[Owasp-modsecurity-core-rule-set] Correct place for custom scoring rules

Christian Folini christian.folini at netnea.com
Mon Jul 17 10:50:54 UTC 2017


Hey Cristian,

On Mon, Jul 17, 2017 at 12:29:16PM +0200, Cristian Mammoli wrote:
> Hi, I'm using crs 3 in "anomaly score mode" and I would like to add a couple
> of custom rules to "lower" the anomaly score before the final evaliuation

Makes sense. I thought about such scenarios as well, but I never really
tried it in practice.

> But where do I put it to have it processed before the final score is
> analyzed for rejection?

So the incoming score is evaluated in rule 949110 towards the end of
phase 2. Squeezing a rule after 948xxx and before 949110 is quite
difficult without changing the rule file(s).

I see two approaches:
- You remove rule 949110 on startup and re-create it yourself at the end
  of phase 2 together with your custom rules.
  Notice that there is report rule in the 98xxxx range that you
  might have to handle as well or it will mess up your log file
  with garbage reports based on the wrong scores.
- You do not lower the score before 949110 hits, but you start with
  -2 instead of 0 in a rule that runs after crs-setup.conf but before
  the rules files. However, I am not really sure ModSec allows for 
  negative numbers.

I am sure other methods are possible that these are the two I would
probably try out.

Cheers,

Christian


-- 
Und es gehen die Menschen zu bestaunen die Gipfel der Berge und die
ungeheuren Fluten des Meeres und die weit dahinfliessenden Ströme 
und den Saum des Ozeans und die Kreisbahnen der Gestirne und haben
nicht acht ihrer selbst.
--- Augustinus (354-430)


More information about the Owasp-modsecurity-core-rule-set mailing list