GotRoot rules and Anomaly Scoring mode

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
jags15
Forum User
Posts: 5
Joined: Mon Jun 01, 2015 3:12 pm
Location: UK

GotRoot rules and Anomaly Scoring mode

Unread post by jags15 »

Hi all

I am new to Atomicorp products. I have the GotRoot rules subscription and I think the rules and AUM are brilliant. It makes the whole process much easier and lets me concentrate on looking at the alerts.

Is it possible to put AUM into Anomaly Scoring mode?

In case Atomicorp calls it something else, what I'm after is for the scores of individual rules to be counted up at the end of the transaction. Ultimately I am interested in seeing any "Outbound" rules or Data Leakage rules firing. I've already made the small and easy change of putting AUM into SecRuleEngine DetectionOnly. Hopefully I haven't missed anything obvious. I've had a search on the forum and not seen any hits.

Thanks again for a great product. Regards

Jag
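For readers who want to see what the question is describing, this is the generic ModSecurity 2.x anomaly-scoring pattern: individual rules only add to a transaction-scoped counter, and a final rule per phase compares the counter against a threshold. It is an added illustration written for this thread, not code from Atomicorp's AUM or the GotRoot feed; the rule ids, detection patterns and thresholds are placeholders chosen for the example.

```apache
# Constructed example: minimal anomaly-scoring skeleton for ModSecurity 2.x.
# Rule ids 900001-900006 are placeholders; use ids from a range you own.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json

# Phase 1: zero the per-transaction counters
SecAction "id:900001,phase:1,pass,nolog,t:none,\
  setvar:'tx.inbound_anomaly_score=0',\
  setvar:'tx.outbound_anomaly_score=0'"

# Inbound rules only raise the score (pass, not deny)
SecRule ARGS "@rx (?i)\.\./" \
  "id:900002,phase:2,pass,t:none,t:urlDecodeUni,log,\
  msg:'Path traversal sequence in argument',\
  setvar:'tx.inbound_anomaly_score=+5'"

# Outbound / data-leakage rules inspect the response body in phase 4
SecRule RESPONSE_BODY "@rx (?i)root:x:0:0:" \
  "id:900003,phase:4,pass,t:none,log,\
  msg:'Unix passwd file content in response',\
  setvar:'tx.outbound_anomaly_score=+4'"

SecRule RESPONSE_BODY "@rx (?i)(ORA-\d{5}|You have an error in your SQL syntax)" \
  "id:900004,phase:4,pass,t:none,log,\
  msg:'Database error message leaked in response',\
  setvar:'tx.outbound_anomaly_score=+4'"

# Final evaluation: rules run in file order, so these sit last in their phase.
# Under DetectionOnly the deny is logged but not enforced.
SecRule TX:INBOUND_ANOMALY_SCORE "@ge 5" \
  "id:900005,phase:2,deny,status:403,log,t:none,\
  msg:'Inbound anomaly score %{tx.inbound_anomaly_score} reached threshold'"

SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge 4" \
  "id:900006,phase:4,deny,status:403,log,t:none,\
  msg:'Outbound anomaly score %{tx.outbound_anomaly_score} reached threshold'"
```

Because the scoring rules use pass, a single low-value match never blocks on its own; only the summed score at the phase-2 and phase-4 checks does, which is the behaviour the question asks about.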
jags15
Forum User
Posts: 5
Joined: Mon Jun 01, 2015 3:12 pm
Location: UK

Re: GotRoot rules and Anomaly Scoring mode

Unread post by jags15 »

A polite bump, in the hope anyone has some insight to offer.
Thanks
scott
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: GotRoot rules and Anomaly Scoring mode

Unread post by scott »

Not in that WAF component directly. In ASL we do make use of anomaly detection in the Threat Intelligence system, the locality-sensitive malware upload engine, and the event analysis module.

In a big-picture sort of way, we rely on the WAF to do what it's good at: make very good observations about a stateless event (in IDS speak, we call this an "atomic" event, meaning one or single; a total coincidence with the Atomicorp name). Anomaly detection in the IDS world is built on the foundation of analyzing complex or comprehensive events/sources to make a determination. WAFs are good at coming up with really high-quality atomic events for something else to do that complex analysis on.
jags15
Forum User
Posts: 5
Joined: Mon Jun 01, 2015 3:12 pm
Location: UK

Re: GotRoot rules and Anomaly Scoring mode

Unread post by jags15 »

Thanks Scott, that makes sense.