1

Hi, I am trying to tweak down the anomaly score for a web page that has free text in it.

I have found the anomaly score can be customized on a per-rule basis in the Core Rule Set and that it can be increased overall. But I'd like to do this specifically for a page, and more specifically just for that free text.

https://coreruleset.org/

Technoshaft

2 Answers

2

Guess you're talking about CRS :).

The anomaly scoring mechanism uses the severity level of rules. Every rule has a severity level, which can be one of notice (2 points), warning (3), error (4) or critical (5) (these are defined in this file).

If I understand you, the best you can do is add a new custom SecAction to your vhost config (with a unique ID!), which increases/decreases these values, e.g. like this:

SecAction \
    "id:901701,\
    phase:1,\
    pass,\
    t:none,\
    setvar:'tx.notice_anomaly_score=10',\
    setvar:'tx.warning_anomaly_score=20',\
    setvar:'tx.error_anomaly_score=30',\
    setvar:'tx.critical_anomaly_score=40'"
airween
  • Hi @airween, yes, that is correct. I am aware we can tweak the anomaly score per rule, but what I am after is tweaking that score per rule but, let's say, just on one URL or one textbox etc. Thanks! – Technoshaft Nov 09 '20 at 14:45
  • So technically this is the correct answer if anyone wanted to do it in the location block; my requirement is to do it through rules for a specific text-box. – Technoshaft Nov 25 '20 at 17:08
0

I think you can clone the original rule and update the anomaly score; you can specify a match to trigger as required.

setvar:'tx.critical_anomaly_score=5'"

Alternatively, you can:

SecRuleUpdateActionById xxxxxx "setvar:tx.anomaly_score=+xx"
user1978601
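One way to scope a reduced score to a single field on a single page, combining a target exclusion with the cloned rule the second answer suggests. This is an added example, not code from either answer; the path /feedback, the parameter comment, the choice of rule 942100 and the IDs 10001/10002 are assumptions to replace with your own values.

```apache
# Added example. Assumed / constructed names:
#   /feedback     - page that holds the free-text field
#   comment       - name of the free-text parameter
#   942100        - example CRS rule (libinjection SQLi check) that fires on the text
#   10001, 10002  - arbitrary custom rule IDs outside the CRS ranges
# Load after crs-setup.conf and before the CRS rule files, e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

# 1) On /feedback only, stop rule 942100 from inspecting ARGS:comment.
#    Every other parameter and every other URL still gets the stock rule.
SecRule REQUEST_FILENAME "@streq /feedback" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"

# 2) Clone of the check, limited to that one field and scored at the
#    "notice" level instead of "critical". The setvar sits on the last
#    link of the chain so it only runs when both conditions match.
#    tx.anomaly_score is the variable named in the second answer; use
#    the variable that the rule you clone increments in your CRS version,
#    and copy that rule's transformations as well.
SecRule REQUEST_FILENAME "@streq /feedback" \
    "id:10002,\
    phase:2,\
    pass,\
    t:none,\
    log,\
    msg:'SQLi pattern in free-text field (reduced score)',\
    severity:'NOTICE',\
    chain"
    SecRule ARGS:comment "@detectSQLi" \
        "t:none,t:urlDecodeUni,\
        setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}'"
```

The field is still inspected and still logged, so a hit there remains visible in the audit log; it just contributes the notice score (2 by default) instead of the critical score (5).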