ModSecurity - tx variables in CRS

Question

I would like to apply ModSecurity CRS in my project. However, I have few questions related to this. Can anybody explain, why the rule:

SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"

contains these actions:

setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}

Why do we need to put the message in transaction collection? Why do we need to set the anomaly score? Why do we need to this:

setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}

Any info would be highly appreciated. Thank you in advance.

Best Regards, Maksim

score 0 · Answer 1 · edited Dec 15 '15 at 05:05

0

Ok, got it.

There are two modes:

Self-contained mode: when rules just block the request
collaborative mode: rules block the request, which have big anomaly score

edited Dec 15 '15 at 05:05

Eugene S

6,709
8
57
91

answered Dec 14 '15 at 15:56

user3489820

1,459
3
22
38

ModSecurity - tx variables in CRS

1 Answers1