Description
Describe the bug
It seems to me there is a bug in how the variables tx.inbound_anomaly_score
is used.
The variable tx.inbound_anomaly_score
is only set if the condition TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}"
is fulfilled (see Rule 949110) or in case of reputation blocking but this is not relevant here as this might be disabled.
IMO this basically breaks Rule 980120. There, the condition is TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}"
.
The condition of Rule 949110 requires TX:ANOMALY_SCORE
to be larger than tx.inbound_anomaly_score_threshold
for TX:INBOUND_ANOMALY_SCORE
to be set. Rule 980120 requires TX:INBOUND_ANOMALY_SCORE
to be smaller than tx.inbound_anomaly_score_threshold
. But if TX:INBOUND_ANOMALY_SCORE
is smaller than tx.inbound_anomaly_score_threshold
it is likely unset.
The same is not the case for tx.outbound_anomaly_score
as it is calculated differently.
- CRS version (e.g., v3.2.0): v3.3.0