All Articles

OWASP ModSecurity Core Rule Set (CRS): (3) – The Anomaly Scoring Advantage | Christian Folini

Posted by Biswajit Banerjee on March 31, 2025 at 8:29pm in Blog
OWASP ModSecurity Core Rule Set (CRS): (3) – The Anomaly Scoring Advantage | Christian Folini

Imagine walking into a crowded airport where security checks every bag. Some bags trigger an alert and are flagged. Security pauses and asks: “Is this dangerous or just an innocent traveler carrying metal in their pockets?” Now, picture this in the digital world. Every web request is like a passenger, and anomaly scoring in ModSecurity Core Rule Set (CRS) is the sharp-eyed security guard deciding what goes through and what gets stopped.

 

 

What Is Anomaly Scoring?

Most Web Application Firewalls (WAFs) act like traffic lights. They give a simple go or stop. Good traffic passes, and bad traffic gets blocked. But anomaly scoring changes the game. Instead of saying “block” or “allow” based on one rule, it looks at everything happening.

  • Every detection rule adds a score.

  • Higher scores mean more suspicious activity.

  • Once the score crosses a threshold, action is taken.

Why This Matters

Blocking or allowing traffic based on one event is risky. False positives pile up. The system gets overwhelmed. The result? Legitimate requests get flagged, and attackers sneak through. Anomaly scoring adds layers. It looks at multiple signals before deciding. This makes it easier to manage false positives while keeping the bad guys out.

 

Breaking Down the Anomaly Scoring Process

Here’s how it unfolds:

 

1. Detection Before Blocking

Anomaly scoring separates detection from blocking. It gives time to analyze before stopping traffic. Hundreds of rules inspect requests and assign scores.

  • SQL injections? +5 points.

  • XSS attempts? Another +5.

  • More hits? The score goes up.

2. Threshold Control

Each request starts at zero. As suspicious activity is detected, the score builds. Once it crosses a defined threshold (let’s say 15), ModSecurity decides whether to block or allow it.

  • Below threshold: Pass.

  • Above threshold: Block.

The False Positive Problem

Here’s where things get tricky. When moving to production, many choose to start in monitoring mode. It’s like watching traffic but not stopping anything. This helps catch false positives. But when those pile up? It’s overwhelming. Imagine sorting through 100,000 alerts just to figure out what's real.

Anomaly scoring solves this. It lets security teams refine and fine-tune thresholds without blocking legitimate traffic.

 

A Smarter Way to Fine-Tune Security

1. Start High, Lower Gradually

Think of anomaly scoring like adjusting the volume on a speaker. You don’t start with it blaring at full blast.

  • Day 1: Start at a very high threshold—say 10,000.

  • Slowly reduce it over time, perhaps to 100.

  • Each step reveals patterns and reduces false positives.

2. Iterative Tuning

With every iteration, it’s easier to see the troublemakers. Fine-tuning means looking at requests scoring 100 or higher, analyzing what triggered them, and adjusting accordingly.

 

3. Reduce Thresholds in Phases

Drop the threshold step by step:

  • From 10,000 to 100.

  • From 100 to 50.

  • Gradually, down to 5.

At 20, real security kicks in. Real attacks get blocked while false positives drop.

 

The Power of Small Wins

Every time the threshold drops, more false positives disappear. By focusing on the highest-scoring requests, the team clears the noise.

  • 80% of false positives get handled in the first iteration.

  • By the time the threshold hits 20, critical attacks are blocked.

Trust Through Iteration

Anomaly scoring isn’t just about blocking attacks. It’s about building confidence in your system. Step by step, thresholds lower, but the system stays stable. Nobody calls the helpdesk screaming about broken forms or blocked registrations.

  • Iteration 1: Big wins.

  • Iteration 2: Sharper controls.

  • Iteration 3: Real security with fewer false alarms.

Why Anomaly Scoring Is a Game-Changer

1. Flexibility in Production

You’re not guessing. The system learns as it goes. Traffic is analyzed, refined, and adjusted to protect real users without breaking functionality.

2. Lower Risk, Higher Accuracy

False positives go down. Real attacks get caught. Everyone wins.

3. Human-Centric Approach

Instead of relying solely on machines, anomaly scoring empowers security teams to fine-tune and iterate over time.

 

Getting to the Finish Line

The goal? A crisp, sharp system where one bad request triggers a block. The path to get there isn’t immediate but careful and measured. It takes about 4-6 iterations before reaching this optimal state.

  • Confidence grows with every phase.

  • False positives shrink.

  • The system becomes an invisible shield, protecting without interfering.

Final Thoughts

Anomaly scoring is not magic. It’s a well-defined, practical approach to securing web applications. By analyzing requests, assigning scores, and adjusting thresholds gradually, organizations gain better protection without upsetting users.

So, next time you think about web application security, remember: it’s not just about stopping the bad. It’s about learning, adjusting, and growing stronger—just like anomaly scoring does, step by step.

Join CISO Platform — the CyberSecurity Community
Gain exclusive insights from top security professionals and access cutting-edge research.
Join Now

By: Christian Folini (Teacher and Security Engineer, Partner, Netnea.com)

Views: 195
Tags: owasp, anomaly scoring, modsecurity, christian folini
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by Biswajit Banerjee

Community Manager, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

Jun 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
Virtual
  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

6 City Round Table On "New Guidelines & CISO Priorities for 2025" (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

Dec 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
India
  • Description:

    We are pleased to invite you to an exclusive roundtable series hosted by CISO Platform in partnership with FireCompass. The roundtable will focus on "New Guidelines & CISO Priorities for 2025"

    Date: December 1st - December 31st 2025

    Venue: Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata

    >> Register Here

  • Created by: Biswajit Banerjee

Fireside Chat With Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.)

Jan 10, 2026 from 4:30pm to 5:00pm
Online
  • Description:

    We’re excited to bring you an insightful fireside chat with Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.) and Erik Laird (Vice President - North America, FireCompass). 

    About Sandro:

    Sandro Bucchianeri is an award-winning global cybersecurity leader with over 25…

  • Created by: Biswajit Banerjee
  • Tags: ciso, sandro bucchianeri, nab