ModSecurity Rule

Last updated: 2022-11-30

Contents

  • Feature
  • Virtual Patching
  • Security Model
  • Phase
  • id range
  • Rule basics - SecRule and SecAction
    Variables
    Operators
    Actions
  • More Example
  • SecMarker
  • Usage: Block Proxy
  • Usage: POST must have Content-Length
  • Usage: Whitelist IP address
  • Usage: Bypass WAF by URL
  • Usage: Bypass a rule by URL
  • Usage: Block Countries
  • Usage: HTTP Policy Settings
  • Block by Arguments
  • Anti-Automation / DoS Protection
  • Rules that often need modification
  • Rules written by others
  • CRS Rule Files
  • Anomaly Scoring Mode (Default in CRS3)
  • Doc

 


Feature

 

XML support (parsing, validation, XPath)

Regular Expression back-references (allows one to create custom variables using transaction content)

Data persistence (a feature to track IP addresses, application sessions, and application users)

Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.

 


Virtual Patching

 

 * just-in-time patching

Reason for use: fixing identified vulnerabilities in web applications (e.g. WordPress) always takes time.

 

 

 


Security Model

 

Negative Security Model - looks for known bad, malicious requests.

This method is effective at blocking a large number of automated attacks,

however it is not the best approach for identifying new attack vectors.

Using too many negative rules may also negatively impact performance.

Positive Security Model

When positive security model is deployed,

only requests that are known to be valid are accepted, with everything else rejected.

This approach works best with applications that are heavily used but rarely updated.

Virtual Patching - Its rule language makes ModSecurity an ideal external patching tool.

External patching is all about reducing the window of opportunity.

Time needed to patch application vulnerabilities often runs to weeks in many organizations.

With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it),

making your systems secure until a proper patch is produced.

Extrusion Detection Model

ModSecurity can also monitor outbound data and identify and block information disclosure issues

such as leaking detailed error messages or Social Security Numbers or Credit Card Numbers.

 


Phase

 

Five processing phases

  • Phase 1: Request Headers
  • Phase 2: Request Body
    ----------------------------------
  • Phase 3: Response Headers
  • Phase 4: Response Body
    ----------------------------------
  • Phase 5: Logging

 * Keep in mind that rules are executed according to phases.

   => The order of rules in the configuration file matters only among the rules of the same phase
      (two rules that are adjacent in the configuration file will not run one after the other if they are set to execute in different phases).

 * The data available in each phase is cumulative.

 * The LOGGING phase is special.
    It is executed at the end of each transaction no matter what happened in the previous phases.
    (a transaction is one request/response pair, e.g. a HEAD / GET / POST)

Precedence of Apache modules

The various phases are hooked into the Apache request lifecycle together with the other Apache modules.

On each hook, there can be more than one module being executed.

When examining the response, ModSecurity tries to be as early as possible.

For example, phase 3 and phase 4 rules will run before mod_headers.

So if you want to edit HTTP response headers with mod_headers (adding the secure flag to cookies springs to mind),

you will usually have to wait until ModSecurity phase 5.

Setting the default action

Syntax: SecDefaultAction "action1,action2,action3"

Default: phase:2,log,auditlog,pass

 * The defaults are inherited by every rule that follows the SecDefaultAction in the same configuration context.

 * A SecDefaultAction must specify a disruptive action and a processing phase, and cannot contain metadata actions.

i.e.

# There are default actions for both phase 1 and phase 2, so two lines are needed

SecDefaultAction "phase:1,log,deny,status:417"
SecDefaultAction "phase:2,log,deny,status:417"

 


id range

 

 * The id action is required for all SecRule/SecAction directives as of v2.7.0

  • 1–99,999: reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others
  • ...
  • 900,000–999,999: reserved for the OWASP ModSecurity Core Rule Set project (http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_...)
  • ...
  • 4,301,000–19,999,999: unused (available for reservation)
  • ...
  • 22,000,000–69,999,999: unused (available for reservation)
  • ...
  • 99,000,000–99,099,999: reserved for use by Microsoft (https://azure.microsoft.com/en-us/services/web-application-firewall/)
  • ...

 


Rule 入門 - SecRule 與 SecAction

 

SecAction Syntax

SecAction ACTIONS

Unconditionally processes the action list it receives as the first and only parameter.

SecRule Syntax

SecRule VARIABLES OPERATOR [ACTIONS]

* Default ACTIONS can be set with SecDefaultAction

i.e.

When the value of the TEST header is 0, the action is triggered:

SecRule REQUEST_HEADERS:TEST "@eq 0" "phase:1,id:1,deny,log,status:417"

 * Use "\" to split a rule across several lines

SecRule REQUEST_HEADERS:TEST \
    "@eq 0" \
    "phase:1,id:1, \
     deny,log,status:417"

 

Variables

REQUEST_HEADERS:Header-Name

* Header-Name is case-insensitive; the value is case-sensitive

i.e.

REQUEST_HEADERS:TEST

Case: multiple headers that have identical names

  • Apache: concatenated into a single header with a comma as the delimiter.

REQUEST_HEADERS_NAMES

A collection of all header names; its values are case-sensitive

REQUEST_FILENAME, REQUEST_URI, QUERY_STRING

REQUEST_FILENAME

This variable holds the relative request URL without the query string part

(e.g. /index.php)

REQUEST_URI

This variable holds the full request URL including the query string data

(e.g. /index.php?test=true)

QUERY_STRING

always provided raw, without URL decoding taking place.

e.g.

  • /?test=true
  • /?test

ARGS

Parameters can be checked in the following three ways:

  • SecRule ARGS "!\w" "id:7"
  • SecRule ARGS:id "!\w" "id:8"
  • SecRule ARGS:/^id_/ "!\w" "id:9"

 * This check is case-insensitive

Also available:

  • ARGS_GET / ARGS_GET_NAMES
  • ARGS_POST / ARGS_POST_NAMES

Notes

phase:1 and phase:2 behave differently!!

# Block by parameter checking
SecRule REQUEST_FILENAME "^/test\.php" \
  "id:2,phase:1,deny,t:lowercase,t:normalizePath,msg:'Block by Parameter',chain"
  SecRule ARGS:test1 "!\d" ""

 * Because this runs in phase 1, POST parameters cannot be checked (the request body is not yet available)

When changed to phase:2, a POST parameter will overwrite the GET parameter of the same name.

The order in which parameters are taken from the request and the environment is EGPCS
(environment, GET, POST, Cookies, built-in variables).

REQUEST_METHOD

SecRule REQUEST_METHOD "^(?:CONNECT|TRACE)$" "id:50,t:none"

REQBODY_ERROR

# Contains the status of the request body processor
# 0 (no error) or 1 (error)

TX

# This is the transient transaction collection, which is used to store pieces of data

TX:0: the matching value when using the @rx or @pm operator with the capture action

TX:1-TX:9: the captured subexpression value when using the @rx operator with capturing parens and the capture action

 * tx and TX are the same collection; collection names are case-insensitive

Set:

# Prepare custom REMOTE_ADDR variable
SecAction "phase:1,id:1,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"

Usage:

# Block the transactions whose scores are too high

SecRule TX:SCORE "@gt 20" "phase:2,id:83,log,deny"

MATCHED_VAR_NAME

# This variable holds the full name of the variable that was matched against.

Notes

Variables can be combined with OR ("|"):

SecRule REQUEST_URI|REQUEST_HEADERS_NAMES ...

 

Operators

  • @rx regex                       # regular expressions
  • simplified alternatives to regex
    @beginsWith
    @endsWith
    @contains
    @containsWord
    @strmatch
    @within
  • &                                   # count how many variables there are in a collection
  • @eq vs @streq
  • @ipMatch, @ipMatchFromFile(@ipMatchF)
  • @pm / @pmFromFile
  • @gsbLookup
  • @detectSQLi, @detectXSS
  • ...

@rx operator

# If MyTest3 is present, it must be numeric

SecRule REQUEST_HEADERS:MyTest3 "!@rx ^\d+$" "id:3,phase:1,deny,log,msg:'MyTest3'"

 * The entire input is treated as a single line, even when there are newline characters present.

    The PCRE_DOTALL and PCRE_DOLLAR_ENDONLY flags are set during compilation,
    meaning that a single dot will match any character, including the newlines, and
    a $ end anchor will not match a trailing newline character.

 * All matches are case-sensitive.

 * When the variable is absent the rule does not match, because an absent header is never passed to the operator

 * Every SecRule must have an OPERATOR, if none is listed @rx is implied.

SecRule REQUEST_HEADERS:MyTest3 "!^\d+$" "id:3,phase:1,deny,log,msg:'MyTest3'"

Notes

"^regex$"        # must match the entire value

"(?i)TEST4"      # case-insensitive comparison of the value (TEST4, test4, Test4 ...)

In PHP's $_SERVER, the header MyTest appears as HTTP_MYTEST

@within

regex version

SecRule REQUEST_METHOD "^(?!(?:GET|HEAD|POST|OPTIONS))" \
  "id:11,phase:1,deny,t:none,msg:'Block by REQUEST METHOD'"

@within version

SecRule REQUEST_METHOD "!@within GET,HEAD,POST,OPTIONS" \
  "id:11,phase:1,deny,t:none,msg:'Block by REQUEST METHOD'"

strmatch

The operator uses the pattern matching Boyer-Moore-Horspool algorithm,
which means that it is a single pattern matching operator.

& operator

# check whether the "Content-Length" header exists

SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

@eq vs @streq

eq: numerical comparison

streq: returns true if the parameter string is identical to the input string

ipMatch, ipMatchFromFile

SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/24,192.168.1.50" "id:1,allow"

# @ipMatchF = @ipMatchFromFile

SecRule REMOTE_ADDR "@ipMatchF ip.txt" "id:1,allow"

 * ip.txt does not support comments

 * After modifying it, run "nginx -s reload"

pm / pmFromFile

Performs a case-insensitive match of the provided phrases against the desired input value.
The operator uses a set-based matching algorithm (Aho-Corasick),
which means that it will match any number of keywords in parallel.

* this operator does not check for boundaries when matching, so false positives are possible in some cases:
   the phrase 1.2.3.4 will potentially match more than one IP address (e.g., it will also match 1.2.3.40 or 1.2.3.41)

# Prepare custom REMOTE_ADDR variable
SecAction "phase:1,id:1,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"

# Check if REMOTE_ADDR is blacklisted
SecRule TX:REMOTE_ADDR "@pmFromFile /etc/httpd/modsecurity.d/blacklist.txt" \
        "phase:1,id:2,deny,msg:'Blacklisted IP address'"
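The two rules above only work because the address is wrapped in slashes before it reaches @pmFromFile. The following Python model is an added example, not ModSecurity or CRS code: it reproduces the boundary-free substring matching of @pm over a constructed blacklist and shows the false positive with bare entries and its absence with /a.b.c.d/ entries. It assumes the entries in blacklist.txt are written in the same slash-delimited form as tx.REMOTE_ADDR.

```python
"""Model of @pm / @pmFromFile substring matching and the slash-delimiter trick.

Added example, not ModSecurity code. Assumption: blacklist.txt entries are
written as /1.2.3.4/ to match the setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/ rule.
"""


def load_phrases(file_text):
    """Parse a pmFromFile-style file: one phrase per line, blank lines ignored."""
    return [line.strip() for line in file_text.splitlines() if line.strip()]


def pm(phrases, value):
    """Return the phrases that occur anywhere in value, case-insensitively.

    ModSecurity uses Aho-Corasick for this; a linear scan gives the same
    answer for a short list and makes the lack of boundary checks obvious.
    """
    low = value.lower()
    return [p for p in phrases if p.lower() in low]


# Constructed blacklist file contents, bare and slash-delimited.
BARE_BLACKLIST_TXT = "1.2.3.4\n10.0.0.9\n"
DELIMITED_BLACKLIST_TXT = "/1.2.3.4/\n/10.0.0.9/\n"


def is_blacklisted_bare(remote_addr):
    """SecRule REMOTE_ADDR "@pmFromFile blacklist.txt" with bare entries."""
    return bool(pm(load_phrases(BARE_BLACKLIST_TXT), remote_addr))


def is_blacklisted_delimited(remote_addr):
    """The two-rule form: setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/ first, then
    SecRule TX:REMOTE_ADDR "@pmFromFile blacklist.txt" with /a.b.c.d/ entries."""
    tx_remote_addr = "/%s/" % remote_addr
    return bool(pm(load_phrases(DELIMITED_BLACKLIST_TXT), tx_remote_addr))


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.40", "11.2.3.4", "10.0.0.99"):
        print("%-10s bare=%-5s delimited=%s"
              % (ip, is_blacklisted_bare(ip), is_blacklisted_delimited(ip)))
```

Run it and 1.2.3.40 and 11.2.3.4 are flagged by the bare list but not by the delimited one; the same trick applies to any short token matched with @pm, not only to addresses.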

gsbLookup

Performs a local lookup of Google's Safe Browsing using URLs in input

against the GSB database previously configured using SecGsbLookupDb.

@detectSQLi, @detectXSS

This operator uses LibInjection to detect SQLi & XSS attacks.

libinjection

Actions

"id:8888,phase:1,log,deny,status:417,msg:'admin block rule'"

phase

Places the rule in Phase 1 processing

log

Rule matches appear in both the error and audit logs.

 * log only writes to nginx's error_log when the rule denies

 * status only has an effect together with deny

deny

If no actions are provided, the default list will be used.

 * deny only takes effect when "SecRuleEngine On" is set

status

Not all status codes can be used, because they carry their own meaning! e.g. 488

417: Expectation Failed

The server cannot meet the requirements of the Expect request-header field.

chained rule

Rules whose action list contains "chain" are called chained rules

Chained rules allow for more complex processing logic. (simulate logical AND)

Chains the rule where the action is placed with the rule that immediately follows it.

* The disruptive actions specified in the first portion of the chained rule will be triggered only
   if all of the variable checks return positive hits.

* The metadata actions (e.g., id, rev, msg) can be used only in the chain starter.

The following directives can be used in rule chains:

    SecAction
    SecRule
    SecRuleScript

The metadata actions

id

 * The id action is required for all SecRule/SecAction directives as of v2.7.0

tag

Description: Assigns a tag (category) to a rule or a chain.

rev

Description: Specifies rule revision.

Purpose: It is useful in combination with the id action to provide an indication that a rule has been changed.

severity, maturity, accuracy

i.e.

  severity:'6',\
  maturity:'9',\
  accuracy:'9',\

severity # Meta-data  0(EMERGENCY)~7(DEBUG)

Describes how severe a match of the rule is

maturity # Meta-data  1~9

Describes how mature a rule is (9 means it has been tested without problems)

accuracy # Meta-data  1~9

Describes how likely a rule is to produce false positives/negatives

Transformation functions

Action: t

To transform the value of each variable used in the rule before matching.

 * The transformations will be performed in the order in which they appear in the rule.

t:lowercase

t:replaceNulls - replaces NULL bytes in input with spaces

t:compressWhitespace

t:trim - Removes whitespace from both the left and right sides of the input string.

t:removeWhitespace

t:length

t:sha1

t:md5

t:none

remove all transformation functions associated with the current rule.

SecDefaultAction may already have set transformations

Useful Actions

redirect

SecRule REQUEST_HEADERS:User-Agent "Test" "phase:1,id:130,log,redirect:http://www.example.com/failed.html"

block

Performs the disruptive action defined by the previous SecDefaultAction

Usage: SecRuleUpdateActionById

# Detect attacks and block
SecRule ARGS attack1 phase:2,id:1,deny

# Change how rule ID 1 blocks
SecRuleUpdateActionById 1 block

exec

Description: Executes an external script/binary supplied as parameter.
As of v2.5.0, if the parameter supplied to exec is a Lua script (detected by the .lua extension) the script will be processed internally.
This means you will get direct access to the internal request context from the script.

External scripts will always be called with no parameters.
Some transaction information will be placed in environment variables.

The script you execute must write something (anything) to stdout; if it doesn’t,
ModSecurity will assume that the script failed, and will record the failure.

capture

create copies of the regular expression captures and
  place them into the transaction variable collection (TX:1~TX:9) # the regex match itself is case-sensitive

SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,id:105,capture,t:none,chain
  SecRule TX:1 "(?:(?:a(dmin|nonymous)))"

logdata

Logs a data fragment as part of the alert message.

Macro expansion is performed, so you may use variable names such as %{TX.0} or %{MATCHED_VAR}

SecRule ARGS:p "@rx <script>" "phase:2,id:118,log,pass,logdata:%{MATCHED_VAR}"

Macro Expansion

place holders in rules that will be expanded out to their values at runtime.

It can be used in actions such as initcol, setsid, setuid, setvar, setenv, logdata.

Operators: @beginsWith, @endsWith, @contains, @within, @streq, @rx

Macro: REMOTE_ADDR, MATCHED_VAR, MATCHED_VAR_NAME, TX

Format:

  • %{VARIABLE}
  • %{COLLECTION.VARIABLE}

logdata example

# Using "%{TX.1}"

  • The action list must include capture, otherwise "%{TX.1}" will be empty
  • %{TX.1} = %{tx.1}   # case-insensitive; the separator must be "." (this is the macro format)
  • %{TX.0} = %{MATCHED_VAR}
# Test: logdata
SecRule REQUEST_HEADERS:TEST4 "A(.*)C" \
        "phase:1,id:4,deny,capture, \
        logdata:'Matched Data: %{tx.1} found within %{MATCHED_VAR_NAME}:%{MATCHED_VAR}'"
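To make the capture/logdata interaction concrete, here is an added Python model of the test rule above; it is not ModSecurity code. It looks up the header case-insensitively, runs the regex with DOTALL as @rx does, fills TX:0..TX:9 only when capture is present, and expands %{tx.N}, %{MATCHED_VAR} and %{MATCHED_VAR_NAME} in the logdata string. The request headers are constructed.

```python
"""Model of the capture action and logdata macro expansion.

Added example, not ModSecurity code. Mirrors:
  SecRule REQUEST_HEADERS:TEST4 "A(.*)C" "phase:1,id:4,deny,capture,logdata:'...'"
"""
import re

# Constructed request headers, standing in for the REQUEST_HEADERS collection.
HEADERS = {"Host": "www.example.com", "TEST4": "AxyzC"}

MACRO = re.compile(r"%\{([^}]+)\}")


def lookup_header(headers, name):
    """Header names are case-insensitive; return (actual name, value) or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return key, value
    return None


def run_capture_rule(headers, header_name, pattern, logdata, capture=True):
    """Evaluate one @rx rule and return (matched, tx, expanded_logdata).

    An absent header means the operator never runs, so the rule cannot match.
    capture=False reproduces the warning that %{tx.1} is then empty.
    """
    found = lookup_header(headers, header_name)
    if found is None:
        return False, {}, ""
    actual_name, value = found
    # @rx sets PCRE_DOTALL, so '.' also matches newline characters
    m = re.search(pattern, value, flags=re.DOTALL)
    if m is None:
        return False, {}, ""
    tx = {}
    if capture:
        tx["0"] = m.group(0)                        # TX:0 = the whole match
        for i, group in enumerate(m.groups()[:9], start=1):
            tx[str(i)] = group or ""                # TX:1..TX:9 = sub-matches
    macros = {
        "MATCHED_VAR": value,                                  # full variable value
        "MATCHED_VAR_NAME": "REQUEST_HEADERS:" + actual_name,  # which variable matched
    }

    def expand(mo):
        name = mo.group(1)
        if name.lower().startswith("tx."):          # %{tx.1} and %{TX.1} are the same
            return tx.get(name.split(".", 1)[1], "")
        return macros.get(name.upper(), "")

    return True, tx, MACRO.sub(expand, logdata)


LOGDATA = "Matched Data: %{tx.1} found within %{MATCHED_VAR_NAME}:%{MATCHED_VAR}"

if __name__ == "__main__":
    print(run_capture_rule(HEADERS, "TEST4", r"A(.*)C", LOGDATA))
    print(run_capture_rule(HEADERS, "TEST4", r"A(.*)C", LOGDATA, capture=False))
    print(run_capture_rule(HEADERS, "MyTest3", r"^\d+$", LOGDATA))
```

The third call shows the point made under @rx: a header that was never sent produces no match at all, rather than matching an empty string.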

nolog

Although nolog implies noauditlog, you can override the former by using nolog,auditlog

 

Combined use of drop, initcol, deprecatevar and setvar

# If the client goes over the threshold of more than 25 attempts in 2 minutes, it will DROP subsequent connections.

initcol

Initializes a named persistent collection,

either by loading data from storage or by creating a new collection in memory.

Collections are loaded into memory on-demand

Persistent Storage: GLOBAL, RESOURCE, IP, SESSION and USER

SecDataDir /path/to/dir

setvar

Variable names are case-insensitive

To create a variable and initialize it at the same time, use: setvar:TX.score=10
To remove a variable, prefix the name with an exclamation mark: setvar:!TX.score
To increase or decrease variable value, use + and - characters in front of a numerical value: setvar:TX.score=+5

* You should use the expirevar actions at the same time that you use setvar actions in order to keep the intended expiration time.

expirevar

Not yet supported in v3

A collection variable to expire after the given time period (in seconds)

expirevar:ip.auth_attempt=3600

deprecatevar

Not supported in v3

Decrements a numerical value over time,

which makes sense only when applied to variables stored in persistent collections

drop

In ModSecurity v3 this action currently functions the same as the deny action.

v2

Initiates an immediate close of the TCP connection by sending a FIN packet.

 


SecMarker

 

Syntax: SecMarker ID|TEXT

Adds a fixed rule marker that can be used as a target in a skipAfter action.

* the skipAfter action works only within the current processing phase (1, 2, 3, 4)

Usage: skipping a group of rules

# Require Accept header, but not from access from the localhost
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST"

# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1
SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'"
SecMarker IGNORE_LOCALHOST

 


More Example

 

# Test 1: true only when MyTest1 exists and is numeric => not true when the header is absent

SecRule REQUEST_HEADERS:MyTest1 "^\d+$" "id:1,phase:1,log"

# Test 2: header names are case-insensitive but values are case-sensitive, so normalize with "t:lowercase"

SecRule REQUEST_HEADERS:MyTest2 "!@containsWord chunked" "id:1,phase:1,log,t:lowercase"

# Test 3: only check for "chunked" when MyTest3 exists

SecRule &REQUEST_HEADERS:MyTest3 "!@eq 0" "id:1,msg:'My Test Rule',chain"
    SecRule REQUEST_HEADERS:MyTest3 "!@containsWord chunked" "t:lowercase"

# Test 4: Denylist rules

SecRule REQUEST_FILENAME "/phpmyadmin" "id:10000,phase:1,deny,log,t:lowercase,t:normalizePathWin,\
  msg:'Blocking access to %{MATCHED_VAR}.',tag:'Denylist Rules'"

t:normalizePathWin
Same as normalizePath, but first converts backslash characters to forward slashes.

t:normalizePath
Removes multiple slashes, directory self-references, and directory back-references
(except when at the beginning of the input) from input string.

# Test 5: Log more

SecRule REMOTE_ADDR  "@streq 127.0.0.1"   "id:12000,phase:1,pass,log,auditlog,\
    msg:'Initializing full traffic log'"

 


Usage: Block Proxy

 

SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \
    "log,deny,id:48,status:403,t:lowercase,msg:'Proxy Server Used'"

 


Usage: POST must have Content-Length

 

    # Accept only digits in content length
    SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" "id:11,phase:1,deny,log"

    # Block a non-chunked POST without Content-Length on a non-HTTP/2 connection
    SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" "id:12,phase:1,deny,log,chain"
        SecRule REQUEST_METHOD "@streq POST" "chain"
            SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "chain"
                SecRule REQUEST_HEADERS:Transfer-Encoding "!@containsWord chunked"

1. Sending the content-length header is optional in HTTP/2; the frame headers let a user agent determine when a resource has been sent in full.

The role of the content-length header in HTTP/2:

It lets the user agent cache large resources straight to disk and small ones in memory.

 


Usage: Whitelist IP address

 

# uninterrupted access (log rule alerts only)

SecRule REMOTE_ADDR "^192\.168\.1\.100$" \
  "id:2001,\
  phase:1,\
  nolog,\
  allow,\
  ctl:ruleEngine=DetectionOnly"

# disable both the rule and audit engines

SecRule REMOTE_ADDR "^192\.168\.1\.100$" \
  "phase:1,id:2002,\
  allow,nolog,\
  ctl:ruleEngine=Off,ctl:auditEngine=Off"

Using @ipMatch and @ipMatchFromFile

@ipMatch 192.168.1.101

@ipMatchFromFile whitelist_ip.txt

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

 


Usage: Bypass WAF by URL

 

SecRule REQUEST_URI "@beginsWith /favicon.ico" \
  "phase:1,id:2003,\
  pass,nolog,\
  ctl:ruleEngine=Off"

 


Usage: Bypass a rule by URL

 

# exclude the "password" parameter for rule 942100 when the REQUEST_URI is /index.php

SecRule REQUEST_URI "@beginsWith /index.php" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:password"

 


Usage: Block Countries

 

ModSecurity v3 uses GeoLite2 (.mmdb files)

https://github.com/maxmind/geoipupdate

Install

wget https://github.com/maxmind/geoipupdate/releases/download/v4.8.0/geoipupd...

rpm -Uvh geoipupdate_4.8.0_linux_amd64.rpm

Config File

/etc/GeoIP.conf

Rule Setting

SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb

SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Block IP address'"
 SecRule GEO:COUNTRY_CODE "!@streq HK"

SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Block IP address'"
 SecRule GEO:COUNTRY_CODE "!@pm HK CN"

 


Usage: HTTP Policy Settings

 

# HTTP methods that a client is allowed to use.

SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Content-Types that a client is allowed to send in a request.

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| ...'"

# Forbidden file extensions

SecAction \
 "id:900240,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.restricted_extensions=.asa/ ...'"

 


Block by Arguments

 

# Block request if number of arguments is too high

SecAction \
 "id:900300,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.max_num_args=3"

# Block request if the length of any argument name is too high

SecAction \
 "id:900310,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.arg_name_length=5"

# Block request if the length of any argument value is too high

SecAction \
 "id:900320,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.arg_length=40"

# Block request if the file size of any individual uploaded file is too high

SecAction \
 "id:900340,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.max_file_size=1048576"

 


Anti-Automation / DoS Protection

 

# Requests to static files are not counted towards DoS; they are listed in the 'tx.static_extensions' setting

Exceeding tx.dos_counter_threshold requests within one tx.dos_burst_time_slice counts as one burst.

After 2 bursts the client is blocked for tx.dos_block_timeout seconds.

SecAction \
 "id:900700,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=5',\
  setvar:'tx.dos_counter_threshold=10',\
  setvar:'tx.dos_block_timeout=60'"
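The following Python simulation is an added example, not CRS or ModSecurity code: it implements the burst/block behaviour described above (threshold exceeded inside a time slice = one burst, second burst = block for the timeout, static extensions not counted) with the three values from the SecAction and replays a constructed request timeline for one client. The per-client dict stands in for the persistent 'ip' collection that initcol provides, and the static extension list is an assumed subset of tx.static_extensions.

```python
"""Simplified model of the CRS DoS protection settings above.

Added example, not CRS code: one burst = more than DOS_COUNTER_THRESHOLD
counted requests inside one DOS_BURST_TIME_SLICE; the second burst blocks the
client for DOS_BLOCK_TIMEOUT seconds. Timeline and extension list are constructed.
"""
from collections import defaultdict

DOS_BURST_TIME_SLICE = 5      # tx.dos_burst_time_slice, seconds
DOS_COUNTER_THRESHOLD = 10    # tx.dos_counter_threshold, requests per slice
DOS_BLOCK_TIMEOUT = 60        # tx.dos_block_timeout, seconds
# assumed subset of tx.static_extensions
STATIC_EXTENSIONS = (".jpg", ".png", ".gif", ".css", ".js", ".ico")


def new_ip_state():
    return {"slice_start": None, "counter": 0, "burst_in_slice": False,
            "burst_counter": 0, "block_until": 0.0}


class DosTracker:
    def __init__(self):
        self.ip = defaultdict(new_ip_state)   # stands in for the persistent 'ip' collection

    def handle(self, now, client_ip, path):
        """Return 'blocked' or 'pass' for a request arriving at time `now` (seconds)."""
        st = self.ip[client_ip]
        if now < st["block_until"]:
            return "blocked"                       # still inside dos_block_timeout
        if path.lower().endswith(STATIC_EXTENSIONS):
            return "pass"                          # static files are not counted
        if st["slice_start"] is None or now - st["slice_start"] >= DOS_BURST_TIME_SLICE:
            st["slice_start"], st["counter"], st["burst_in_slice"] = now, 0, False
        st["counter"] += 1
        if st["counter"] > DOS_COUNTER_THRESHOLD and not st["burst_in_slice"]:
            st["burst_in_slice"] = True            # a slice counts as one burst at most
            st["burst_counter"] += 1
            if st["burst_counter"] >= 2:
                st["block_until"] = now + DOS_BLOCK_TIMEOUT
                st["burst_counter"] = 0
                return "blocked"
        return "pass"


def simulate(requests):
    """requests: iterable of (time_seconds, client_ip, path); returns the decisions in order."""
    tracker = DosTracker()
    return [tracker.handle(t, ip, path) for t, ip, path in requests]


# Constructed timeline for one client (RFC 5737 documentation address).
SAMPLE_REQUESTS = (
    [(0.0 + i * 0.01, "203.0.113.7", "/login") for i in range(10)]    # 10 hits: at threshold
    + [(0.10, "203.0.113.7", "/logo.png")]                            # static, not counted
    + [(0.11, "203.0.113.7", "/login")]                               # 11th hit: burst 1
    + [(6.0 + i * 0.01, "203.0.113.7", "/login") for i in range(11)]  # new slice, burst 2 -> block
    + [(6.5, "203.0.113.7", "/login"),                                # inside block timeout
       (70.0, "203.0.113.7", "/login")]                               # block expired
)

if __name__ == "__main__":
    for (t, ip, path), decision in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print("%6.2fs %s %-10s %s" % (t, ip, path, decision))
```

Changing the three constants at the top shows how the trade-off works: a shorter slice or lower threshold blocks sooner but also catches legitimate page loads that fetch many non-static resources.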

 


Rules that often need modification

 

Host header is a numeric IP address

REQUEST-920-PROTOCOL-ENFORCEMENT.conf

id "920350" msg "Host header is a numeric IP address"

 


別人寫好的 Rules

 

Free

Paid (commercial rules)

These mostly use SecRemoteRules.

 


Anomaly Scoring Mode (default in CRS3)

 

In this mode, each matching rule increases an 'anomaly score'.

At the conclusion of the inbound rules, the anomaly score is checked,

and the blocking evaluation rules apply a disruptive action, by default returning an error 403.

Self-Contained Mode

In this mode, rules apply an action instantly.

This was the CRS2 default. It can lower resource usage.

Paranoia level

1 is default (for beginners)

2 includes many extra rules

3 enables more rules and keyword lists, and tweaks limits on special characters used

4 further restricts special characters (highest level)

Setting

SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

Anomaly Mode Severity Levels

 * these scores are cumulative

5 CRITICAL (93x and 94x files)

4 ERROR (95x files)

3 WARNING (91x files)

2 NOTICE (92x files)

#SecAction \
# "id:900100,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.critical_anomaly_score=5,\
#  setvar:tx.error_anomaly_score=4,\
#  setvar:tx.warning_anomaly_score=3,\
#  setvar:tx.notice_anomaly_score=2"

Blocking Threshold Levels

#SecAction \
# "id:900110,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.inbound_anomaly_score_threshold=5,\
#  setvar:tx.outbound_anomaly_score_threshold=4"
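To see how the paranoia level, the per-severity scores and the inbound threshold combine, here is an added Python model of anomaly scoring next to self-contained mode; it is not CRS code. The rule hits are constructed tuples of (rule id, severity, paranoia level the rule belongs to), and the ids are local-range placeholders, not real CRS rule ids.

```python
"""Anomaly scoring mode versus self-contained mode, with the defaults above.

Added example, not CRS code. SAMPLE_HITS is constructed; its rule ids are
placeholders in the local (1-99,999) range.
"""

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_ANOMALY_SCORE_THRESHOLD = 5   # tx.inbound_anomaly_score_threshold default

# Constructed hits for one request: a PL1 notice, a PL2 warning, a PL3 critical.
SAMPLE_HITS = [
    (1001, "NOTICE", 1),
    (1002, "WARNING", 2),
    (1003, "CRITICAL", 3),
]


def active_hits(hits, paranoia_level):
    """Only rules at or below the configured tx.paranoia_level are evaluated."""
    return [h for h in hits if h[2] <= paranoia_level]


def anomaly_mode(hits, paranoia_level=1, threshold=INBOUND_ANOMALY_SCORE_THRESHOLD):
    """Sum the scores of all matching rules, then decide once (CRS3 default)."""
    score = sum(SEVERITY_SCORE[sev] for _rid, sev, _pl in active_hits(hits, paranoia_level))
    return score, ("deny 403" if score >= threshold else "pass")


def self_contained_mode(hits, paranoia_level=1):
    """Each matching rule acts immediately, so the first hit decides (CRS2 default)."""
    for rid, _sev, _pl in active_hits(hits, paranoia_level):
        return "deny 403 by rule %d" % rid
    return "pass"


if __name__ == "__main__":
    for pl in (1, 2, 3, 4):
        print("PL%d anomaly=%s self-contained=%s"
              % (pl, anomaly_mode(SAMPLE_HITS, pl), self_contained_mode(SAMPLE_HITS, pl)))
```

With these hits the request passes at paranoia level 1 (score 2) and is blocked from level 2 upwards (score 5 reaches the threshold), while self-contained mode blocks on the first notice-level hit at every level; that difference is why the anomaly threshold, not individual rules, is the first knob to tune against false positives.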

 


Doc

 

 
