# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.4
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------



# Uncomment the anomaly sections you wish to use.
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match.  If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20".  This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#

# Alert and Deny on High Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@ge 20" \
    "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"

# Alert on any anomalies
#
#SecRule TX:ANOMALY_SCORE "@ge 0" \
#    "phase:2,t:none,nolog,auditlog,pass,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"

# Alert on SQL Injection anomalies
#
#SecRule TX:SQLI_SCORE "@gt 0" \
#    "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"

# Alert on XSS anomalies
#
#SecRule TX:XSS_SCORE "!@eq 0" \
#    "phase:2,t:none,log,deny,msg:'XSS Detected (score %{TX.XSS_SCORE}): %{tx.msg}'"

# Alert on Protocol Policy anomalies
#
#SecRule TX:PROTOCOL_VIOLATION_SCORE "!@eq 0" \
#    "phase:2,t:none,log,deny,msg:'Protocol Violations Detected (score %{TX.PROTOCOL_VIOLATION_SCORE}): %{tx.msg}'"