[mod-security-users] Rule actions in CRS
From: Eirik Ø. - M. <ltn...@an...> - 2018-04-09 08:25:50
Hi,

I understand that the recommended way of using the CRS is the "Anomaly scoring" mode. Taking that into account, and considering this is a quite new installation and we're seeing a lot of FPs (this is in the nature of our applications and those that interact with it), we've followed the recommendations in crs-setup.conf.sample and adjusted paranoia level and thresholds accordingly.

However, it seems that a large number of the CRS rules are firing independently, regardless of the accumulated anomaly scores. Is this because we're running in DetectionOnly mode? Or is it because many of the rules explicitly say 'block'?

In some cases, we see the audit log containing multiple messages for a transaction, showing that the anomaly thresholds are consulted. In others - in fact most - we see only a single message from a single rule that has fired.

Apologies if I have misunderstood how this works - I'm just hoping we can make effective use of this without first learning all the intricacies of the CRS ruleset.

Wbr
/Eirik
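As an added illustration that is not part of Eirik's message, the directives in a stock CRS 3.x / ModSecurity 2.9 installation that decide whether a single CRS rule is disruptive on its own or only contributes to the anomaly score; it assumes the default crs-setup.conf layout, and the final evaluation rule is a simplified paraphrase of the CRS one with a constructed rule id.

```apache
# Added example (not from the mailing-list post, not a verbatim copy of the
# CRS files): the settings that govern per-rule versus anomaly-score blocking.
# Threshold values are the CRS 3.x defaults; tune them to your own traffic.

# modsecurity.conf
# DetectionOnly: every matching rule is still evaluated and logged, but no
# disruptive action is enforced. Each rule match therefore writes its own
# "Message:" line to the audit log, whatever the final anomaly score is.
SecRuleEngine DetectionOnly
# SecRuleEngine On        # switch to this once tuning is finished

# crs-setup.conf: anomaly scoring mode
# CRS rules carry the "block" action. "block" does not deny by itself; it
# resolves to the disruptive action configured here, and with "pass" the
# rule only logs and adds its severity weight to tx.anomaly_score.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Thresholds consulted by the CRS blocking-evaluation rules at the end of
# the request (phase 2) and response (phase 4) rule sets.
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# Simplified form of the CRS inbound evaluation rule found in
# REQUEST-949-BLOCKING-EVALUATION.conf (CRS id 949110). This is the only
# place where the accumulated score is compared with the threshold and a
# deny is issued; the id below is constructed for this example only.
# Under SecRuleEngine DetectionOnly the deny is logged, not enforced.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
 "id:1000949110,\
  phase:2,\
  deny,\
  log,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})'"
```

A transaction that trips several rules shows one message per rule plus the evaluation rule's message when the threshold is reached; a transaction that trips one low-severity rule below the threshold shows only that rule's message.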