Chapter 13

Passive Response Actions

Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive.

—Sun Tzu in The Art of War

Passive response actions are any changes or actions made as a result of detection rules that the end user cannot directly perceive. These actions have no direct impact on the user or his or her web application session. These scenarios often are not severe enough to warrant any active or intrusive response actions. These responses may simply provide information to third-party systems or security personnel for further review.

Recipe 13-1: Tracking Anomaly Scores
This recipe shows you how to utilize anomaly scoring to track suspicious behavior across multiple requests.
Ingredients
  • ModSecurity
    • TX:ANOMALY_SCORE variable
    • IP:ANOMALY_SCORE variable
    • SESSION:ANOMALY_SCORE variable
    • @gt operator
    • @ge operator
    • @lt operator
    • setvar action
    • initcol action
    • setsid action
Per-Transaction Anomaly Scores
Many detection recipes in Part II showed examples of using transactional anomaly scores. This is done by using the ModSecurity setvar action to increment the anomaly_score variable in the transient TX collection. Here is an example taken from the modsecurity_crs_41_sql_injection.conf file:
#
# -=[ SQL Tautologies ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "(?i:([\s'\"'´''\(\)]*)([\d\w]++)([\s'\"'´''\(\)]*)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"'´''\(\)]*)\2|(?:!=|<=|>=|<>|<|>|\^|is ...
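The following is an added example, not taken from the book or from the Core Rule Set, showing how the transient TX score built up by detection rules can be rolled into the persistent IP and SESSION collections and then used for a purely passive response (an audit-log entry, nothing the client can perceive). It assumes ModSecurity 2.x rule syntax, a PHPSESSID session cookie, and rule ids in the 9001xx range chosen only for illustration.

```apache
# Added example (assumed ModSecurity 2.x syntax; ids and cookie name are illustrative).

# Phase 1: open the persistent IP collection, keyed on the client address.
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: bind the SESSION collection to the application's session cookie
# whenever one is present.
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "phase:1,id:900101,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"

# Phase 2: detection rules only raise the transient TX score; they never block.
SecRule ARGS "@rx (?i:union\s+select)" \
    "phase:2,id:900102,pass,nolog,msg:'SQLi keyword',setvar:tx.anomaly_score=+5"
SecRule ARGS "@rx (?i:<script)" \
    "phase:2,id:900103,pass,nolog,msg:'XSS tag',setvar:tx.anomaly_score=+5"

# Phase 5 (logging): fold this transaction's score into the IP and SESSION
# collections so it accumulates across requests, and let it expire after an hour.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "phase:5,id:900104,pass,nolog,\
    setvar:ip.anomaly_score=+%{tx.anomaly_score},\
    expirevar:ip.anomaly_score=3600,\
    setvar:session.anomaly_score=+%{tx.anomaly_score},\
    expirevar:session.anomaly_score=3600"

# Phase 5: passive response. Once the cumulative per-IP score reaches the
# threshold, write an audit-log record for analysts; the response to the
# client is unchanged.
SecRule IP:ANOMALY_SCORE "@ge 20" \
    "phase:5,id:900105,pass,log,auditlog,\
    msg:'Cumulative IP anomaly score %{ip.anomaly_score} reached threshold',\
    tag:'passive-response'"
```

Because every rule uses pass, four low-scoring requests from one address (5 points each) trigger the audit record on the fourth request without any of them being disrupted; the same pattern applies to SESSION:ANOMALY_SCORE once setsid has bound the session.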
