I am using v3.0.0 of CRS with ModSecurity set to DetectionOnly mode and the nginx connector. I want to set the anomaly score to 100 or so to fine-tune the settings, but I can't see where or how to do that. Looking in crs-setup.conf

nginx 1.18.0 if that helps

1 Answer

Anomaly scores for each severity level are set by default under rule ID 900100 in crs-setup.conf. If you want to modify these values you can un-comment and edit it.

Example:

SecAction \
 "id:900100,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.critical_anomaly_score=100,\
  setvar:tx.error_anomaly_score=75,\
  setvar:tx.warning_anomaly_score=50,\
  setvar:tx.notice_anomaly_score=25"

You can also play around with the threshold at which requests/responses get denied by modifying rule ID 900110, also in crs-setup.conf.

Example:

SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=200,\
  setvar:tx.outbound_anomaly_score_threshold=300"
slightly_toasted
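
How the two settings in the answer above interact, as an added example that is not part of the original answer or of the CRS project: a small Python model that reads the uncommented `setvar` values from crs-setup.conf-style text and checks whether the severities of the rules matched by one request add up to the inbound threshold. The function names and the sample text are constructed for this sketch; variables left commented out fall back to the CRS 3.0 defaults.

```python
import re

# Constructed sample: the two SecAction blocks from the answer, as they
# would appear uncommented in crs-setup.conf.
SAMPLE_CONF = r'''
SecAction \
 "id:900100,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.critical_anomaly_score=100,\
  setvar:tx.error_anomaly_score=75,\
  setvar:tx.warning_anomaly_score=50,\
  setvar:tx.notice_anomaly_score=25"
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=200,\
  setvar:tx.outbound_anomaly_score_threshold=300"
'''

# CRS 3.0 defaults, used for any variable the file leaves commented out.
DEFAULTS = {
    "critical_anomaly_score": 5, "error_anomaly_score": 4,
    "warning_anomaly_score": 3, "notice_anomaly_score": 2,
    "inbound_anomaly_score_threshold": 5,
    "outbound_anomaly_score_threshold": 4,
}

def parse_setvars(conf_text):
    """Collect setvar:tx.NAME=INT values from lines that are not commented out."""
    active = "\n".join(line for line in conf_text.splitlines()
                       if not line.lstrip().startswith("#"))
    settings = dict(DEFAULTS)
    for name, value in re.findall(r"setvar:'?tx\.(\w+)=(\d+)", active):
        settings[name.lower()] = int(value)
    return settings

def inbound_score(settings, severities):
    """Sum the per-severity scores of the rules that matched one request."""
    return sum(settings[s.lower() + "_anomaly_score"] for s in severities)

def reaches_inbound_threshold(settings, severities):
    """True when the summed score is at or above the inbound threshold."""
    return inbound_score(settings, severities) >= settings["inbound_anomaly_score_threshold"]
```

With the answer's values a single critical match scores 100 against a threshold of 200, so it takes two critical matches to reach it; with the defaults, one critical match (5) already meets the threshold of 5.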