   nolog,\
   phase:request,\
   pass,\
   t:none,\
   chain"
   SecRule TX:REAL_IP "@geoLookup" \
    "chain"
     SecRule GEO:COUNTRY_CODE "@within %{tx.low_risk_country_codes}" \
      "setvar:'tx.msg=%{rule.msg}',\
       setvar:tx.anomaly_score=-%{tx.notice_anomaly_score}"

But where do I put it to have it processed before the final score is 
analyzed for rejection?

Thanks


-- 
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
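
Added example, not part of the original post and not taken from the CRS project's documentation: one way to arrange the includes shown in the message so that a phase:request score adjustment is loaded before the CRS request blocking evaluation. It relies on ModSecurity running rules of the same phase in the order they are loaded, and on Apache expanding wildcard includes in alphabetical order. The /etc/httpd paths are the poster's; using the CRS file name REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for the custom rules is an assumption about where they would be stored.

```apache
# Added example: include order for custom scoring rules (paths from the post).

# 1. Engine settings (SecRuleEngine, audit log, GeoIP database, ...).
IncludeOptional /etc/httpd/modsecurity.d/*.conf

# 2. CRS setup: anomaly mode, thresholds, per-severity scores.
IncludeOptional /etc/httpd/crs/crs-setup.conf

# 3. CRS rules. The wildcard is expanded alphabetically, so the files load as:
#
#    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf   <- custom rules 10009/10010 here
#    REQUEST-901-INITIALIZATION.conf               (phase 1: score defaults)
#    REQUEST-9xx detection rules                   (raise the anomaly score)
#    REQUEST-949-BLOCKING-EVALUATION.conf          (compares score to threshold)
#    RESPONSE-9xx rules
#    RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
#
# Rule 10010 is phase:request (phase 2). All phase 1 rules, including the
# initialization in REQUEST-901, finish before any phase 2 rule starts, so
# tx.notice_anomaly_score is already set when 10010 runs, and 10010 itself
# runs before the phase 2 blocking evaluation because its file is loaded
# earlier than REQUEST-949.
IncludeOptional /etc/httpd/crs/rules/*.conf
```

Any file loaded ahead of REQUEST-949-BLOCKING-EVALUATION.conf gives the same ordering for phase 2 rules; a file that sorts after it would adjust the score only after the blocking decision has been made.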


