
OWASP CRS Anomaly scoring, ModSecurity WAF

Çağlar Arlı


I'm getting into OWASP CRS with ModSecurity and was investigating the way OWASP calculates the anomaly score. In REQUEST-901-INITIALIZATION.conf they set the following lines:

setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
setvar:'tx.anomaly_score_pl3=0',\
setvar:'tx.anomaly_score_pl4=0',\

and in the REQUEST-949-BLOCKING-EVALUATION.conf they do the following:

SecRule TX:PARANOIA_LEVEL "@ge 1" \
    "id:949060,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"

SecRule TX:PARANOIA_LEVEL "@ge 2" \
    "id:949061,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"

Q1: Of course the paranoia level will be 1, 2, 3 or 4, so why do the "@ge 1", which will be evaluated at every paranoia level?

Q2: When they do the setvar "setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'", is the equation tx.anomaly_score = tx.anomaly_score + tx.anomaly_score_pl2? Is that right? And how is this logically applicable if my request is being validated by multiple rules?

Q3: I would like to have a detailed example of how the OWASP CRS calculates the anomaly score and uses it to deny requests.
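Since Q3 asks for a worked example, here is an added Python model of the scoring logic. It is not CRS or ModSecurity code; it reimplements, in plain Python, the two pieces of setvar semantics Q2 asks about (`name=+value` increments the variable, `%{tx.var}` expands to that variable's current value), the per-paranoia-level buckets zeroed in rule file 901, the 949060..949063 folding rules quoted above, and the final threshold check of rule 949110 (`deny` when `tx.anomaly_score` is at or above `tx.inbound_anomaly_score_threshold`). The severity scores (critical 5, error 4, warning 3, notice 2) and the inbound threshold of 5 are the CRS 3.x defaults; the sample rule hits at the bottom are constructed for the demonstration, with IDs, paranoia levels and severities modelled on CRS 3.x rules rather than taken from this page.

```python
"""Toy model of OWASP CRS anomaly scoring (added example, not CRS/ModSecurity code).

Mimics the setvar arithmetic of REQUEST-901-INITIALIZATION and
REQUEST-949-BLOCKING-EVALUATION with the CRS 3.x default scores and threshold.
"""
import re
from dataclasses import dataclass

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_INBOUND_THRESHOLD = 5  # tx.inbound_anomaly_score_threshold default
MAX_PL = 4

MACRO = re.compile(r"%\{([^}]+)\}")  # %{tx.var} macro expansion


class Tx:
    """The TX collection plus a small ModSecurity-style setvar interpreter."""

    def __init__(self):
        self.vars = {}

    def get(self, name):
        return self.vars.get(name.lower(), 0)  # an unset numeric var reads as 0

    def setvar(self, action):
        """'tx.x=5' assigns, 'tx.x=+5' adds, 'tx.x=-5' subtracts;
        %{tx.y} on the right-hand side expands to the current value of tx.y."""
        name, _, rhs = action.partition("=")
        name = name.strip().lower()
        rhs = MACRO.sub(lambda m: str(self.get(m.group(1))), rhs.strip())
        if rhs.startswith("+"):
            self.vars[name] = self.get(name) + int(rhs[1:])
        elif rhs.startswith("-"):
            self.vars[name] = self.get(name) - int(rhs[1:])
        else:
            self.vars[name] = int(rhs)


@dataclass
class RuleHit:
    rule_id: int
    paranoia_level: int
    severity: str


def initialization(tx, paranoia_level, threshold=DEFAULT_INBOUND_THRESHOLD):
    """REQUEST-901-INITIALIZATION: zero every counter before any rule runs."""
    tx.setvar(f"tx.paranoia_level={paranoia_level}")
    tx.setvar(f"tx.inbound_anomaly_score_threshold={threshold}")
    tx.setvar("tx.anomaly_score=0")
    for n in range(1, MAX_PL + 1):
        tx.setvar(f"tx.anomaly_score_pl{n}=0")


def detection_rules(tx, hits):
    """Rule files 911-944: a matching rule at PL n does
    setvar:tx.anomaly_score_pl<n>=+<severity score>. Rules above the configured
    paranoia level are skipped entirely, so their bucket stays at 0."""
    for h in hits:
        if h.paranoia_level > tx.get("tx.paranoia_level"):
            continue
        tx.setvar(f"tx.anomaly_score_pl{h.paranoia_level}"
                  f"=+{SEVERITY_SCORE[h.severity]}")


def blocking_evaluation(tx):
    """REQUEST-949-BLOCKING-EVALUATION: rules 949060..949063 fold the per-PL
    buckets into tx.anomaly_score, then 949110 denies when the total reaches
    the inbound threshold. Returns True when the request is blocked."""
    for n in range(1, MAX_PL + 1):
        if tx.get("tx.paranoia_level") >= n:  # SecRule TX:PARANOIA_LEVEL "@ge n"
            tx.setvar(f"tx.anomaly_score=+%{{tx.anomaly_score_pl{n}}}")
    return tx.get("tx.anomaly_score") >= tx.get("tx.inbound_anomaly_score_threshold")


def evaluate_request(paranoia_level, hits, threshold=DEFAULT_INBOUND_THRESHOLD):
    """Run the three phases for one request; return (blocked, total, per-PL buckets)."""
    tx = Tx()
    initialization(tx, paranoia_level, threshold)
    detection_rules(tx, hits)
    blocked = blocking_evaluation(tx)
    buckets = {n: tx.get(f"tx.anomaly_score_pl{n}") for n in range(1, MAX_PL + 1)}
    return blocked, tx.get("tx.anomaly_score"), buckets


# Constructed sample hits (modelled on CRS 3.x rules; the arithmetic is the point).
SQLI_LIBINJECTION = RuleHit(942100, 1, "CRITICAL")  # PL1 rule, +5
NUMERIC_HOST = RuleHit(920350, 1, "WARNING")        # PL1 rule, +3
SQL_CHAR_ANOMALY = RuleHit(942430, 2, "WARNING")    # PL2 rule, +3

if __name__ == "__main__":
    for pl, hits in [(1, [SQLI_LIBINJECTION]),
                     (1, [NUMERIC_HOST, SQL_CHAR_ANOMALY]),
                     (2, [NUMERIC_HOST, SQL_CHAR_ANOMALY])]:
        blocked, total, buckets = evaluate_request(pl, hits)
        print(f"PL{pl} hits={[h.rule_id for h in hits]} buckets={buckets} "
              f"total={total} -> {'DENY 403' if blocked else 'pass'}")
```

Run as a script it prints three scenarios. A single critical hit scores 5 at PL1 and meets the default threshold on its own, which is why one libinjection match is enough for a 403 out of the box. The second and third runs score the same pair of hits at PL1 and at PL2: at PL1 the PL2 rule never executes, so `tx.anomaly_score_pl2` stays 0 and the request passes with 3 points; at PL2 the same rule adds 3 to `tx.anomaly_score_pl2`, rule 949061 folds that into `tx.anomaly_score`, and the total of 6 is denied. That is also the answer to "multiple rules": every matching rule just increments its bucket, and blocking is decided once, after all detection rules, on the sum.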