­
OWASP ModSecurity Core Rule Set (CRS): (3) – The Anomaly Scoring Advantage | Christian Folini - All Articles - CISO Platform

All Articles

OWASP ModSecurity Core Rule Set (CRS): (3) – The Anomaly Scoring Advantage | Christian Folini

Posted by Biswajit Banerjee on March 31, 2025 at 8:29pm in Blog
OWASP ModSecurity Core Rule Set (CRS): (3) – The Anomaly Scoring Advantage | Christian Folini

Imagine walking into a crowded airport where security checks every bag. Some bags trigger an alert and are flagged. Security pauses and asks: “Is this dangerous or just an innocent traveler carrying metal in their pockets?” Now, picture this in the digital world. Every web request is like a passenger, and anomaly scoring in ModSecurity Core Rule Set (CRS) is the sharp-eyed security guard deciding what goes through and what gets stopped.

 

 

What Is Anomaly Scoring?

Most Web Application Firewalls (WAFs) act like traffic lights. They give a simple go or stop. Good traffic passes, and bad traffic gets blocked. But anomaly scoring changes the game. Instead of saying “block” or “allow” based on one rule, it looks at everything happening.

  • Every detection rule adds a score.

  • Higher scores mean more suspicious activity.

  • Once the score crosses a threshold, action is taken.

Why This Matters

Blocking or allowing traffic based on one event is risky. False positives pile up. The system gets overwhelmed. The result? Legitimate requests get flagged, and attackers sneak through. Anomaly scoring adds layers. It looks at multiple signals before deciding. This makes it easier to manage false positives while keeping the bad guys out.

 

Breaking Down the Anomaly Scoring Process

Here’s how it unfolds:

 

1. Detection Before Blocking

Anomaly scoring separates detection from blocking. It gives time to analyze before stopping traffic. Hundreds of rules inspect requests and assign scores.

  • SQL injections? +5 points.

  • XSS attempts? Another +5.

  • More hits? The score goes up.

2. Threshold Control

Each request starts at zero. As suspicious activity is detected, the score builds. Once it crosses a defined threshold (let’s say 15), ModSecurity decides whether to block or allow it.

  • Below threshold: Pass.

  • Above threshold: Block.

The False Positive Problem

Here’s where things get tricky. When moving to production, many choose to start in monitoring mode. It’s like watching traffic but not stopping anything. This helps catch false positives. But when those pile up? It’s overwhelming. Imagine sorting through 100,000 alerts just to figure out what's real.

Anomaly scoring solves this. It lets security teams refine and fine-tune thresholds without blocking legitimate traffic.

 

A Smarter Way to Fine-Tune Security

1. Start High, Lower Gradually

Think of anomaly scoring like adjusting the volume on a speaker. You don’t start with it blaring at full blast.

  • Day 1: Start at a very high threshold—say 10,000.

  • Slowly reduce it over time, perhaps to 100.

  • Each step reveals patterns and reduces false positives.

2. Iterative Tuning

With every iteration, it’s easier to see the troublemakers. Fine-tuning means looking at requests scoring 100 or higher, analyzing what triggered them, and adjusting accordingly.

 

3. Reduce Thresholds in Phases

Drop the threshold step by step:

  • From 10,000 to 100.

  • From 100 to 50.

  • Gradually, down to 5.

At 20, real security kicks in. Real attacks get blocked while false positives drop.

 

The Power of Small Wins

Every time the threshold drops, more false positives disappear. By focusing on the highest-scoring requests, the team clears the noise.

  • 80% of false positives get handled in the first iteration.

  • By the time the threshold hits 20, critical attacks are blocked.

Trust Through Iteration

Anomaly scoring isn’t just about blocking attacks. It’s about building confidence in your system. Step by step, thresholds lower, but the system stays stable. Nobody calls the helpdesk screaming about broken forms or blocked registrations.

  • Iteration 1: Big wins.

  • Iteration 2: Sharper controls.

  • Iteration 3: Real security with fewer false alarms.

Why Anomaly Scoring Is a Game-Changer

1. Flexibility in Production

You’re not guessing. The system learns as it goes. Traffic is analyzed, refined, and adjusted to protect real users without breaking functionality.

2. Lower Risk, Higher Accuracy

False positives go down. Real attacks get caught. Everyone wins.

3. Human-Centric Approach

Instead of relying solely on machines, anomaly scoring empowers security teams to fine-tune and iterate over time.

 

Getting to the Finish Line

The goal? A crisp, sharp system where one bad request triggers a block. The path to get there isn’t immediate but careful and measured. It takes about 4-6 iterations before reaching this optimal state.

  • Confidence grows with every phase.

  • False positives shrink.

  • The system becomes an invisible shield, protecting without interfering.

Final Thoughts

Anomaly scoring is not magic. It’s a well-defined, practical approach to securing web applications. By analyzing requests, assigning scores, and adjusting thresholds gradually, organizations gain better protection without upsetting users.

So, next time you think about web application security, remember: it’s not just about stopping the bad. It’s about learning, adjusting, and growing stronger—just like anomaly scoring does, step by step.

Join CISO Platform — the CyberSecurity Community
Gain exclusive insights from top security professionals and access cutting-edge research.
Join Now

By: Christian Folini (Teacher and Security Engineer, Partner, Netnea.com)

Views: 20
Tags: owasp, anomaly scoring, modsecurity, christian folini
E-mail me when people leave their comments –
Follow

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

City Round Table Meetup - Mumbai, Bangalore, Delhi, Chennai, Pune, Kolkata

Apr 15, 2025 at 8:00am to May 15, 2025 at 10:00am UTC+5.5
India
  • Description:
    CISO Playbook Round Table Overview : 
    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology Implementation: From…
  • Created by: Biswajit Banerjee
  • Tags: ciso, playbook, round table

CISO Cocktail Reception At RSAConference, San Francisco 2025 !

Apr 29, 2025 from 5:45pm to 9:00pm PDT
San Francisco, America
  • Description:

    We are thrilled to invite you to the CISO Cocktail Reception At RSA Conference San Francisco 2025 !

    The yacht party is hosted by EC-Council, with CISO Platform and FireCompass serving as community partners.

    Event Details : 

    • Date: Tuesday, April 29th, 2025
    • Location: Docking from SF/China Basin
    • Time: Boarding at 5:45 PM | Cruise: 6:00 - 9:00 PM

    Agenda : 

    • Premium…
  • Created by: Biswajit Banerjee
  • Tags: ciso, usa, san francisco, rsaconference 2025

Round Table Dubai 2025 | GISEC

May 8, 2025 from 6:00pm to 9:00pm UTC+04
Dubai
  • Description:
    CISO Playbook Round Table Overview : 

    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology…
  • Created by: Biswajit Banerjee