HEX
Server: LiteSpeed
System: Linux spg20.cloudpowerdns.com 5.14.0-611.35.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Feb 25 03:46:09 EST 2026 x86_64
User: carrerup (3153)
PHP: 8.1.33
Disabled: NONE
Upload Files
File: //opt/bitninja-waf3/coreruleset/rules/RESPONSE-980-CORRELATION.conf
# ------------------------------------------------------------------------
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase).  Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

# Combine inbound and outbound scores
SecAction \
    "id:980099,\
    phase:5,\
    pass,\
    t:none,\
    nolog,\
    noauditlog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.1.0',\
    setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
    setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
    setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
    setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\
    setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
    setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'"

#
# -=[ Anomaly Score Reporting ]=-
#

# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"

# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"

# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"

# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"

# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"

# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"

# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"

# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"

# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"

# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
# rule.


# Requests that land on the following SecMarker:
# - At reporting level 5 (unconditional reporting)
# - At reporting levels 1-4 when a blocking score exceeds a threshold
# - At reporting levels 2-4 when a detection score exceeds a threshold
# - At reporting levels 3-4 when the total blocking score is greater than zero
# - At reporting level 4 when the total detection score is greater than zero
SecMarker "LOG-REPORTING"

# Inbound and outbound - all requests
SecAction \
    "id:980170,\
    phase:5,\
    pass,\
    t:none,\
    noauditlog,\
    msg:'Anomaly Scores: \
(Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \
(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
    tag:'reporting',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.1.0'"

SecMarker "END-REPORTING"


SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#



SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"