# ------------------------------------------------------------------------ # OWASP CRS ver.4.24.0-dev # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2026 CRS project. All rights reserved. # # The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # This file is used in post processing after the response has been sent to # the client (in the logging phase). Its purpose is to provide inbound+outbound # correlation of events to provide a more intelligent designation as to the outcome # or result of the transaction - meaning, was this a successful attack? # # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # # Combine inbound and outbound scores SecAction \ "id:980099,\ phase:5,\ pass,\ t:none,\ nolog,\ noauditlog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.24.0-dev',\ setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\ setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\ setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\ setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\ setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\ setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'" # # -=[ Anomaly Score Reporting ]=- # # -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0) SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING" # -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater) SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" # -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0) SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING" # -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold) SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" # -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2) SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING" # -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold) SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" # -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3) SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING" # -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero) SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING" # -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4) SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING" # At this point, the reporting level is 4 and there's a non-zero detection # score (already established by rule 980043) so fall through to the reporting # rule. # Requests that land on the following SecMarker: # - At reporting level 5 (unconditional reporting) # - At reporting levels 1-4 when a blocking score exceeds a threshold # - At reporting levels 2-4 when a detection score exceeds a threshold # - At reporting levels 3-4 when the total blocking score is greater than zero # - At reporting level 4 when the total detection score is greater than zero SecMarker "LOG-REPORTING" # Inbound and outbound - all requests SecAction \ "id:980170,\ phase:5,\ pass,\ t:none,\ noauditlog,\ msg:'Anomaly Scores: \ (Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \ (Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \ (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\ tag:'reporting',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.24.0-dev'" SecMarker "END-REPORTING" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-RESPONSE-980-CORRELATION"