I found this elsewhere on Stack Overflow:
You’ve a few options:
- Use anomaly scoring and the sql_injection_score value that the
OWASP CRS sets for SQLi rules.
Set your mode to DetectionOnly. Set your anomaly scoring values very
high in Add a new rule that blocks if sql_injection_score is above a
certain amount. This can be achieved with an extra rule like this:

    SecRule TX:sql_injection_score "@gt 1" \
        "id:9999,\
        phase:5,\
        ctl:ruleEngine=on,\
        block"

Setting the "@gt 1" to an appropriate threshold.
The OWASP CRS sets similar variables for other categories as well.
- Load rules individually and rules before and after to turn rule
engine on and off.
Within a phase rules are executed in order specified. You can use this
to have config like the following:

    SecRuleEngine DetectionOnly
    Include rules/other_rules_1.conf
    Include rules/other_rules_2.conf
    SecAction "id:9000,phase:2,ctl:ruleEngine=on"
    Include rules/sqli_rules.conf
    SecAction "id:9001,phase:2,ctl:ruleEngine=off"
    Include rules/other_rules_3.conf
    Include rules/other_rules_4.conf

However if a category contains several phases then you’ll need to add
several SecActions - one for each phase used.
- Activate the rules you want by altering the Actions to include
turning on the ruleEngine.
Set your mode to DetectionOnly. Use SecRuleUpdateActionById to add a
ctl:ruleEngine=on to the rules you want on. It would be nice if there
was a SecRuleUpdateActionByTag or SecRuleAddActionByTag but there
isn’t (though it has been asked for in the past). This is probably a
bit fragile as it depends on knowing the specific rule ids and also
requires checking the actions per rule or assuming they are all the
same. Probably better to just edit the CRS files to be honest.
This is probably the best if you want to only enable a set of rules,
rather than a full category.
Source: How do I configure the ModSecurity engine to be ON for a single attack type and DetectionOnly for all others?
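
For the second option, the caveat about needing one SecAction per phase can be handled mechanically. The following is an added example, not part of the quoted answer or of the CRS: it scans a rules file for the phases its rules run in and emits the on/off SecAction pairs around the Include. The sample rules, their ids, the `nolog,pass` actions and the `restore` parameter (defaulting to `DetectionOnly`, where the quoted snippet uses `off`) are assumptions made for the example.

```python
import re

# Constructed sample standing in for a category file such as rules/sqli_rules.conf.
SAMPLE_RULES = r'''
SecRule ARGS "@detectSQLi" \
    "id:100001,\
    phase:2,\
    block"
SecRule RESPONSE_BODY "@rx SQL syntax" "id:100002,phase:4,block"
# Chained rule: the inner SecRule carries no id or phase of its own.
SecRule ARGS "@rx select" "id:100003,phase:request,block,chain"
    SecRule ARGS "@rx from" "t:lowercase"
SecRule ARGS "@rx union" "id:100004,block"
'''

PHASE_ALIASES = {"request": 2, "response": 4, "logging": 5}

def phases_used(text):
    """Return the sorted list of phases that rules in `text` run in."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo backslash line continuations
    phases = set()
    for line in joined.splitlines():
        line = line.strip()
        # Only directives carrying an id start a rule (chained sub-rules do not).
        if not line.startswith(("SecRule ", "SecAction ")):
            continue
        if not re.search(r"\bid:'?\d+", line):
            continue
        m = re.search(r"\bphase:'?(\w+)", line)
        # Assumption: no SecDefaultAction override, so a missing phase means 2.
        name = m.group(1).lower() if m else "2"
        phases.add(int(name) if name.isdigit() else PHASE_ALIASES[name])
    return sorted(phases)

def wrap_include(path, text, first_id=9000, restore="DetectionOnly"):
    """Emit one on/restore SecAction pair per phase around `Include path`."""
    phases = phases_used(text)

    def action(rule_id, phase, mode):
        # nolog,pass are added so the toggle itself never logs or blocks.
        return f'SecAction "id:{rule_id},phase:{phase},nolog,pass,ctl:ruleEngine={mode}"'

    on = [action(first_id + i, p, "on") for i, p in enumerate(phases)]
    off = [action(first_id + len(phases) + i, p, restore) for i, p in enumerate(phases)]
    return on + [f"Include {path}"] + off

if __name__ == "__main__":
    print("\n".join(wrap_include("rules/sqli_rules.conf", SAMPLE_RULES)))
```

The generated ids start at `first_id` and must not collide with ids already in use in the configuration.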