Hey Stefan,
On Mon, Jan 29, 2018 at 04:29:33PM +0100, Stefan Priebe - Profihost AG wrote:
> I had a rule chained into two SecRule commands.
>
> I had
> SecRule C D ..chain,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}..
> SecRule A B ...
>
> it seemed all requests which matched Rule "C D" already got the anomaly
> score. I believed this only happens in case A B matches as well as
> they're chained.

That's a common misconception. And it happened to me as well. :)

The ModSec Handbook (2nd ed, p. 371) reads: Nondisruptive actions can be used
anywhere in the chain. They'll be executed immediately after an individual
rule matches.

When working with anomaly scores, you need to put the setvar on the last
rule in the chain, like we do in the CRS. See 920180 for example.

Ahoj,

Christian
--
All of the great leaders have had one characteristic in common: it
was the willingness to confront unequivocally the major anxiety of
their people in their time. This, and not much else, is the
essence of leadership.
-- John Kenneth Galbraith
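
The chain behaviour described in this reply, shown as an added example that is not part of the original message and is not a rule from the CRS. The rule IDs 100001 and 100002 and the matched conditions are constructed placeholders, and `tx.critical_anomaly_score` is assumed to be set already by the CRS setup:

```apache
# Constructed example. IDs 100001/100002 and the match conditions are
# placeholders; tx.critical_anomaly_score is assumed to be initialised by the
# CRS setup before these rules run.

# Misplaced setvar: it sits on the chain starter, so it runs as soon as the
# first rule matches. Every POST request gets the score, whether or not the
# second rule in the chain matches.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100001,\
    phase:1,\
    pass,\
    nolog,\
    chain,\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# Corrected placement: the chain starter carries only the rule metadata and
# the chain action. The setvar is on the last rule, so the score is added
# only when both conditions match.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100002,\
    phase:1,\
    pass,\
    nolog,\
    chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
        "setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
```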