Hello,
I'm running mod_security 2.9.2 with the current CRS git master
(v3.0/master). I have some requests where no matching rule is logged to
the audit log except "Operator GE matched 5 at TX:anomaly_score ..." and
"Operator GE matched 5 at TX:inbound_anomaly_score". Any ideas how to find
out why the anomaly score is > 0?
Full log:
--2add8d70-A--
[29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438 1.2.3.5 443
--2add8d70-B--
GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1 HTTP/2.0
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=u4o0fs52l0j3bot1m8j4pjgsd3
Host: www.mydomain.de
--2add8d70-F--
HTTP/1.1 409 Conflict
Content-Length: 505
Content-Type: text/html; charset=iso-8859-1
--2add8d70-E--
--2add8d70-H--
Message: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1.2.3.4] ModSecurity: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"] [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
Action: Intercepted (phase 2)
Apache-Handler: php-fastcgi5.6
Stopwatch: 1517230401011338 4605 (- - -)
Stopwatch2: 1517230401011338 4605; combined=3476, p1=296, p2=3080, p3=0, p4=0, p5=100, sr=57, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
--2add8d70-Z--
Greets,
Stefan
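Added example, not part of Stefan's post and not code from the ModSecurity or CRS projects: a small Python triage script for serial-format audit-log entries like the one quoted above. It splits the log on the `--id-X--` part markers, pulls every `Message:` line from part H, separates the CRS evaluation rules (949xxx blocking, 980xxx correlation) from the rules that actually raised the score, and compares the "Total Score" reported by 949110 with the points the logged contributors account for under the CRS 3 default severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2). The first sample entry is the posted one, rejoined onto single lines with the repeated Apache-Error lines dropped; the second entry is constructed (its unique id, line numbers and 942100 hit are made up) so that a logged contributor can be seen for contrast. For the posted entry the script reports an unexplained remainder of 10: every point was added by rules that wrote no message to the audit log.

```python
"""Triage ModSecurity 2.x serial audit-log entries: which rules wrote a
message to part H, and how much of the reported anomaly score they explain.
Added example; the first sample entry is the one from the post, the second
is constructed to show what a logged contributor looks like."""
import re

# CRS 3.x default severity weights (tx.critical_anomaly_score and friends).
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

PART_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.M)
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TOTAL_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")

# Constructed sample: entry 1 is the post's log (Apache-Error lines omitted,
# they repeat the Message lines); entry 2 is invented for contrast.
SAMPLE_LOG = """--2add8d70-A--
[29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438 1.2.3.5 443
--2add8d70-B--
GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1 HTTP/2.0
Host: www.mydomain.de
--2add8d70-H--
Message: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"]
Action: Intercepted (phase 2)
--2add8d70-Z--
--3f7c1a20-A--
[29/Jan/2018:14:02:07 +0100] Wm8bXY0z4w0DYRA6xm2k3wAAAAM 1.2.3.4 41500 1.2.3.5 443
--3f7c1a20-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.mydomain.de
--3f7c1a20-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:id: 1' OR 1=1--"] [severity "CRITICAL"] [tag "application-multi"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--3f7c1a20-Z--
"""


def split_entries(text):
    """Split serial audit-log text into entries, each a dict part letter -> body."""
    entries, order = {}, []
    marks = list(PART_RE.finditer(text))
    for mark, nxt in zip(marks, marks[1:] + [None]):
        uid, part = mark.group(1), mark.group(2)
        end = nxt.start() if nxt else len(text)
        if uid not in entries:
            entries[uid] = {}
            order.append(uid)
        entries[uid][part] = text[mark.end():end].strip("\n")
    return [entries[uid] for uid in order]


def parse_messages(part_h):
    """One dict per 'Message:' line in part H, keyed by its [key "value"] fields."""
    return [dict(FIELD_RE.findall(line))
            for line in part_h.splitlines() if line.startswith("Message:")]


def triage(entry):
    """Compare the total reported by the 949/980 evaluation rules with the
    points accounted for by contributing rules that did log a message."""
    total, contributors = None, []
    for msg in parse_messages(entry.get("H", "")):
        rule_id = msg.get("id", "")
        if rule_id.startswith(("949", "980")):   # CRS blocking/correlation rules
            hit = TOTAL_RE.search(msg.get("msg", ""))
            if hit and total is None:
                total = int(hit.group(1))
        else:
            contributors.append(msg)
    explained = sum(SEVERITY_POINTS.get(m.get("severity", ""), 0) for m in contributors)
    part_a = entry.get("A", "").split()          # [date tz] unique_id src sport dst dport
    return {
        "unique_id": part_a[2] if len(part_a) > 2 else None,
        "total": total,
        "contributor_ids": [m.get("id") for m in contributors],
        "explained": explained,
        "unexplained": (total or 0) - explained,
    }


if __name__ == "__main__":
    for result in map(triage, split_entries(SAMPLE_LOG)):
        verdict = ("all points accounted for" if result["unexplained"] == 0
                   else "raised by rules that wrote no audit-log message")
        print(f"{result['unique_id']}: total={result['total']} "
              f"contributors={result['contributor_ids']} "
              f"unexplained={result['unexplained']} ({verdict})")
```

When an entry comes out with an unexplained remainder, the audit log has nothing more to give, because a rule carrying `nolog` suppresses its audit-log message (in ModSecurity 2.x `nolog` implies `noauditlog` unless `auditlog` is set explicitly) while its `setvar` on `tx.anomaly_score` still takes effect. The next step is therefore on the engine side: set `SecDebugLogLevel 9` for a reproduction request and grep the debug log for the `tx.anomaly_score` variable updates, which appear together with the id of the rule that performed them.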