Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set

Author: FlatKey

README.md

@@ -1738,6 +1738,10 @@ ${modsec\_dir}/activated\_rules.
 - `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off.
 - `inbound_anomaly_threshold`: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'.
 - `outbound_anomaly_threshold`: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'.
+- `critical_anomaly_score`: Sets the scoring points of the critical severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'.
+- `error_anomaly_score`: Sets the scoring points of the error severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'.
+- `warning_anomaly_score`: Sets the scoring points of the warning severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '3'.
+- `notice_anomaly_score`: Sets the scoring points of the notice severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '2'.
 
 ##### Class: `apache::mod::wsgi`
 

manifests/mod/security.pp

@@ -1,19 +1,23 @@
 class apache::mod::security (
-  $crs_package           = $::apache::params::modsec_crs_package,
-  $activated_rules       = $::apache::params::modsec_default_rules,
-  $modsec_dir            = $::apache::params::modsec_dir,
-  $modsec_secruleengine  = $::apache::params::modsec_secruleengine,
-  $audit_log_parts       = $::apache::params::modsec_audit_log_parts,
-  $secpcrematchlimit = $::apache::params::secpcrematchlimit,
+  $crs_package                = $::apache::params::modsec_crs_package,
+  $activated_rules            = $::apache::params::modsec_default_rules,
+  $modsec_dir                 = $::apache::params::modsec_dir,
+  $modsec_secruleengine       = $::apache::params::modsec_secruleengine,
+  $audit_log_parts            = $::apache::params::modsec_audit_log_parts,
+  $secpcrematchlimit          = $::apache::params::secpcrematchlimit,
   $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
-  $allowed_methods       = 'GET HEAD POST OPTIONS',
-  $content_types         = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
-  $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
-  $restricted_headers    = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
+  $allowed_methods            = 'GET HEAD POST OPTIONS',
+  $content_types              = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
+  $restricted_extensions      = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
+  $restricted_headers         = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
   $secdefaultaction           = 'deny',
   $anomaly_score_blocking     = 'off',
   $inbound_anomaly_threshold  = '5',
   $outbound_anomaly_threshold = '4',
+  $critical_anomaly_score     = '5',
+  $error_anomaly_score        = '4',
+  $warning_anomaly_score      = '3',
+  $notice_anomaly_score       = '2',
 ) inherits ::apache::params {
   include ::apache
 

templates/mod/security_crs.conf.erb

@@ -89,10 +89,10 @@ SecAction \
   "id:'900001', \
   phase:1, \
   t:none, \
-  setvar:tx.critical_anomaly_score=5, \
-  setvar:tx.error_anomaly_score=4, \
-  setvar:tx.warning_anomaly_score=3, \
-  setvar:tx.notice_anomaly_score=2, \
+  setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \
+  setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \
+  setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \
+  setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \
   nolog, \
   pass"