• caglararli@hotmail.com
  • 05386281520

OWASP CRS Anomaly scoring, ModSecurity WAF

Çağlar Arlı      -    13 Views

OWASP CRS Anomaly scoring, ModSecurity WAF

I'm getting into OWASP CRS with ModSecurity and was investigating the way OWASP calculate the anomaly score in the REQUEST-901-INITIALIZATION.conf they set the following lines:

setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
setvar:'tx.anomaly_score_pl3=0',\
setvar:'tx.anomaly_score_pl4=0',\

and in the REQUEST-949-BLOCKING-EVALUATION.conf they do the following:

SecRule TX:PARANOIA_LEVEL "@ge 1" \
    "id:949060,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
enter preformatted text here
SecRule TX:PARANOIA_LEVEL "@ge 2" \
"id:949061,\
phase:2,\
pass,\
t:none,\
nolog,\
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"

Q1: Of course the paranoia level will be 1, 2, 3 or 4, so why do the "@ge 1"? which will be evaluated on every paranoia level?

Q2: When they do the setVar "setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}" the equation will be tx.anomaly_score=tx.anomaly_score+tx.anomaly_score_pl2; is that right ? And how is this logically applicable if my request is being validated by multiple rules?

Q3: I would like to have a detailed example of how the OWASP CRS calculate the anomaly score and use it to deny the requests.