We have multiple options and we start with the simplest one: We exclude the rule at startup time for Apache.
We now add two Include directives into this section.
That was only a single request with a single alert.
It's the second-to-last value in the access log line.
The default is paranoia level 1, where the rules are quite sane and false alarms are rare.
If you are securing Nginx with ModSecurity, you will want the OWASP Core Rule Set (CRS) activated to protect against the following threats.
Particularly since the individual Core Rules increase the anomaly score, but they do not trigger a blockade.
Especially at higher paranoia levels, there are rules that just fail to work with some applications and trigger false alarms in all sorts of situations.
But it's perhaps necessary to explain the one-liners.
# ModSecurity Core Rules Inclusion
Include /apache/conf/crs/rules.conf
# ModSec Core Rules: Startup Time Rules Exclusions
#.
We define two thresholds in the unconditional rule 900110: the inbound anomaly score and the outbound anomaly score.
We will also be integrating the OWASP ModSecurity Core Rule Set (CRS).
Specifically, we need to find out about these numbers.
In fact, I provoked additional false alarms to give us something to look at.
Trojan protection, information leakage protection, Cross-Site Scripting attacks, SQL injection attacks.
We use ruleRemoveById as the control statement and apply it to rule ID 920300.
An important rule file.
Before the script can handle the scores, it describes how often an empty anomaly score has been found (empty incoming score).
Together with the empty scores, this is already covering.61 ( Sum of ).
These references can, for example, be used for analysis and statistics.
This depends on the SecRule statement running before the rule in question is applied.
But in production use, there are going to be false positives sooner or later.