File: //usr/local/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf.off
# ------------------------------------------------------------------------
# OWASP CRS ver.4.17.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2025 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase). Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Combine inbound and outbound scores
SecAction \
"id:980099,\
phase:5,\
pass,\
t:none,\
nolog,\
noauditlog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.17.0-dev',\
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\
setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'"
#
# -=[ Anomaly Score Reporting ]=-
#
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-REPORTING"
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-REPORTING"
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-REPORTING"
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-REPORTING"
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:LOG-REPORTING"
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-REPORTING"
# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
# rule.
# Requests that land on the following SecMarker:
# - At reporting level 5 (unconditional reporting)
# - At reporting levels 1-4 when a blocking score exceeds a threshold
# - At reporting levels 2-4 when a detection score exceeds a threshold
# - At reporting levels 3-4 when the total blocking score is greater than zero
# - At reporting level 4 when the total detection score is greater than zero
SecMarker "LOG-REPORTING"
# Inbound and outbound - all requests
SecAction \
"id:980170,\
phase:5,\
pass,\
t:none,\
noauditlog,\
msg:'Anomaly Scores: \
(Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \
(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
tag:'reporting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.17.0-dev'"
SecMarker "END-REPORTING"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.17.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"