fix: use correct variables for anomaly scoring

EsadCetiner · web-flow · commit 55daa7b0e9de · 2025-06-17T20:13:41.000+10:00
diff --git a/plugins/referer-hardening-before.conf b/plugins/referer-hardening-before.conf
@@ -51,7 +51,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^$" \
 SecRule REQUEST_HEADERS:Referer "!@rx (?i)^(?:[a-z][a-z0-9+-.]*://|/|about:blank$)" \
     "id:9524110,\
     phase:2,\
-    pass,\
+    block,\
     t:none,\
     msg:'Invalid Referer header',\
     logdata:'%{MATCHED_VAR}',\
@@ -64,13 +64,13 @@ SecRule REQUEST_HEADERS:Referer "!@rx (?i)^(?:[a-z][a-z0-9+-.]*://|/|about:blank
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Fragment component check.
 SecRule REQUEST_HEADERS:Referer "@contains #" \
     "id:9524120,\
     phase:2,\
-    pass,\
+    block,\
     t:none,\
     msg:'Fragment component found within Referer header',\
     logdata:'%{MATCHED_VAR}',\
@@ -83,13 +83,13 @@ SecRule REQUEST_HEADERS:Referer "@contains #" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Userinfo component check.
 SecRule REQUEST_HEADERS:Referer "@rx (?i)^[a-z][a-z0-9+-.]*://[^/]*@" \
     "id:9524130,\
     phase:2,\
-    pass,\
+    block,\
     t:none,\
     msg:'Userinfo component found within Referer header',\
     logdata:'%{MATCHED_VAR}',\
@@ -102,7 +102,7 @@ SecRule REQUEST_HEADERS:Referer "@rx (?i)^[a-z][a-z0-9+-.]*://[^/]*@" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Parse URL components (only for non-empty, non-relative referers).
 SecRule REQUEST_HEADERS:Referer "@rx (?i)^[a-z][a-z0-9+-.]*://(?:[^/]*@)?([^/:]+)(?::([^/]+))?([^?]+)?(?:\?(.+))?$" \
@@ -127,7 +127,7 @@ SecRule REQUEST_HEADERS:Referer "@rx (?i)^[a-z][a-z0-9+-.]*://(?:[^/]*@)?([^/:]+
 SecRule REQUEST_HEADERS:Referer "@rx (?i)^data:" \
     "id:9524150,\
     phase:2,\
-    pass,\
+    block,\
     capture,\
     t:none,\
     msg:'Data URI detected in Referer header',\
@@ -141,12 +141,12 @@ SecRule REQUEST_HEADERS:Referer "@rx (?i)^data:" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:referer-hardening-plugin_domain_name "@gt 253" \
     "id:9524160,\
     phase:2,\
-    pass,\
+    block,\
     capture,\
     t:none,t:length,\
     msg:'Domain name within Referer header is too long',\
@@ -160,12 +160,12 @@ SecRule TX:referer-hardening-plugin_domain_name "@gt 253" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:referer-hardening-plugin_domain_name "!@rx (?i)^[a-z0-9\-.]+$" \
     "id:9524170,\
     phase:2,\
-    pass,\
+    block,\
     capture,\
     t:none,\
     msg:'Invalid domain name within Referer header',\
@@ -179,12 +179,12 @@ SecRule TX:referer-hardening-plugin_domain_name "!@rx (?i)^[a-z0-9\-.]+$" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:referer-hardening-plugin_port "!@rx ^$" \
     "id:9524180,\
     phase:2,\
-    pass,\
+    block,\
     capture,\
     t:none,\
     msg:'Invalid port within Referer header',\
@@ -200,12 +200,12 @@ SecRule TX:referer-hardening-plugin_port "!@rx ^$" \
     chain"
     SecRule TX:referer-hardening-plugin_port "!@rx ^[0-9]+$" \
         "setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:referer-hardening-plugin_port "@gt 65535" \
     "id:9524190,\
     phase:2,\
-    pass,\
+    block,\
     capture,\
     t:none,\
     msg:'Invalid port within Referer header',\
@@ -219,7 +219,7 @@ SecRule TX:referer-hardening-plugin_port "@gt 65535" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecMarker "END-REFERER-HARDENING-PLUGIN-PL1"
 
@@ -237,7 +237,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:9524014,phase:2,pass,nolog,ver:'
 SecRule REQUEST_HEADERS:Referer "@rx ^$" \
     "id:9524200,\
     phase:2,\
-    pass,\
+    block,\
     t:none,\
     msg:'Empty Referer header',\
     tag:'application-multi',\
@@ -249,7 +249,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^$" \
     ver:'referer-hardening-plugin/1.0.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
