8000 Bug in how the variables `tx.inbound_anomaly_score` is used? · Issue #1896 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Bug in how the variables tx.inbound_anomaly_score is used? #1896
Closed
@studersi

Description

@studersi

Describe the bug

It seems to me there is a bug in how the variables tx.inbound_anomaly_score is used.

The variable tx.inbound_anomaly_score is only set if the condition TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" is fulfilled (see Rule 949110) or in case of reputation blocking but this is not relevant here as this might be disabled.

IMO this basically breaks Rule 980120. There, the condition is TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}".

The condition of Rule 949110 requires TX:ANOMALY_SCORE to be larger than tx.inbound_anomaly_score_threshold for TX:INBOUND_ANOMALY_SCORE to be set. Rule 980120 requires TX:INBOUND_ANOMALY_SCORE to be smaller than tx.inbound_anomaly_score_threshold. But if TX:INBOUND_ANOMALY_SCORE is smaller than tx.inbound_anomaly_score_threshold it is likely unset.

The same is not the case for tx.outbound_anomaly_score as it is calculated differently.

  • CRS version (e.g., v3.2.0): v3.3.0

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions

    0