{"id":951,"date":"2016-10-11T09:20:37","date_gmt":"2016-10-11T07:20:37","guid":{"rendered":"http:\/\/www.netnea.com\/cms\/?page_id=951"},"modified":"2026-01-22T08:57:11","modified_gmt":"2026-01-22T07:57:11","slug":"apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set","status":"publish","type":"page","link":"https:\/\/www.netnea.com\/cms\/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set\/","title":{"rendered":"Handling False Positives with the OWASP ModSecurity Core Rule Set"},"content":{"rendered":"\n<h2 id=\"handling-false-positives-with-the-owasp-modsecurity-core-rule-set\">Handling False Positives with the OWASP ModSecurity Core Rule Set<\/h2>\n<p><strong>This tutorial is currently undergoing the transition from CRS3 to CRS4; some things may fail to work as advertised. Christian Folini 2026-01-22<\/strong><\/p>\n<h3 id=\"what-are-we-doing\">What are we doing?<\/h3>\n<p>We will take a vanilla installation of the <em>OWASP ModSecurity Core Rule Set<\/em> (CRS) troubled by a large number of false positives and tune away the unwelcome alarms, so we get a clearer view of the real attackers.<\/p>\n<h3 id=\"why-are-we-doing-this\">Why are we doing this?<\/h3>\n<p>A fresh installation of the CRS will typically have some false alarms. In some cases, namely at higher paranoia levels, there can be thousands of them. In the <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-7_including-modsecurity-core-rules\/\">previous tutorial<\/a>, we saw a number of approaches for suppressing individual false alarms with the help of rule exclusions. What we\u2019re missing is a strategy for coping with false alarms at scale, and this tutorial will show you one. Obviously, reducing the number of false alarms is the prerequisite for lowering the CRS anomaly threshold and this, in turn, is required in order to use <em>ModSecurity<\/em> to actually ward off attackers. 
And only after the false alarms really are disabled, or at least curtailed to a large extent, do we get a clear picture of the real attackers.<\/p>\n<p>During the tutorial we will also learn to use a handy tool that will assist you with the writing of rule exclusions.<\/p>\n<h3 id=\"requirements\">Requirements<\/h3>\n<ul>\n<li>An Apache web server, ideally one created using the file structure shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-1_compiling-apache\/\">Tutorial 1 (Compiling an Apache web server)<\/a>.<\/li>\n<li>Understanding of the minimal configuration from <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-2_minimal-apache-configuration\/\">Tutorial 2 (Configuring a minimal Apache server)<\/a>.<\/li>\n<li>An Apache web server with SSL\/TLS support as shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-4_configuring-ssl-tls\/\">Tutorial 4 (Configuring an SSL server)<\/a>.<\/li>\n<li>An Apache web server with extended access log as shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-5\/apache-tutorial-5_extending-access-log\/\">Tutorial 5 (Extending and analyzing the access log)<\/a>.<\/li>\n<li>An Apache web server with ModSecurity as shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-6\/apache-tutorial-6_embedding-modsecurity\/\">Tutorial 6 (Embedding ModSecurity)<\/a>.<\/li>\n<li>An Apache web server with the Core Rule Set, as shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-7_including-modsecurity-core-rules\/\">Tutorial 7 (Including the Core Rule Set)<\/a><\/li>\n<\/ul>\n<p>There is no point in learning to fight false positives on a lab server without traffic. What you need is a real set of false alarms. I have prepared a script that performs 10,000 requests against a host. The requests are extracted from a browser session and transformed into curl requests so you can run them easily. 
When used against CRS v3.3.2, you will get exactly the alerts this tutorial is based on.<\/p>\n<p>If you do not want to run the script yourself, then you can also download the example logs from my run.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.netnea.com\/files\/10K-traffic-generator.sh\">10K-traffic-generator.sh<\/a><\/li>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-access.log\">tutorial-8-example-access.log<\/a><\/li>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-error.log\">tutorial-8-example-error.log<\/a><\/li>\n<\/ul>\n<p>How did I arrive at this traffic generator script? After all, it is difficult to provide real production logs for an exercise due to all the sensitive data in the logs. So, I went and created false positives from scratch in my browser. With the Core Rule Set 2.2.x, this would have been simple, but with the 3.3 release (3.3.2 to be exact), most of the false positives in the default install are now gone. What I did was set the CRS to Paranoia Level 4 and then install a local Drupal site. Afterwards, I published a couple of articles about SQL injections and then read the articles in the browser, combined with the casual search for individual SQL statements. And this I repeated up to 10,000 requests. All very harmless in reality, but very alarming for CRS.<\/p>\n<p>Drupal and the core rules are not really in a loving relationship. Whenever the two software packages meet, they tend to have a falling out with each other, since CRS is so pedantic and Drupal\u2019s habit of having square brackets in parameter names drives CRS crazy. 
However, the default CRS3 installation at Paranoia Level 1 and especially the optional Drupal rule exclusion package (see the <code>crs-setup.conf<\/code> file and <a href=\"https:\/\/www.netnea.com\/cms\/2016\/11\/22\/securing-drupal-with-modsecurity-and-the-core-rule-set-crs3\/\">this blog post<\/a> for details) ward off almost all of the remaining false positives with a core Drupal installation.<\/p>\n<p>But things look completely different when you do not use these exclusion rules. And if you raise the Paranoia Level to 4, you will get plenty of false positives. For the 10,000 requests in my test run, I received over 28,000 false alarms and I expect the same number for your setup. That should do for a training session.<\/p>\n<h3 id=\"step-1-defining-a-policy-to-fight-false-positives\">Step 1: Defining a Policy to Fight False Positives<\/h3>\n<p>The problem with false positives is they can flood you like an avalanche and you won\u2019t know where to start to clean up. What you need is a plan and there is no official documentation proposing one. So here we go: This is my recommended approach to fighting false alarms:<\/p>\n<ul>\n<li>Always work in blocking mode<\/li>\n<li>Highest scoring requests go first<\/li>\n<li>Work in several iterations<\/li>\n<\/ul>\n<p>What does that mean? The default installation comes in blocking mode and with an anomaly threshold of 5 for the requests. This is a very good configuration, but it\u2019s an overambitious start on an existing production server. The risk is that a false positive raises an alarm, the wrong customer is affected, a phone call to a manager ensues and you are forced to switch off the Web Application Firewall immediately. In many installations I have seen, this was the end of the story.<\/p>\n<p>Don\u2019t let a badly tuned system catch you like this. Instead, start with a high threshold for the anomaly score on a new installation to test the water. 
Let\u2019s say 10,000 for the requests and also 10,000 for the responses for symmetry\u2019s sake (in practice, the responses do not score very high). That way no customer is ever going to be blocked, while you get reports of false alarms and enough time to weed them out.<\/p>\n<p>If you have a proper testing program, this is all performed during an extensive testing phase, so the service never hits production without a strict configuration. But if you start with ModSecurity on an existing production service, starting out with a high threshold in production is the preferred method with minimal interruption to existing customers (zero impact, if you work diligently).<\/p>\n<p>The problem with integrating ModSecurity in production is the fact that false positives and real alarms are intermixed. In order to tune your installation, you need to separate the two groups to really work on the false positives alone. This is not always easy. Manual review helps, restricting to known IP addresses, pre-authentication, testing\/tuning on a test system separated from the internet, filtering the access log by country of origin for the IP address, etc\u2026 It\u2019s a large topic and making general recommendations is difficult. But please do take this seriously. Years ago, I demonstrated the exclusion of a false positive in a workshop &#8211; and the example alarm I used turned out to be a real attack. Needless to say, I learned my lesson.<\/p>\n<p>There is another question that we need to get out of the way: Doesn\u2019t disabling rules actually lower the security of the site? Yes it does, but we need to keep things in perspective. In an ideal setup, all rules would be intact, the paranoia level would be very high (thus over 200 rules in place) and the anomaly limit very low. Still, the application would run without any problems or false alarms. This sounds too good to be true because in practice, this won\u2019t work outside of the rarest of cases. 
If we raise the anomaly threshold, then the alerts are still there, but the attackers are no longer affected. If we reduce the paranoia level, we disable dozens of rules with one setting. If we talk to the developers about changing their software so that the false positives go away, we spend a lot of time arguing without much chance of success (at least in my experience). So disabling a single rule from a set of 200 rules is the best of all the bad solutions. The worst of all the bad solutions would be to disable ModSecurity altogether. And this outcome is very real in many organizations absent tangible results in terms of security. So I would rather disable individual rules based on a false positive than run the risk of being forced to kill the WAF.<\/p>\n<h3 id=\"step-2-getting-an-overview\">Step 2: Getting an Overview<\/h3>\n<p>The character of the application, the paranoia level and the amount of traffic all influence the number of false positives you get in your logs. In the first run, a couple of thousand or one hundred thousand requests will do. Once you have that in your access log, it\u2019s time to take a look. Let\u2019s get an overview of the situation: Let\u2019s look at the example logs!<\/p>\n<p>There is the ModSecurity Audit log of course, but I rarely look at it unless I have a very specific interest. For most of the cases, the ModSecurity alert message in the error log is all I need. But this is not where I start. Let\u2019s look at the access log first. We defined the log format in a way that gives us the anomaly scores for every request and that\u2019s exactly what we will be using at this stage.<\/p>\n<p>In the previous tutorial, we used the script <a href=\"https:\/\/www.netnea.com\/files\/modsec-positive-stats.rb\">modsec-positive-stats.rb<\/a>. 
We return to this script with the example access log as the source and the alias <code>alscores<\/code> that is part of the alias package introduced in tutorial number 5; it extracts the incoming and outgoing anomaly score of a request, separated by a semicolon:<\/p>\n<div class=\"sourceCode\" id=\"cb1\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb1-1\"><a href=\"#cb1-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-access.log <span class=\"kw\">|<\/span> <span class=\"ex\">alscores<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">modsec-positive-stats.rb<\/span><\/span>\n<span id=\"cb1-2\"><a href=\"#cb1-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. <span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb1-3\"><a href=\"#cb1-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of incoming req. (total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb1-4\"><a href=\"#cb1-4\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-5\"><a href=\"#cb1-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. 
incoming score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb1-6\"><a href=\"#cb1-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   0 <span class=\"kw\">|<\/span>   <span class=\"ex\">5014<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">49.8601%<\/span><\/span>\n<span id=\"cb1-7\"><a href=\"#cb1-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   1 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">49.8601%<\/span><\/span>\n<span id=\"cb1-8\"><a href=\"#cb1-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   2 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">49.8601%<\/span><\/span>\n<span id=\"cb1-9\"><a href=\"#cb1-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   3 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">49.8601%<\/span><\/span>\n<span id=\"cb1-10\"><a href=\"#cb1-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   4 <span 
class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">50.1399%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">49.8601%<\/span><\/span>\n<span id=\"cb1-11\"><a href=\"#cb1-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   5 <span class=\"kw\">|<\/span>   <span class=\"ex\">3562<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">35.6200%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2401%<\/span><\/span>\n<span id=\"cb1-12\"><a href=\"#cb1-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   6 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2401%<\/span><\/span>\n<span id=\"cb1-13\"><a href=\"#cb1-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   7 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2401%<\/span><\/span>\n<span id=\"cb1-14\"><a href=\"#cb1-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   8 <span class=\"kw\">|<\/span>      <span class=\"ex\">1<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2300%<\/span><\/span>\n<span id=\"cb1-15\"><a href=\"#cb1-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   9 <span class=\"kw\">|<\/span>   
   <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2300%<\/span><\/span>\n<span id=\"cb1-16\"><a href=\"#cb1-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  10 <span class=\"kw\">|<\/span>      <span class=\"ex\">2<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0200%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-17\"><a href=\"#cb1-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  11 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-18\"><a href=\"#cb1-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  12 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-19\"><a href=\"#cb1-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  13 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-20\"><a href=\"#cb1-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  14 <span class=\"kw\">|<\/span>      <span 
class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-21\"><a href=\"#cb1-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  15 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-22\"><a href=\"#cb1-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  16 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-23\"><a href=\"#cb1-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  17 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-24\"><a href=\"#cb1-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  18 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-25\"><a href=\"#cb1-25\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  19 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> 
<span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">85.7899%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">14.2101%<\/span><\/span>\n<span id=\"cb1-26\"><a href=\"#cb1-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  20 <span class=\"kw\">|<\/span>     <span class=\"ex\">41<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.4100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8001%<\/span><\/span>\n<span id=\"cb1-27\"><a href=\"#cb1-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  21 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8001%<\/span><\/span>\n<span id=\"cb1-28\"><a href=\"#cb1-28\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  22 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8001%<\/span><\/span>\n<span id=\"cb1-29\"><a href=\"#cb1-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  23 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8001%<\/span><\/span>\n<span id=\"cb1-30\"><a href=\"#cb1-30\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  24 <span class=\"kw\">|<\/span>     <span class=\"ex\">50<\/span> <span 
class=\"kw\">|<\/span>   <span class=\"ex\">0.5000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-31\"><a href=\"#cb1-31\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  25 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-32\"><a href=\"#cb1-32\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  26 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-33\"><a href=\"#cb1-33\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  27 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-34\"><a href=\"#cb1-34\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  28 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-35\"><a href=\"#cb1-35\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  29 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   
<span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.6999%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.3001%<\/span><\/span>\n<span id=\"cb1-36\"><a href=\"#cb1-36\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  30 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">87.4599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">12.5401%<\/span><\/span>\n<span id=\"cb1-37\"><a href=\"#cb1-37\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  31 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">87.4599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">12.5401%<\/span><\/span>\n<span id=\"cb1-38\"><a href=\"#cb1-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  32 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">87.4599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">12.5401%<\/span><\/span>\n<span id=\"cb1-39\"><a href=\"#cb1-39\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  33 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">87.4599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">12.5401%<\/span><\/span>\n<span id=\"cb1-40\"><a href=\"#cb1-40\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  34 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">87.4599%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">12.5401%<\/span><\/span>\n<span id=\"cb1-41\"><a href=\"#cb1-41\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  35 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2200%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7800%<\/span><\/span>\n<span id=\"cb1-42\"><a href=\"#cb1-42\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  36 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2200%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7800%<\/span><\/span>\n<span id=\"cb1-43\"><a href=\"#cb1-43\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  37 <span class=\"kw\">|<\/span>      <span class=\"ex\">5<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0500%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-44\"><a href=\"#cb1-44\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  38 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-45\"><a href=\"#cb1-45\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  39 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-46\"><a href=\"#cb1-46\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  40 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-47\"><a href=\"#cb1-47\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  41 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-48\"><a href=\"#cb1-48\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  42 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-49\"><a href=\"#cb1-49\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  43 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-50\"><a href=\"#cb1-50\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  44 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-51\"><a href=\"#cb1-51\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  45 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-52\"><a href=\"#cb1-52\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  46 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-53\"><a href=\"#cb1-53\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  47 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-54\"><a href=\"#cb1-54\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  48 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-55\"><a href=\"#cb1-55\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  49 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-56\"><a href=\"#cb1-56\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  50 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-57\"><a href=\"#cb1-57\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  51 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-58\"><a href=\"#cb1-58\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  52 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-59\"><a href=\"#cb1-59\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  53 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-60\"><a href=\"#cb1-60\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  54 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-61\"><a href=\"#cb1-61\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  55 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-62\"><a href=\"#cb1-62\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  56 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-63\"><a href=\"#cb1-63\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  57 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-64\"><a href=\"#cb1-64\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  58 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-65\"><a href=\"#cb1-65\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  59 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-66\"><a href=\"#cb1-66\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  60 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-67\"><a href=\"#cb1-67\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  61 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-68\"><a href=\"#cb1-68\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  62 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-69\"><a href=\"#cb1-69\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  63 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-70\"><a href=\"#cb1-70\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  64 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-71\"><a href=\"#cb1-71\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  65 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-72\"><a href=\"#cb1-72\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  66 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-73\"><a href=\"#cb1-73\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  67 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-74\"><a href=\"#cb1-74\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  68 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-75\"><a href=\"#cb1-75\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  69 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-76\"><a href=\"#cb1-76\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  70 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-77\"><a href=\"#cb1-77\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  71 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-78\"><a href=\"#cb1-78\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  72 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-79\"><a href=\"#cb1-79\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  73 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">88.2700%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">11.7300%<\/span><\/span>\n<span id=\"cb1-80\"><a href=\"#cb1-80\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  74 <span class=\"kw\">|<\/span>    <span class=\"ex\">388<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">3.8800%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.1499%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.8501%<\/span><\/span>\n<span id=\"cb1-81\"><a href=\"#cb1-81\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  75 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.1499%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.8501%<\/span><\/span>\n<span id=\"cb1-82\"><a href=\"#cb1-82\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  76 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.1499%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.8501%<\/span><\/span>\n<span id=\"cb1-83\"><a href=\"#cb1-83\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  77 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.1499%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.8501%<\/span><\/span>\n<span id=\"cb1-84\"><a href=\"#cb1-84\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  78 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9100%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0900%<\/span><\/span>\n<span id=\"cb1-85\"><a href=\"#cb1-85\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  79 <span class=\"kw\">|<\/span>      <span class=\"ex\">1<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-86\"><a href=\"#cb1-86\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  80 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-87\"><a href=\"#cb1-87\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  81 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-88\"><a href=\"#cb1-88\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  82 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-89\"><a href=\"#cb1-89\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  83 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-90\"><a href=\"#cb1-90\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  84 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-91\"><a href=\"#cb1-91\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  85 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-92\"><a href=\"#cb1-92\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  86 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-93\"><a href=\"#cb1-93\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  87 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-94\"><a href=\"#cb1-94\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  88 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-95\"><a href=\"#cb1-95\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  89 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-96\"><a href=\"#cb1-96\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  90 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-97\"><a href=\"#cb1-97\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  91 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-98\"><a href=\"#cb1-98\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  92 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">92.9200%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0800%<\/span><\/span>\n<span id=\"cb1-99\"><a href=\"#cb1-99\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  93 <span class=\"kw\">|<\/span>    <span class=\"ex\">701<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.0100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-100\"><a href=\"#cb1-100\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  94 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-101\"><a href=\"#cb1-101\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  95 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-102\"><a href=\"#cb1-102\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  96 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-103\"><a href=\"#cb1-103\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  97 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-104\"><a href=\"#cb1-104\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  98 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-105\"><a href=\"#cb1-105\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  99 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-106\"><a href=\"#cb1-106\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 100 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-107\"><a href=\"#cb1-107\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 101 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-108\"><a href=\"#cb1-108\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 102 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-109\"><a href=\"#cb1-109\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 103 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-110\"><a href=\"#cb1-110\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 104 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-111\"><a href=\"#cb1-111\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 105 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-112\"><a href=\"#cb1-112\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 106 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-113\"><a href=\"#cb1-113\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 107 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-114\"><a href=\"#cb1-114\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 108 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-115\"><a href=\"#cb1-115\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 109 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-116\"><a href=\"#cb1-116\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 110 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-117\"><a href=\"#cb1-117\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 111 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-118\"><a href=\"#cb1-118\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 112 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-119\"><a href=\"#cb1-119\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 113 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-120\"><a href=\"#cb1-120\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 114 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-121\"><a href=\"#cb1-121\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 115 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-122\"><a href=\"#cb1-122\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 116 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-123\"><a href=\"#cb1-123\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 117 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-124\"><a href=\"#cb1-124\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 118 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-125\"><a href=\"#cb1-125\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 119 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-126\"><a href=\"#cb1-126\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 120 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-127\"><a href=\"#cb1-127\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 121 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-128\"><a href=\"#cb1-128\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 122 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-129\"><a href=\"#cb1-129\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 123 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-130\"><a href=\"#cb1-130\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 124 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-131\"><a href=\"#cb1-131\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 125 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-132\"><a href=\"#cb1-132\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 126 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-133\"><a href=\"#cb1-133\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 127 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-134\"><a href=\"#cb1-134\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 128 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-135\"><a href=\"#cb1-135\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 129 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-136\"><a href=\"#cb1-136\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 130 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-137\"><a href=\"#cb1-137\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 131 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-138\"><a href=\"#cb1-138\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 132 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-139\"><a href=\"#cb1-139\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 133 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-140\"><a href=\"#cb1-140\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 134 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-141\"><a href=\"#cb1-141\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 135 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-142\"><a href=\"#cb1-142\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 136 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-143\"><a href=\"#cb1-143\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 137 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-144\"><a href=\"#cb1-144\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 138 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-145\"><a href=\"#cb1-145\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 139 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-146\"><a href=\"#cb1-146\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 140 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-147\"><a href=\"#cb1-147\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 141 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-148\"><a href=\"#cb1-148\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 142 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-149\"><a href=\"#cb1-149\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 143 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9300%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0700%<\/span><\/span>\n<span id=\"cb1-150\"><a href=\"#cb1-150\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 144 <span class=\"kw\">|<\/span>      <span class=\"ex\">1<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-151\"><a href=\"#cb1-151\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 145 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-152\"><a href=\"#cb1-152\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 146 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-153\"><a href=\"#cb1-153\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 147 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-154\"><a href=\"#cb1-154\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 148 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-155\"><a href=\"#cb1-155\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 149 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-156\"><a href=\"#cb1-156\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 150 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-157\"><a href=\"#cb1-157\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 151 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-158\"><a href=\"#cb1-158\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 152 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-159\"><a href=\"#cb1-159\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 153 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-160\"><a href=\"#cb1-160\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 154 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-161\"><a href=\"#cb1-161\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 155 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-162\"><a href=\"#cb1-162\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 156 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-163\"><a href=\"#cb1-163\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 157 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-164\"><a href=\"#cb1-164\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 158 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-165\"><a href=\"#cb1-165\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 159 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-166\"><a href=\"#cb1-166\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 160 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-167\"><a href=\"#cb1-167\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 161 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-168\"><a href=\"#cb1-168\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 162 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-169\"><a href=\"#cb1-169\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 163 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-170\"><a href=\"#cb1-170\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 164 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-171\"><a href=\"#cb1-171\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 165 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-172\"><a href=\"#cb1-172\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 166 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-173\"><a href=\"#cb1-173\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 167 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-174\"><a href=\"#cb1-174\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 168 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-175\"><a href=\"#cb1-175\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 169 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span 
class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-176\"><a href=\"#cb1-176\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 170 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span><\/span>\n<span id=\"cb1-177\"><a href=\"#cb1-177\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of 171 <span class=\"kw\">|<\/span>      <span class=\"ex\">6<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0600%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb1-178\"><a href=\"#cb1-178\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-179\"><a href=\"#cb1-179\" aria-hidden=\"true\"><\/a><span class=\"ex\">Incoming<\/span> average:  12.6065    Median   0.0000    Standard deviation  27.5065<\/span>\n<span id=\"cb1-180\"><a href=\"#cb1-180\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-181\"><a href=\"#cb1-181\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-182\"><a href=\"#cb1-182\" aria-hidden=\"true\"><\/a><span class=\"ex\">OUTGOING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. <span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb1-183\"><a href=\"#cb1-183\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of outgoing req. 
(total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb1-184\"><a href=\"#cb1-184\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-185\"><a href=\"#cb1-185\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. outgoing score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb1-186\"><a href=\"#cb1-186\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with outgoing score of   0 <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb1-187\"><a href=\"#cb1-187\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb1-188\"><a href=\"#cb1-188\" aria-hidden=\"true\"><\/a><span class=\"ex\">Outgoing<\/span> average:   0.0000    Median   0.0000    Standard deviation   0.0000<\/span><\/code><\/pre><\/div>\n<p>So we have 10,000 requests and about half of them pass without raising an alarm. Over 3,500 requests come in with an anomaly score of 5 and the remaining requests form two distinct anomaly score clusters around 74 and 93. Then there is a very long tail with the highest group of requests scoring 171. That\u2019s more than 30 critical alerts on a single request (a critical alert gives 5 points, 30 critical alerts will thus score 150). 
Wow!<\/p>\n<p>Let\u2019s visualize this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/files\/tutorial-8-distribution-untuned.png\" alt=\"Untuned Distribution\" width=\"950\" height=\"550\" \/><\/p>\n<p><em>A quick overview of the stats generated above<\/em><\/p>\n<p>This is only a graph cobbled together on the fly. But it shows the problem that most requests are located near the left. They did not score at all, or they scored exactly 5 points. But there are requests with higher scores and there is even a handful of outliers beyond the frame on the right. So where do we start?<\/p>\n<p>We start with the requests returning the highest anomaly score; we start on the right side of the graph! This makes sense because we are in blocking mode and we would like to reduce the threshold. The group of requests standing in our way are the six requests with a score of 171 and the single request with a score of 144. Let\u2019s write rule exclusions to suppress the alarms leading to these scores, because it\u2019s these 7 requests that stop us from reducing the anomaly threshold from 10,000 to, say, 100.<\/p>\n<h3 id=\"step-3-the-first-batch-of-rule-exclusions\">Step 3: The first batch of rule exclusions<\/h3>\n<p>In order to find out what rules stand behind the anomaly scores 144 and 171, we need to link the access log to the error log. 
The unique request ID is this link:<\/p>\n<div class=\"sourceCode\" id=\"cb2\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb2-1\"><a href=\"#cb2-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">egrep<\/span> <span class=\"st\">&quot; (144|171) [0-9-]+$&quot;<\/span> tutorial-8-example-access.log <span class=\"kw\">|<\/span> <span class=\"ex\">alreqid<\/span> <span class=\"kw\">|<\/span> <span class=\"fu\">tee<\/span> ids<\/span>\n<span id=\"cb2-2\"><a href=\"#cb2-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwPjVthd6oCpPp2VVvSwAAAAI<\/span><\/span>\n<span id=\"cb2-3\"><a href=\"#cb2-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1wAAABE<\/span><\/span>\n<span id=\"cb2-4\"><a href=\"#cb2-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1gAAABU<\/span><\/span>\n<span id=\"cb2-5\"><a href=\"#cb2-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1gAAABc<\/span><\/span>\n<span id=\"cb2-6\"><a href=\"#cb2-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1wAAABY<\/span><\/span>\n<span id=\"cb2-7\"><a href=\"#cb2-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1wAAAAc<\/span><\/span>\n<span id=\"cb2-8\"><a href=\"#cb2-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">YOLwcTVthd6oCpPp2VVw1wAAAAg<\/span><\/span><\/code><\/pre><\/div>\n<p>With this one-liner, we <em>grep<\/em> for the requests with incoming anomaly score 144 or 171. We know it is the second item from the end of the log line. The final value is the outgoing anomaly score. In our case, all responses scored 0, but theoretically, this value could be any number or undefined (-&gt; <code>-<\/code>) so it is generally a good practice to write the pattern this way. 
The alias <em>alreqid<\/em> extracts the unique ID and <em>tee<\/em> will show us the IDs and write them to the file <em>ids<\/em> at the same time.<\/p>\n<p>We can then take the IDs in this file and use them to extract the alerts belonging to the requests we\u2019re focused on. We use <code>grep -f<\/code> to perform this step. The <code>-F<\/code> flag tells <em>grep<\/em> that our pattern file is actually a list of fixed strings separated by newlines. Thus equipped, <em>grep<\/em> is a lot more efficient than without the <code>-F<\/code> flag for files larger than the one in question. The <em>melidmsg<\/em> alias extracts the ID and the message explaining the alert. Combining both is very helpful. The already familiar <em>sucs<\/em> alias is then used to sum it all up:<\/p>\n<div class=\"sourceCode\" id=\"cb3\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb3-1\"><a href=\"#cb3-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log  <span class=\"kw\">|<\/span> <span class=\"ex\">melidmsg<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb3-2\"><a href=\"#cb3-2\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">6<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb3-3\"><a href=\"#cb3-3\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">7<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span>\n<span id=\"cb3-4\"><a href=\"#cb3-4\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">35<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span>\n<span id=\"cb3-5\"><a href=\"#cb3-5\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">110<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb3-6\"><a href=\"#cb3-6\" aria-hidden=\"true\"><\/a>    <span 
class=\"ex\">150<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span><\/code><\/pre><\/div>\n<p>So these are the culprits: These are the rules driving the anomaly score of said seven requests to the heights we encountered. Let\u2019s go through them one by one.<\/p>\n<p>942450 SQL Hex Encoding Identified looks for strings of the pattern <code>0x<\/code> with two additional hexadecimal digits. This is a hexadecimal encoding which can point to an exploit being used. The problem with this encoding is that session cookies can sometimes contain this pattern. Session cookies are randomly generated strings and at times you get this pattern in such an identifier. When you do, there is this paranoia level 2 rule that looks for hexadecimal encoding assuming it might be used to sneak past our ruleset. This is a false positive in a very classical way.<\/p>\n<p>921180 HTTP Parameter Pollution is a rule that identifies when a parameter (<em>ids[]<\/em> here) is submitted more than once within the same request. It\u2019s an advanced rule which appeared in the CRS3 for the first time (based on a mechanic I developed). Drupal seems to exhibit this behavior and we can hardly instruct it to stop it.<\/p>\n<p>942431 Restricted SQL Character Anomaly Detection and 942432 are closely related. We call these siblings. They form a group with 942430, the base rule looking for 12 special characters like square brackets, colons, semicolons, asterisks, etc. (paranoia level 2). 942431 is a strict sibling and executes the same check, but with a limit of 6 characters at paranoia level 3 and finally the paranoid zealot in the family, 942432, is going crazy after the 2nd special character (paranoia level 4).<\/p>\n<p>Rule 920273 Invalid character in request is pretty much self-explanatory. 
It\u2019s a very strict rule at paranoia level 4 and it fights special characters fiercely.<\/p>\n<p>So this is what we are facing for our first tuning round.<\/p>\n<p>Let\u2019s look at the rule exclusion cheat sheet from the previous tutorial again. It illustrates the four basic ways to handle a false positive. This is going to be our guide as we work through them.<\/p>\n<p><a href=\"https:\/\/www.netnea.com\/cms\/rule-exclusion-cheatsheet-download\/\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.netnea.com\/files\/tutorial-7-rule-exclusion-cheatsheet_small.png\" alt=\"Rule Exclusion CheatSheet\" width=\"476\" height=\"673\" \/><\/a><\/p>\n<p><em>Click the cheat sheet to get to the download of the large version<\/em><\/p>\n<p>Let\u2019s start with a simple case: 920273 Invalid character in request. We could look at this in great detail and check out all the different parameters triggering this rule. Depending on the security level we want to provide for our application, this would be the right approach. But this is only an exercise and the numbers for this rule are staggering, so we will keep it simple: Let\u2019s kick this rule out completely. 
We\u2019ll opt for a startup rule (to be placed after the CRS include) that removes the rule 920273 from the memory of the WAF.<\/p>\n<div class=\"sourceCode\" id=\"cb4\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb4-1\"><a href=\"#cb4-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># === ModSec Core Rule Set: Config Time Exclusion Rules (no ids)<\/span><\/span>\n<span id=\"cb4-2\"><a href=\"#cb4-2\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb4-3\"><a href=\"#cb4-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 920273 : Invalid character in request (outside of very strict set)<\/span><\/span>\n<span id=\"cb4-4\"><a href=\"#cb4-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 920273<\/span><\/code><\/pre><\/div>\n<p>I suggest you always add at least a minimal comment where you describe what you are doing and also name the rule, since most people won\u2019t know the rule IDs by heart.<\/p>\n<p>Next are the alerts for 942432 Restricted SQL Character Anomaly Detection. Let\u2019s take a closer look.<\/p>\n<div class=\"sourceCode\" id=\"cb5\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb5-1\"><a href=\"#cb5-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log  <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942432 <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb5-2\"><a href=\"#cb5-2\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">75<\/span> ARGS:ids[]<\/span>\n<span id=\"cb5-3\"><a href=\"#cb5-3\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">75<\/span> ARGS_NAMES:ids[]<\/span><\/code><\/pre><\/div>\n<p>Drupal obviously uses square brackets within the parameter name. This is not limited to IDs, but a general pattern. 
Two square brackets are enough to trigger the rule, so this sets off a lot of false alarms. Running after all occurrences would be very tedious, so we will kick this rule out as well (remember, it\u2019s a paranoia level 4 rule and a more relaxed version of this rule exists at PL3).<\/p>\n<div class=\"sourceCode\" id=\"cb6\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb6-1\"><a href=\"#cb6-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942432 : Restricted SQL Character Anomaly Detection (args): <\/span><\/span>\n<span id=\"cb6-2\"><a href=\"#cb6-2\" aria-hidden=\"true\"><\/a><span class=\"co\"># number of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb6-3\"><a href=\"#cb6-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 942432<\/span><\/code><\/pre><\/div>\n<p>The next one is 942450. This is the rule looking for traces of hex encoding. This is a peculiar case as we can easily see:<\/p>\n<div class=\"sourceCode\" id=\"cb7\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb7-1\"><a href=\"#cb7-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log  <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942450 <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb7-2\"><a href=\"#cb7-2\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">6<\/span> REQUEST_COOKIES:98febd3dhf84de73ab2e32889dc5f0x032a9<\/span>\n<span id=\"cb7-3\"><a href=\"#cb7-3\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">6<\/span> REQUEST_COOKIES_NAMES:SESS29af1facda0a866a687d5055f0x034ca<\/span><\/code><\/pre><\/div>\n<p>As expected, it\u2019s a session cookie, but unexpectedly, the session cookie has a dynamic name on top! 
This means we cannot simply ignore the session cookie by name; we would need to ignore cookies whose name matches a certain pattern and this is something ModSecurity does not allow us to do. The only viable approach from my perspective is to have this rule ignore all cookies. This way, the rule is still intact for post and query string parameters, but it does not trigger on cookies anymore. That\u2019s not ideal, but the best we can do in this situation. So unlike the previous rule exclusions, we limit our exclusion to two parameters (ModSecurity collections is the correct term) and leave the rest of the rule intact. On the cheat sheet, this is the bottom left option; another startup rule exclusion but one that leaves the rule itself intact.<\/p>\n<div class=\"sourceCode\" id=\"cb8\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb8-1\"><a href=\"#cb8-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942450 : SQL Hex Encoding Identified (severity: 5 CRITICAL)<\/span><\/span>\n<span id=\"cb8-2\"><a href=\"#cb8-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 942450 <span class=\"st\">&quot;!REQUEST_COOKIES&quot;<\/span><\/span>\n<span id=\"cb8-3\"><a href=\"#cb8-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 942450 <span class=\"st\">&quot;!REQUEST_COOKIES_NAMES&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>Two more to go: 921180 HTTP Parameter Pollution and 942431 Restricted SQL Character Anomaly Detection. Let\u2019s try and work in a more diligent way here. We no longer throw out the entire rule and we do not want to exclude parameters from the application of the rule entirely. Instead, we limit the rule exclusion to a certain URI pattern. That means, we will construct a rule exclusion that depends on the request in question; a runtime rule exclusion. 
On the cheat sheet, this is the right column.<\/p>\n<p>As you can also see on the cheat sheet, these are very hard to do by hand. That\u2019s why I have developed a script that comes to your help. Please download <a href=\"https:\/\/www.netnea.com\/files\/modsec-rulereport.rb\">modsec-rulereport.rb<\/a> and put it into your <code>bin<\/code> folder. Try out the <code>--help<\/code> option of the script to get an idea of what it can do for you.<\/p>\n<p>Here is how I use it to generate a rule exclusion for 942431: First I take a look at the alert again:<\/p>\n<div class=\"sourceCode\" id=\"cb9\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb9-1\"><a href=\"#cb9-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span> <\/span>\n<span id=\"cb9-2\"><a href=\"#cb9-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:ids[]<\/span>\n<span id=\"cb9-3\"><a href=\"#cb9-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:ids[]<\/span>\n<span id=\"cb9-4\"><a href=\"#cb9-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:ids[]<\/span>\n<span id=\"cb9-5\"><a href=\"#cb9-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb9-6\"><a href=\"#cb9-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:ids[]<\/span><\/code><\/pre><\/div>\n<p>So the parameter <code>ids[]<\/code> is affected. 
And it\u2019s always the same URI:<\/p>\n<div class=\"sourceCode\" id=\"cb10\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb10-1\"><a href=\"#cb10-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"ex\">meluri<\/span> <\/span>\n<span id=\"cb10-2\"><a href=\"#cb10-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/drupal\/index.php\/contextual\/render<\/span><\/span>\n<span id=\"cb10-3\"><a href=\"#cb10-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/drupal\/index.php\/contextual\/render<\/span><\/span>\n<span id=\"cb10-4\"><a href=\"#cb10-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/drupal\/index.php\/contextual\/render<\/span><\/span>\n<span id=\"cb10-5\"><a href=\"#cb10-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb10-6\"><a href=\"#cb10-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/drupal\/index.php\/contextual\/render<\/span><\/span><\/code><\/pre><\/div>\n<p>So it\u2019s a perfect use case for a runtime rule exclusion that ignores parameter <code>ids[]<\/code> on <code>\/drupal\/index.php\/contextual\/render<\/code>. 
Here is how to use the script to do this:<\/p>\n<div class=\"sourceCode\" id=\"cb11\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb11-1\"><a href=\"#cb11-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb11-2\"><a href=\"#cb11-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">modsec-rulereport.rb<\/span> --runtime --target --byid<\/span>\n<span id=\"cb11-3\"><a href=\"#cb11-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942431 : Restricted SQL Character Anomaly Detection (args): \u2026<\/span><\/span>\n<span id=\"cb11-4\"><a href=\"#cb11-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/contextual\/render&quot;<\/span><\/span>\n<span id=\"cb11-5\"><a href=\"#cb11-5\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=942431;ARGS:ids[]&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>This output is config code. You can copy it over to your Apache \/ ModSecurity configuration as is, ideally together with the comment. Important: This has to be placed above the CRS include in the configuration file. If you place it afterwards, there is a chance the rule has already been executed the moment you issue the rule exclusion. So as a rule of thumb, runtime rule exclusions are always defined before the include, startup rule exclusions are defined after the include.<\/p>\n<p>If we accept this rule exclusion proposal as our new config, then there is only 921180 HTTP Parameter Pollution left. 
The script gives us the following:<\/p>\n<div class=\"sourceCode\" id=\"cb12\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb12-1\"><a href=\"#cb12-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 921180 <span class=\"kw\">|<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb12-2\"><a href=\"#cb12-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">modsec-rulereport.rb<\/span> --runtime --target --byid<\/span>\n<span id=\"cb12-3\"><a href=\"#cb12-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span><\/span>\n<span id=\"cb12-4\"><a href=\"#cb12-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/contextual\/render&quot;<\/span><\/span>\n<span id=\"cb12-5\"><a href=\"#cb12-5\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:ids[]&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>We can copy this over to the config again, but there is a twist. If we take it as is, there is going to be a rule collision as the script issued the new rule with ID 10000 again. 
Let\u2019s change that to 10001 and enter it as follows:<\/p>\n<div class=\"sourceCode\" id=\"cb13\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb13-1\"><a href=\"#cb13-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span><\/span>\n<span id=\"cb13-2\"><a href=\"#cb13-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/contextual\/render&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb13-3\"><a href=\"#cb13-3\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10001,ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:ids[]&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>If you do not want to tweak the rule ID by hand, then you can also pass the desired base rule ID as a command line parameter <code>--baseruleid<\/code> or &#8211; even better still &#8211; make sure the script saves the rule ID and starts the next run with the rule ID it finds from the previous run. Look up the help page of the script to learn how this works.<\/p>\n<h3 id=\"step-4-reducing-the-anomaly-score-threshold\">Step 4: Reducing the anomaly score threshold<\/h3>\n<p>We have tuned away the alerts leading to the highest anomaly scores. Actually, anything above 100 is now gone. In a production setup, I would deploy the updated configuration and observe the behaviour a bit. If the high scores are really gone, then it is time to reduce the anomaly limit. A typical first step is from 10,000 to 100. Then we do more rule exclusions, reduce to 50 or so, then to 20, 10 and 5. In fact, a limit of 5 is really strong (first critical alert blocks a request), but for sites with lower security needs, a limit of 10 might just be good enough. 
Anything above that does not really block attackers.<\/p>\n<p>But before we get there, we need to add a few more rule exclusions.<\/p>\n<h3 id=\"step-5-the-second-batch-of-rule-exclusions\">Step 5: The second batch of rule exclusions<\/h3>\n<p>After the first batch of rule exclusions, we would observe the service. In our exercise, we can speed up the process and run the <code>10K-traffic-generator.sh<\/code> script again (don\u2019t forget to restart your webserver after having added the rule exclusions in step 3 above).<\/p>\n<p>Here, for your reference, are the log files I got with the rule exclusions defined above:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-access-round-2.log\">tutorial-8-example-access-round-2.log<\/a><\/li>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-error-round-2.log\">tutorial-8-example-error-round-2.log<\/a><\/li>\n<\/ul>\n<p>We start again with a look at the score distribution:<\/p>\n<div class=\"sourceCode\" id=\"cb14\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb14-1\"><a href=\"#cb14-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-access-round-2.log <span class=\"kw\">|<\/span> <span class=\"ex\">alscores<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">modsec-positive-stats.rb<\/span><\/span>\n<span id=\"cb14-2\"><a href=\"#cb14-2\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-3\"><a href=\"#cb14-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. <span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb14-4\"><a href=\"#cb14-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of incoming req. 
(total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb14-5\"><a href=\"#cb14-5\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-6\"><a href=\"#cb14-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. incoming score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb14-7\"><a href=\"#cb14-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   0 <span class=\"kw\">|<\/span>   <span class=\"ex\">8612<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8801%<\/span><\/span>\n<span id=\"cb14-8\"><a href=\"#cb14-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   1 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8801%<\/span><\/span>\n<span id=\"cb14-9\"><a href=\"#cb14-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   2 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8801%<\/span><\/span>\n<span id=\"cb14-10\"><a href=\"#cb14-10\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   3 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8801%<\/span><\/span>\n<span id=\"cb14-11\"><a href=\"#cb14-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   4 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">86.1199%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">13.8801%<\/span><\/span>\n<span id=\"cb14-12\"><a href=\"#cb14-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   5 <span class=\"kw\">|<\/span>    <span class=\"ex\">736<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">7.3600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">93.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">6.5201%<\/span><\/span>\n<span id=\"cb14-13\"><a href=\"#cb14-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   6 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">93.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">6.5201%<\/span><\/span>\n<span id=\"cb14-14\"><a href=\"#cb14-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   7 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">93.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">6.5201%<\/span><\/span>\n<span id=\"cb14-15\"><a href=\"#cb14-15\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   8 <span class=\"kw\">|<\/span>    <span class=\"ex\">388<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">3.8800%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.3599%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.6401%<\/span><\/span>\n<span id=\"cb14-16\"><a href=\"#cb14-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   9 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.3599%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.6401%<\/span><\/span>\n<span id=\"cb14-17\"><a href=\"#cb14-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  10 <span class=\"kw\">|<\/span>     <span class=\"ex\">36<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-18\"><a href=\"#cb14-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  11 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-19\"><a href=\"#cb14-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  12 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-20\"><a href=\"#cb14-20\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  13 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-21\"><a href=\"#cb14-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  14 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-22\"><a href=\"#cb14-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  15 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-23\"><a href=\"#cb14-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  16 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-24\"><a href=\"#cb14-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  17 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-25\"><a href=\"#cb14-25\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  18 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-26\"><a href=\"#cb14-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  19 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-27\"><a href=\"#cb14-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  20 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-28\"><a href=\"#cb14-28\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  21 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-29\"><a href=\"#cb14-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  22 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-30\"><a href=\"#cb14-30\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  23 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-31\"><a href=\"#cb14-31\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  24 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">97.7199%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">2.2801%<\/span><\/span>\n<span id=\"cb14-32\"><a href=\"#cb14-32\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  25 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">98.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">1.5201%<\/span><\/span>\n<span id=\"cb14-33\"><a href=\"#cb14-33\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  26 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">98.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">1.5201%<\/span><\/span>\n<span id=\"cb14-34\"><a href=\"#cb14-34\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  27 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">98.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">1.5201%<\/span><\/span>\n<span id=\"cb14-35\"><a href=\"#cb14-35\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  28 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">98.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">1.5201%<\/span><\/span>\n<span id=\"cb14-36\"><a href=\"#cb14-36\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  29 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">98.4799%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">1.5201%<\/span><\/span>\n<span id=\"cb14-37\"><a href=\"#cb14-37\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  30 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-38\"><a href=\"#cb14-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  31 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-39\"><a href=\"#cb14-39\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  32 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-40\"><a href=\"#cb14-40\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  33 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-41\"><a href=\"#cb14-41\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  34 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-42\"><a href=\"#cb14-42\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  35 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-43\"><a href=\"#cb14-43\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  36 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-44\"><a href=\"#cb14-44\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  37 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-45\"><a href=\"#cb14-45\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  38 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-46\"><a href=\"#cb14-46\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  39 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-47\"><a href=\"#cb14-47\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  40 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-48\"><a href=\"#cb14-48\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  41 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-49\"><a href=\"#cb14-49\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  42 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-50\"><a href=\"#cb14-50\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  43 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-51\"><a href=\"#cb14-51\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  44 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-52\"><a href=\"#cb14-52\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  45 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-53\"><a href=\"#cb14-53\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  46 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-54\"><a href=\"#cb14-54\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  47 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-55\"><a href=\"#cb14-55\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  48 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-56\"><a href=\"#cb14-56\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  49 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-57\"><a href=\"#cb14-57\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  50 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-58\"><a href=\"#cb14-58\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  51 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-59\"><a href=\"#cb14-59\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  52 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-60\"><a href=\"#cb14-60\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  53 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-61\"><a href=\"#cb14-61\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  54 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-62\"><a href=\"#cb14-62\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  55 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-63\"><a href=\"#cb14-63\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  56 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-64\"><a href=\"#cb14-64\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  57 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-65\"><a href=\"#cb14-65\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  58 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-66\"><a href=\"#cb14-66\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  59 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2400%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span><\/span>\n<span id=\"cb14-67\"><a href=\"#cb14-67\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  60 <span class=\"kw\">|<\/span>     <span class=\"ex\">76<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7600%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb14-68\"><a href=\"#cb14-68\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-69\"><a href=\"#cb14-69\" aria-hidden=\"true\"><\/a><span class=\"ex\">Incoming<\/span> average:   1.5884    Median   0.0000    Standard deviation   6.4117<\/span>\n<span id=\"cb14-70\"><a href=\"#cb14-70\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-71\"><a href=\"#cb14-71\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-72\"><a href=\"#cb14-72\" aria-hidden=\"true\"><\/a><span class=\"ex\">OUTGOING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. 
<span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb14-73\"><a href=\"#cb14-73\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of outgoing req. (total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb14-74\"><a href=\"#cb14-74\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-75\"><a href=\"#cb14-75\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. outgoing score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb14-76\"><a href=\"#cb14-76\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with outgoing score of   0 <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb14-77\"><a href=\"#cb14-77\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb14-78\"><a href=\"#cb14-78\" aria-hidden=\"true\"><\/a><span class=\"ex\">Outgoing<\/span> average:   0.0000    Median   0.0000    Standard deviation   0.0000<\/span><\/code><\/pre><\/div>\n<p>If we compare this to the first run of the statistic script, we reduced the mean incoming score from 12.6 to 1.6. 
This is very impressive in light of just seven requests that we tuned: By focusing on a handful of high scoring requests, we improved the whole service by a lot.<\/p>\n<p>We could expect the high scoring requests of 144 and 171 to be gone, but funnily enough, the cluster at 74 and the one at 93 have also disappeared. We only covered seven requests in the initial tuning, but two clusters with alerts from over 350 requests are completely gone as well. And this is not an exceptional effect. It is the standard behaviour if we work with this tuning method: a few rule exclusions that we derived from the highest scoring requests will kill most of the false alarms.<\/p>\n<p>Our next goal is the group of requests with a score of 60 so we can then lower the anomaly score threshold to 50 in the 2nd reduction round. Let\u2019s extract the rule IDs and then examine the alerts a bit.<\/p>\n<div class=\"sourceCode\" id=\"cb15\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb15-1\"><a href=\"#cb15-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">egrep<\/span> <span class=\"st\">&quot; 60 [0-9-]+$&quot;<\/span> tutorial-8-example-access-round-2.log <span class=\"kw\">|<\/span> <span class=\"ex\">alreqid<\/span> <span class=\"op\">&gt;<\/span> ids<\/span>\n<span id=\"cb15-2\"><a href=\"#cb15-2\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-2.log <span class=\"kw\">|<\/span> <span class=\"ex\">melidmsg<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb15-3\"><a href=\"#cb15-3\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">75<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:keys)<\/span>\n<span id=\"cb15-4\"><a href=\"#cb15-4\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">75<\/span> 942100 SQL Injection Attack Detected via libinjection<\/span>\n<span id=\"cb15-5\"><a 
href=\"#cb15-5\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">150<\/span> 942190 Detects MSSQL code execution and information gathering attempts<\/span>\n<span id=\"cb15-6\"><a href=\"#cb15-6\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">150<\/span> 942200 Detects MySQL comment-\/space-obfuscated injections and backtick termination<\/span>\n<span id=\"cb15-7\"><a href=\"#cb15-7\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">150<\/span> 942260 Detects basic SQL authentication bypass attempts 2\/3<\/span>\n<span id=\"cb15-8\"><a href=\"#cb15-8\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">150<\/span> 942270 Looking for basic sql injection. Common attack string for mysql, oracle and others<\/span>\n<span id=\"cb15-9\"><a href=\"#cb15-9\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">150<\/span> 942480 SQL Injection Attack<\/span><\/code><\/pre><\/div>\n<p>Interestingly, the alerts all happen on the same path:<\/p>\n<div class=\"sourceCode\" id=\"cb16\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb16-1\"><a href=\"#cb16-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-2.log <span class=\"kw\">|<\/span> <span class=\"ex\">meluri<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb16-2\"><a href=\"#cb16-2\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">912<\/span> \/drupal\/index.php\/search\/node<\/span><\/code><\/pre><\/div>\n<p>This path points to a search form and payloads resembling SQL injections. Just what the alerts listed above also indicate. But there is one exception: We have seen rule 921180 HTTP Parameter Pollution before. In the previous tuning round we did a diligent runtime rule exclusion to avoid this rule for parameter <code>ids[]<\/code>. 
Now it looks like the submission of a certain parameter name multiple times in the same request is one of Drupal\u2019s favorite pastimes. So the diligent approach is overly tedious and we had better give up on that idea and kiss this rule goodbye in our Drupal context:<\/p>\n<div class=\"sourceCode\" id=\"cb17\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb17-1\"><a href=\"#cb17-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution<\/span><\/span>\n<span id=\"cb17-2\"><a href=\"#cb17-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 921180<\/span><\/code><\/pre><\/div>\n<p>Don\u2019t forget to remove the previous runtime rule exclusion for 921180.<\/p>\n<p>All the other alerts stem from SQL injection rules. But we know this was legitimate traffic: I filled in the forms personally when I searched for SQL statements in the Drupal articles I had posted as an exercise. We are now facing a dilemma: If we suppress the rules, we open a door for SQL injections. If we leave the rules intact and reduce the limit, we will block legitimate traffic. I think it is OK to say that nobody should be using the search form to look for SQL statements in our articles. But I could also say that Drupal is smart enough to fight off SQL attacks via the search form. As this is an exercise, this is our position for the moment, since a security issue this blatant would have been discovered a long time ago: Let\u2019s trust Drupal on this and exclude these rules in this context.<\/p>\n<p>How could we do this really quickly? We could do a rule exclusion based on a tag, since all SQL injection rules share a tag. 
Here is how we can identify it (make sure you skip 921180 as that\u2019s not an SQLi rule):<\/p>\n<div class=\"sourceCode\" id=\"cb18\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb18-1\"><a href=\"#cb18-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-2.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> -v 921180 <span class=\"kw\">|<\/span> <span class=\"ex\">meltags<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb18-2\"><a href=\"#cb18-2\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">380<\/span> paranoia-level\/1<\/span>\n<span id=\"cb18-3\"><a href=\"#cb18-3\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">456<\/span> paranoia-level\/2<\/span>\n<span id=\"cb18-4\"><a href=\"#cb18-4\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> application-multi<\/span>\n<span id=\"cb18-5\"><a href=\"#cb18-5\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> attack-sqli<\/span>\n<span id=\"cb18-6\"><a href=\"#cb18-6\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> capec\/1000\/152\/248\/66<\/span>\n<span id=\"cb18-7\"><a href=\"#cb18-7\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> language-multi<\/span>\n<span id=\"cb18-8\"><a href=\"#cb18-8\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> OWASP_CRS<\/span>\n<span id=\"cb18-9\"><a href=\"#cb18-9\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> PCI\/6.5.2<\/span>\n<span id=\"cb18-10\"><a href=\"#cb18-10\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">836<\/span> platform-multi<\/span><\/code><\/pre><\/div>\n<p>That\u2019s all sorts of tags, but the one we are interested in is <code>attack-sqli<\/code>. 
Let\u2019s call the helper script with <code>attack-sqli<\/code> as tag parameter:<\/p>\n<div class=\"sourceCode\" id=\"cb19\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb19-1\"><a href=\"#cb19-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-2.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> -v 921180 <span class=\"kw\">|<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb19-2\"><a href=\"#cb19-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">modsec-rulereport.rb<\/span> --runtime --target --bytag attack-sqli<\/span>\n<span id=\"cb19-3\"><a href=\"#cb19-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942100 via tag attack-sqli: (Msg: SQL Injection Attack Detected via libinjection)<\/span><\/span>\n<span id=\"cb19-4\"><a href=\"#cb19-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span><\/span>\n<span id=\"cb19-5\"><a href=\"#cb19-5\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb19-6\"><a href=\"#cb19-6\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb19-7\"><a href=\"#cb19-7\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942190 via tag attack-sqli: (Msg: Detects MSSQL code execution and information \u2026<\/span><\/span>\n<span id=\"cb19-8\"><a href=\"#cb19-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <\/span>\n<span id=\"cb19-9\"><a href=\"#cb19-9\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10001,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb19-10\"><a 
href=\"#cb19-10\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb19-11\"><a href=\"#cb19-11\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942200 via tag attack-sqli: (Msg: Detects MySQL comment-\/space-obfuscated \u2026<\/span><\/span>\n<span id=\"cb19-12\"><a href=\"#cb19-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <\/span>\n<span id=\"cb19-13\"><a href=\"#cb19-13\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10002,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb19-14\"><a href=\"#cb19-14\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb19-15\"><a href=\"#cb19-15\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942260 via tag attack-sqli: (Msg: Detects basic SQL authentication bypass \u2026<\/span><\/span>\n<span id=\"cb19-16\"><a href=\"#cb19-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <\/span>\n<span id=\"cb19-17\"><a href=\"#cb19-17\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10003,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb19-18\"><a href=\"#cb19-18\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb19-19\"><a href=\"#cb19-19\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942270 via tag attack-sqli: (Msg: Looking for basic sql injection. 
Common \u2026<\/span><\/span>\n<span id=\"cb19-20\"><a href=\"#cb19-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <\/span>\n<span id=\"cb19-21\"><a href=\"#cb19-21\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10004,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb19-22\"><a href=\"#cb19-22\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb19-23\"><a href=\"#cb19-23\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942480 via tag attack-sqli: (Msg: SQL Injection Attack)<\/span><\/span>\n<span id=\"cb19-24\"><a href=\"#cb19-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <\/span>\n<span id=\"cb19-25\"><a href=\"#cb19-25\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10005,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>This is always the same <code>ctl<\/code> statement. So by attempting a rule exclusion by tag name, we get the same rule exclusion for all the individual alerts. 
The script could be a bit smarter and condense this by itself, but for the time being, we need to do this ourselves to get the desired configuration:<\/p>\n<div class=\"sourceCode\" id=\"cb20\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb20-1\"><a href=\"#cb20-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: All SQLi rules for parameter keys on search form via tag attack-sqli<\/span><\/span>\n<span id=\"cb20-2\"><a href=\"#cb20-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb20-3\"><a href=\"#cb20-3\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10001,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>Since we have removed the runtime rule exclusion for 921180 HTTP Parameter Pollution, the rule ID 921180 is free again. We re-use it for this SQLi rule exclusion.<\/p>\n<p>That\u2019s it for the 2nd tuning round: We cleaned out all the scores above 50. Time to reduce the anomaly threshold to 50, let it rest a bit and then examine the logs for the third batch.<\/p>\n<h3 id=\"step-6-the-third-batch-of-rule-exclusions\">Step 6: The third batch of rule exclusions<\/h3>\n<p>I\u2019ve executed the traffic generator after applying the 2nd batch of rule exclusions. 
If you want to skip that step, here are the log files I ended up with:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-access-round-3.log\">tutorial-8-example-access-round-3.log<\/a><\/li>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-error-round-3.log\">tutorial-8-example-error-round-3.log<\/a><\/li>\n<\/ul>\n<p>This brings us to the following statistics (this time only printing numbers for the incoming requests):<\/p>\n<div class=\"sourceCode\" id=\"cb21\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb21-1\"><a href=\"#cb21-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-access-round-3.log <span class=\"kw\">|<\/span> <span class=\"ex\">alscores<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">modsec-positive-stats.rb<\/span> --incoming<\/span>\n<span id=\"cb21-2\"><a href=\"#cb21-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. <span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb21-3\"><a href=\"#cb21-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of incoming req. (total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb21-4\"><a href=\"#cb21-4\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb21-5\"><a href=\"#cb21-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. 
incoming score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb21-6\"><a href=\"#cb21-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   0 <span class=\"kw\">|<\/span>   <span class=\"ex\">9535<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.3500%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.3500%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.6500%<\/span><\/span>\n<span id=\"cb21-7\"><a href=\"#cb21-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   1 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.3500%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.6500%<\/span><\/span>\n<span id=\"cb21-8\"><a href=\"#cb21-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   2 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.3500%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.6500%<\/span><\/span>\n<span id=\"cb21-9\"><a href=\"#cb21-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   3 <span class=\"kw\">|<\/span>    <span class=\"ex\">388<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">3.8800%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2299%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7701%<\/span><\/span>\n<span id=\"cb21-10\"><a href=\"#cb21-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   4 <span 
class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.2299%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.7701%<\/span><\/span>\n<span id=\"cb21-11\"><a href=\"#cb21-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   5 <span class=\"kw\">|<\/span>     <span class=\"ex\">41<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.4100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.6399%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3601%<\/span><\/span>\n<span id=\"cb21-12\"><a href=\"#cb21-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   6 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.6399%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3601%<\/span><\/span>\n<span id=\"cb21-13\"><a href=\"#cb21-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   7 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.6399%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3601%<\/span><\/span>\n<span id=\"cb21-14\"><a href=\"#cb21-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   8 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.6399%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3601%<\/span><\/span>\n<span id=\"cb21-15\"><a href=\"#cb21-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   9 <span 
class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.6399%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3601%<\/span><\/span>\n<span id=\"cb21-16\"><a href=\"#cb21-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of  10 <span class=\"kw\">|<\/span>     <span class=\"ex\">36<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.3600%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9999%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0001%<\/span><\/span>\n<span id=\"cb21-17\"><a href=\"#cb21-17\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb21-18\"><a href=\"#cb21-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">Incoming<\/span> average:   0.1729    Median   0.0000    Standard deviation   0.8842<\/span><\/code><\/pre><\/div>\n<p>So again, a great deal of the false positives disappeared because of a bunch of exclusions for a score of 60. The original plan was to go from limit 50 to limit 20 first. But the stats are much better now. 
If we handle the 36 requests standing in our way we can go to 10 immediately.<\/p>\n<div class=\"sourceCode\" id=\"cb22\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb22-1\"><a href=\"#cb22-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">egrep<\/span> <span class=\"st\">&quot; 10 [0-9-]+$&quot;<\/span> tutorial-8-example-access-round-3.log <span class=\"kw\">|<\/span> <span class=\"ex\">alreqid<\/span> <span class=\"op\">&gt;<\/span> ids<\/span>\n<span id=\"cb22-2\"><a href=\"#cb22-2\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-3.log <span class=\"kw\">|<\/span> <span class=\"ex\">melidmsg<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb22-3\"><a href=\"#cb22-3\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">72<\/span> 932160 Remote Command Execution: Unix Shell Code Found<\/span><\/code><\/pre><\/div>\n<p>Wow, that\u2019s really simple. A single rule triggering twice for every request. 
But what does \u201cRemote Command Execution\u201d mean in this context?<\/p>\n<div class=\"sourceCode\" id=\"cb23\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb23-1\"><a href=\"#cb23-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-3.log <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb23-2\"><a href=\"#cb23-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:account[pass][pass1]<\/span>\n<span id=\"cb23-3\"><a href=\"#cb23-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARGS<\/span>:account[pass][pass2]<\/span>\n<span id=\"cb23-4\"><a href=\"#cb23-4\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error-round-3.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 932160 <span class=\"kw\">|<\/span> <span class=\"ex\">meldata<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb23-5\"><a href=\"#cb23-5\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">72<\/span> Matched Data: \/bin\/bash found within ARGS:account[pass<\/span><\/code><\/pre><\/div>\n<p>This looks like there is a password <code>\/bin\/bash<\/code> here. That is probably not the smartest choice, but nothing that should really harm us, since passwords are rarely executed like a shell script. In fact a decent piece of software like Drupal will hash the payload before it is used to check the identity of a user. So we can easily suppress this rule for the password parameter. Or looking forward a bit, we can expect other funny passwords to trigger all sorts of rules on the password field. In fact, this is another situation where it makes sense to disable a whole class of rules. We have multiple options. 
We can disable by tag as we\u2019ve done before, or we can disable by rule ID range. Let\u2019s look over the various rules files for a moment:<\/p>\n<div class=\"sourceCode\" id=\"cb24\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb24-1\"><a href=\"#cb24-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-901-INITIALIZATION.conf<\/span><\/span>\n<span id=\"cb24-2\"><a href=\"#cb24-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-3\"><a href=\"#cb24-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-4\"><a href=\"#cb24-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-5\"><a href=\"#cb24-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-6\"><a href=\"#cb24-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-7\"><a href=\"#cb24-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-8\"><a href=\"#cb24-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf<\/span><\/span>\n<span id=\"cb24-9\"><a href=\"#cb24-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-905-COMMON-EXCEPTIONS.conf<\/span><\/span>\n<span id=\"cb24-10\"><a href=\"#cb24-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-910-IP-REPUTATION.conf<\/span><\/span>\n<span id=\"cb24-11\"><a href=\"#cb24-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-911-METHOD-ENFORCEMENT.conf<\/span><\/span>\n<span id=\"cb24-12\"><a href=\"#cb24-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-912-DOS-PROTECTION.conf<\/span><\/span>\n<span id=\"cb24-13\"><a 
href=\"#cb24-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-913-SCANNER-DETECTION.conf<\/span><\/span>\n<span id=\"cb24-14\"><a href=\"#cb24-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-920-PROTOCOL-ENFORCEMENT.conf<\/span><\/span>\n<span id=\"cb24-15\"><a href=\"#cb24-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-921-PROTOCOL-ATTACK.conf<\/span><\/span>\n<span id=\"cb24-16\"><a href=\"#cb24-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-930-APPLICATION-ATTACK-LFI.conf<\/span><\/span>\n<span id=\"cb24-17\"><a href=\"#cb24-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-931-APPLICATION-ATTACK-RFI.conf<\/span><\/span>\n<span id=\"cb24-18\"><a href=\"#cb24-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-932-APPLICATION-ATTACK-RCE.conf<\/span><\/span>\n<span id=\"cb24-19\"><a href=\"#cb24-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-933-APPLICATION-ATTACK-PHP.conf<\/span><\/span>\n<span id=\"cb24-20\"><a href=\"#cb24-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-941-APPLICATION-ATTACK-XSS.conf<\/span><\/span>\n<span id=\"cb24-21\"><a href=\"#cb24-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-942-APPLICATION-ATTACK-SQLI.conf<\/span><\/span>\n<span id=\"cb24-22\"><a href=\"#cb24-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf<\/span><\/span>\n<span id=\"cb24-23\"><a href=\"#cb24-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-944-APPLICATION-ATTACK-JAVA.conf<\/span><\/span>\n<span id=\"cb24-24\"><a href=\"#cb24-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">REQUEST-949-BLOCKING-EVALUATION.conf<\/span><\/span>\n<span id=\"cb24-25\"><a href=\"#cb24-25\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-950-DATA-LEAKAGES.conf<\/span><\/span>\n<span id=\"cb24-26\"><a href=\"#cb24-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-951-DATA-LEAKAGES-SQL.conf<\/span><\/span>\n<span 
id=\"cb24-27\"><a href=\"#cb24-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-952-DATA-LEAKAGES-JAVA.conf<\/span><\/span>\n<span id=\"cb24-28\"><a href=\"#cb24-28\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-953-DATA-LEAKAGES-PHP.conf<\/span><\/span>\n<span id=\"cb24-29\"><a href=\"#cb24-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-954-DATA-LEAKAGES-IIS.conf<\/span><\/span>\n<span id=\"cb24-30\"><a href=\"#cb24-30\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-959-BLOCKING-EVALUATION.conf<\/span><\/span>\n<span id=\"cb24-31\"><a href=\"#cb24-31\" aria-hidden=\"true\"><\/a><span class=\"ex\">RESPONSE-980-CORRELATION.conf<\/span><\/span><\/code><\/pre><\/div>\n<p>We do not want to ignore the protocol attacks, but all the application stuff should be off limits. So let\u2019s kick the rules from <code>REQUEST-930-APPLICATION-ATTACK-LFI.conf<\/code> to <code>REQUEST-944-APPLICATION-ATTACK-JAVA.conf<\/code> for the parameters in question. This is effectively the rule range from 930,000 to 944,999. The script can\u2019t do rule ranges, but we can easily complement this ourselves:<\/p>\n<div class=\"sourceCode\" id=\"cb25\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb25-1\"><a href=\"#cb25-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 930000 - 944999 : All application rules for password parameters<\/span><\/span>\n<span id=\"cb25-2\"><a href=\"#cb25-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:account[pass][pass1]&quot;<\/span><\/span>\n<span id=\"cb25-3\"><a href=\"#cb25-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:account[pass][pass2]&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>Time to reduce the limit once more (down to 10!) 
and see what happens.<\/p>\n<h3 id=\"step-7-the-fourth-batch-of-rule-exclusions\">Step 7: The fourth batch of rule exclusions<\/h3>\n<p>Here is the pair of logs I got after running the traffic generator once more:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-access-round-4.log\">tutorial-8-example-access-round-4.log<\/a><\/li>\n<li><a href=\"https:\/\/www.netnea.com\/files\/tutorial-8-example-error-round-4.log\">tutorial-8-example-error-round-4.log<\/a><\/li>\n<\/ul>\n<p>These are the statistics:<\/p>\n<div class=\"sourceCode\" id=\"cb26\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb26-1\"><a href=\"#cb26-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-access-round-4.log <span class=\"kw\">|<\/span> <span class=\"ex\">alscores<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">modsec-positive-stats.rb<\/span> --incoming<\/span>\n<span id=\"cb26-2\"><a href=\"#cb26-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span>                     Num of req. <span class=\"kw\">|<\/span> <span class=\"ex\">%<\/span> of req. <span class=\"kw\">|<\/span>  <span class=\"ex\">Sum<\/span> of % <span class=\"kw\">|<\/span> <span class=\"ex\">Missing<\/span> %<\/span>\n<span id=\"cb26-3\"><a href=\"#cb26-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">Number<\/span> of incoming req. (total) <span class=\"kw\">|<\/span>  <span class=\"ex\">10000<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span><\/span>\n<span id=\"cb26-4\"><a href=\"#cb26-4\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb26-5\"><a href=\"#cb26-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">Empty<\/span> or miss. 
incoming score   <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">100.0000%<\/span><\/span>\n<span id=\"cb26-6\"><a href=\"#cb26-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   0 <span class=\"kw\">|<\/span>   <span class=\"ex\">9571<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.7099%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.7099%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.2901%<\/span><\/span>\n<span id=\"cb26-7\"><a href=\"#cb26-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   1 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.7099%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.2901%<\/span><\/span>\n<span id=\"cb26-8\"><a href=\"#cb26-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   2 <span class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">95.7099%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">4.2901%<\/span><\/span>\n<span id=\"cb26-9\"><a href=\"#cb26-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   3 <span class=\"kw\">|<\/span>    <span class=\"ex\">388<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">3.8800%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.5899%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.4101%<\/span><\/span>\n<span id=\"cb26-10\"><a href=\"#cb26-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   4 <span 
class=\"kw\">|<\/span>      <span class=\"ex\">0<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0000%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.5899%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.4101%<\/span><\/span>\n<span id=\"cb26-11\"><a href=\"#cb26-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">Reqs<\/span> with incoming score of   5 <span class=\"kw\">|<\/span>     <span class=\"ex\">41<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.4100%<\/span> <span class=\"kw\">|<\/span>  <span class=\"ex\">99.9999%<\/span> <span class=\"kw\">|<\/span>   <span class=\"ex\">0.0001%<\/span><\/span>\n<span id=\"cb26-12\"><a href=\"#cb26-12\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb26-13\"><a href=\"#cb26-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">Incoming<\/span> average:   0.1369    Median   0.0000    Standard deviation   0.6580<\/span><\/code><\/pre><\/div>\n<p>It seems that we are almost done. What rules are behind these remaining alerts at anomaly score 3 and 5?<\/p>\n<div class=\"sourceCode\" id=\"cb27\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb27-1\"><a href=\"#cb27-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-error-round-4.log  <span class=\"kw\">|<\/span> <span class=\"ex\">melidmsg<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb27-2\"><a href=\"#cb27-2\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">41<\/span> 932160 Remote Command Execution: Unix Shell Code Found<\/span>\n<span id=\"cb27-3\"><a href=\"#cb27-3\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span><\/code><\/pre><\/div>\n<p>Look, the Remote Command Execution is back. 
What\u2019s the matter exactly?<\/p>\n<div class=\"sourceCode\" id=\"cb28\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb28-1\"><a href=\"#cb28-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> ~\/data\/git\/laboratory\/tutorial-8\/tutorial-8-example-error-round-4.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 932160 <span class=\"kw\">|<\/span> <span class=\"ex\">meluri<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb28-2\"><a href=\"#cb28-2\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">41<\/span> \/drupal\/index.php\/user\/login<\/span>\n<span id=\"cb28-3\"><a href=\"#cb28-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> ~\/data\/git\/laboratory\/tutorial-8\/tutorial-8-example-error-round-4.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 932160 <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb28-4\"><a href=\"#cb28-4\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">41<\/span> ARGS:pass<\/span><\/code><\/pre><\/div>\n<p>Ah yes, that makes sense. The previous alerts were the instances where the password had been set, and here, the password is used for the login. 
We\u2019ll simply add this to the previous password rule exclusion:<\/p>\n<div class=\"sourceCode\" id=\"cb29\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb29-1\"><a href=\"#cb29-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 930000 - 944999 : All application rules for password parameters<\/span><\/span>\n<span id=\"cb29-2\"><a href=\"#cb29-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:account[pass][pass1]&quot;<\/span><\/span>\n<span id=\"cb29-3\"><a href=\"#cb29-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:account[pass][pass2]&quot;<\/span><\/span>\n<span id=\"cb29-4\"><a href=\"#cb29-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:pass&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>And then we\u2019re facing 942431 Restricted SQL Character Anomaly Detection again. We have done a rule exclusion for this rule on parameter <code>ids[]<\/code> on path <code>\/drupal\/index.php\/contextual\/render<\/code>. 
We could kick the rule completely, but given this is the remaining alert, we can also approach this with a bit more patience:<\/p>\n<div class=\"sourceCode\" id=\"cb30\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb30-1\"><a href=\"#cb30-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-error-round-4.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"ex\">meluri<\/span>  <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb30-2\"><a href=\"#cb30-2\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> \/drupal\/index.php\/quickedit\/attachments<\/span>\n<span id=\"cb30-3\"><a href=\"#cb30-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-error-round-4.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"ex\">melmatch<\/span>  <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><\/span>\n<span id=\"cb30-4\"><a href=\"#cb30-4\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> ARGS:ajax_page_state[libraries]<\/span><\/code><\/pre><\/div>\n<p>So it\u2019s a single parameter again. 
Let\u2019s call the helper script one last time and tell it to use 10002 as the new rule ID.<\/p>\n<div class=\"sourceCode\" id=\"cb31\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb31-1\"><a href=\"#cb31-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-error-round-4.log <span class=\"kw\">|<\/span> <span class=\"fu\">grep<\/span> 942431 <span class=\"kw\">|<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb31-2\"><a href=\"#cb31-2\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">modsec-rulereport.rb<\/span> --runtime --target --byid --baseruleid 10002<\/span>\n<span id=\"cb31-3\"><a href=\"#cb31-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942431 : Restricted SQL Character Anomaly Detection (args): # of special \u2026<\/span><\/span>\n<span id=\"cb31-4\"><a href=\"#cb31-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/quickedit\/attachments&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb31-5\"><a href=\"#cb31-5\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10002,ctl:ruleRemoveTargetById=942431;ARGS:ajax_page_state[libraries]&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>And with this, we are done. We have successfully fought all the false positives of a content management system with peculiar parameter formats and a ModSecurity rule set pushed to insanely paranoid levels.<\/p>\n<p>I suggest you run the traffic generator again and check the output. I did and I ended up with zero alerts. 
This confirms that our tuning was effective and we were able to bring down the number of alerts to zero with just four relatively simple iterations.<\/p>\n<h3 id=\"step-8-summarizing-all-rule-exclusions\">Step 8: Summarizing all rule exclusions<\/h3>\n<p>Time to look back and rearrange the configuration file with all the rule exclusions. 
I have regrouped them a bit, swapped the rule IDs 10001 and 10002, and added some comments. That is quite a few rule exclusions. But then this is a site blogging about SQL, running at paranoia level 4; not too bad, I think.<\/p>\n<div class=\"sourceCode\" id=\"cb32\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb32-1\"><a href=\"#cb32-1\" aria-hidden=\"true\"><\/a><span class=\"co\"># === ModSec Core Rule Set: Runtime Exclusion Rules (ids: 10000-49999)<\/span><\/span>\n<span id=\"cb32-2\"><a href=\"#cb32-2\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-3\"><a href=\"#cb32-3\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942431 : Restricted SQL Character Anomaly Detection (args): \u2026<\/span><\/span>\n<span id=\"cb32-4\"><a href=\"#cb32-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/contextual\/render&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb32-5\"><a href=\"#cb32-5\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=942431;ARGS:ids[]&quot;<\/span><\/span>\n<span id=\"cb32-6\"><a href=\"#cb32-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/quickedit\/attachments&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb32-7\"><a href=\"#cb32-7\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10001,ctl:ruleRemoveTargetById=942431;ARGS:ajax_page_state[libraries]&quot;<\/span><\/span>\n<span id=\"cb32-8\"><a href=\"#cb32-8\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-9\"><a href=\"#cb32-9\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: All SQLi rules for parameter keys on search form via tag attack-sqli<\/span><\/span>\n<span id=\"cb32-10\"><a href=\"#cb32-10\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">SecRule<\/span> REQUEST_URI <span class=\"st\">&quot;@beginsWith \/drupal\/index.php\/search\/node&quot;<\/span> <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb32-11\"><a href=\"#cb32-11\" aria-hidden=\"true\"><\/a>    <span class=\"st\">&quot;phase:1,nolog,pass,id:10002,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:keys&quot;<\/span><\/span>\n<span id=\"cb32-12\"><a href=\"#cb32-12\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-13\"><a href=\"#cb32-13\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-14\"><a href=\"#cb32-14\" aria-hidden=\"true\"><\/a><span class=\"co\"># === ModSecurity Core Rule Set Inclusion<\/span><\/span>\n<span id=\"cb32-15\"><a href=\"#cb32-15\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-16\"><a href=\"#cb32-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Include<\/span>    \/apache\/conf\/crs\/rules\/*.conf<\/span>\n<span id=\"cb32-17\"><a href=\"#cb32-17\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-18\"><a href=\"#cb32-18\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-19\"><a href=\"#cb32-19\" aria-hidden=\"true\"><\/a><span class=\"co\"># === ModSec Core Rule Set: Startup Time Rules Exclusions<\/span><\/span>\n<span id=\"cb32-20\"><a href=\"#cb32-20\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-21\"><a href=\"#cb32-21\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 920273 : Invalid character in request (outside of very strict set)<\/span><\/span>\n<span id=\"cb32-22\"><a href=\"#cb32-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 920273<\/span>\n<span id=\"cb32-23\"><a href=\"#cb32-23\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-24\"><a href=\"#cb32-24\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942432 : Restricted SQL Character Anomaly Detection (args): <\/span><\/span>\n<span id=\"cb32-25\"><a href=\"#cb32-25\" aria-hidden=\"true\"><\/a><span 
class=\"co\"># number of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb32-26\"><a href=\"#cb32-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 942432<\/span>\n<span id=\"cb32-27\"><a href=\"#cb32-27\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-28\"><a href=\"#cb32-28\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 942450 : SQL Hex Encoding Identified (severity: 5 CRITICAL)<\/span><\/span>\n<span id=\"cb32-29\"><a href=\"#cb32-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 942450 <span class=\"st\">&quot;!REQUEST_COOKIES&quot;<\/span><\/span>\n<span id=\"cb32-30\"><a href=\"#cb32-30\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 942450 <span class=\"st\">&quot;!REQUEST_COOKIES_NAMES&quot;<\/span><\/span>\n<span id=\"cb32-31\"><a href=\"#cb32-31\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-32\"><a href=\"#cb32-32\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-33\"><a href=\"#cb32-33\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution<\/span><\/span>\n<span id=\"cb32-34\"><a href=\"#cb32-34\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleRemoveById<\/span> 921180<\/span>\n<span id=\"cb32-35\"><a href=\"#cb32-35\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-36\"><a href=\"#cb32-36\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb32-37\"><a href=\"#cb32-37\" aria-hidden=\"true\"><\/a><span class=\"co\"># ModSec Rule Exclusion: 930000 - 944999 : All application rules for password parameters<\/span><\/span>\n<span id=\"cb32-38\"><a href=\"#cb32-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:account[pass][pass1]&quot;<\/span><\/span>\n<span id=\"cb32-39\"><a href=\"#cb32-39\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 
<span class=\"st\">&quot;!ARGS:account[pass][pass2]&quot;<\/span><\/span>\n<span id=\"cb32-40\"><a href=\"#cb32-40\" aria-hidden=\"true\"><\/a><span class=\"ex\">SecRuleUpdateTargetById<\/span> 930000-944999 <span class=\"st\">&quot;!ARGS:pass&quot;<\/span><\/span><\/code><\/pre><\/div>\n<h3 id=\"step-9-goodie-getting-a-quicker-overview\">Step 9 (Goodie): Getting a quicker overview<\/h3>\n<p>If you do this for the first time, it all looks a bit overwhelming. But then it\u2019s only been an hour of work or so, which seems reasonable &#8211; even more so if you stretch it out over multiple iterations. One thing that helps you get up to speed is an overview of all the alerts behind the scores. It\u2019s a good idea to have a look at the distribution of the scores as described above. A good next step is to get a report of how exactly the <em>anomaly scores<\/em> came about, such as an overview of the rule violations for each anomaly score. The following construct generates a report like this. On the first line, we extract a list of anomaly scores from the incoming requests which actually appear in the log file. 
We then build a loop around these <em>scores<\/em>, read the <em>request ID<\/em> for each <em>score<\/em>, save it in the file <code>ids<\/code> and perform a short analysis for these <em>IDs<\/em> in the <em>error log<\/em>.<\/p>\n<div class=\"sourceCode\" id=\"cb33\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb33-1\"><a href=\"#cb33-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> tutorial-8-example-access.log <span class=\"kw\">|<\/span> <span class=\"ex\">alscorein<\/span> <span class=\"kw\">|<\/span> <span class=\"fu\">sort<\/span> -n <span class=\"kw\">|<\/span> <span class=\"fu\">uniq<\/span> <span class=\"kw\">|<\/span> <span class=\"fu\">egrep<\/span> -v -E <span class=\"st\">&quot;^0&quot;<\/span> <span class=\"op\">&gt;<\/span> scores<\/span>\n<span id=\"cb33-2\"><a href=\"#cb33-2\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">cat<\/span> scores <span class=\"kw\">|<\/span> <span class=\"kw\">while<\/span> <span class=\"bu\">read<\/span> <span class=\"va\">S<\/span>; <span class=\"kw\">do<\/span> <span class=\"bu\">echo<\/span> <span class=\"st\">&quot;INCOMING SCORE <\/span><span class=\"va\">$S<\/span><span class=\"st\">&quot;<\/span><span class=\"kw\">;\\<\/span><\/span>\n<span id=\"cb33-3\"><a href=\"#cb33-3\" aria-hidden=\"true\"><\/a><span class=\"fu\">grep<\/span> -E <span class=\"st\">&quot; <\/span><span class=\"va\">$S<\/span><span class=\"st\"> [0-9-]+$&quot;<\/span> tutorial-8-example-access.log <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb33-4\"><a href=\"#cb33-4\" aria-hidden=\"true\"><\/a><span class=\"kw\">|<\/span> <span class=\"ex\">alreqid<\/span> <span class=\"op\">&gt;<\/span> ids<span class=\"kw\">;<\/span> <span class=\"fu\">grep<\/span> -F -f ids tutorial-8-example-error.log <span class=\"kw\">|<\/span> <span class=\"ex\">melidmsg<\/span> <span class=\"kw\">|<\/span> <span class=\"ex\">sucs<\/span><span 
class=\"kw\">;<\/span> <span class=\"bu\">echo<\/span> <span class=\"kw\">;<\/span> <span class=\"kw\">done<\/span> <\/span>\n<span id=\"cb33-5\"><a href=\"#cb33-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 5<\/span>\n<span id=\"cb33-6\"><a href=\"#cb33-6\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">30<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:op)<\/span>\n<span id=\"cb33-7\"><a href=\"#cb33-7\" aria-hidden=\"true\"><\/a>   <span class=\"ex\">3532<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-8\"><a href=\"#cb33-8\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-9\"><a href=\"#cb33-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 8<\/span>\n<span id=\"cb33-10\"><a href=\"#cb33-10\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">1<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-11\"><a href=\"#cb33-11\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">1<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-12\"><a href=\"#cb33-12\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-13\"><a href=\"#cb33-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 10<\/span>\n<span id=\"cb33-14\"><a href=\"#cb33-14\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">4<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-15\"><a href=\"#cb33-15\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-16\"><a href=\"#cb33-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 20<\/span>\n<span id=\"cb33-17\"><a href=\"#cb33-17\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">41<\/span> 932160 Remote Command Execution: Unix Shell Code Found<\/span>\n<span id=\"cb33-18\"><a href=\"#cb33-18\" aria-hidden=\"true\"><\/a>    
<span class=\"ex\">123<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-19\"><a href=\"#cb33-19\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-20\"><a href=\"#cb33-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 24<\/span>\n<span id=\"cb33-21\"><a href=\"#cb33-21\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">50<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span>\n<span id=\"cb33-22\"><a href=\"#cb33-22\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">50<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-23\"><a href=\"#cb33-23\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">100<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-24\"><a href=\"#cb33-24\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">100<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-25\"><a href=\"#cb33-25\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-26\"><a href=\"#cb33-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 30<\/span>\n<span id=\"cb33-27\"><a href=\"#cb33-27\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-28\"><a href=\"#cb33-28\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942190 Detects MSSQL code execution and information gathering attempts<\/span>\n<span id=\"cb33-29\"><a href=\"#cb33-29\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942200 Detects MySQL comment-\/space-obfuscated injections and backtick termination<\/span>\n<span id=\"cb33-30\"><a href=\"#cb33-30\" aria-hidden=\"true\"><\/a>     <span 
class=\"ex\">76<\/span> 942260 Detects basic SQL authentication bypass attempts 2\/3<\/span>\n<span id=\"cb33-31\"><a href=\"#cb33-31\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942270 Looking for basic sql injection. Common attack string for mysql, oracle and others<\/span>\n<span id=\"cb33-32\"><a href=\"#cb33-32\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942480 SQL Injection Attack<\/span>\n<span id=\"cb33-33\"><a href=\"#cb33-33\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 35<\/span>\n<span id=\"cb33-34\"><a href=\"#cb33-34\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-35\"><a href=\"#cb33-35\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942100 SQL Injection Attack Detected via libinjection<\/span>\n<span id=\"cb33-36\"><a href=\"#cb33-36\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942190 Detects MSSQL code execution and information gathering attempts<\/span>\n<span id=\"cb33-37\"><a href=\"#cb33-37\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942200 Detects MySQL comment-\/space-obfuscated injections and backtick termination<\/span>\n<span id=\"cb33-38\"><a href=\"#cb33-38\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942260 Detects basic SQL authentication bypass attempts 2\/3<\/span>\n<span id=\"cb33-39\"><a href=\"#cb33-39\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942270 Looking for basic sql injection. 
Common attack string for mysql, oracle and others<\/span>\n<span id=\"cb33-40\"><a href=\"#cb33-40\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942480 SQL Injection Attack<\/span>\n<span id=\"cb33-41\"><a href=\"#cb33-41\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-42\"><a href=\"#cb33-42\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 37<\/span>\n<span id=\"cb33-43\"><a href=\"#cb33-43\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">5<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span>\n<span id=\"cb33-44\"><a href=\"#cb33-44\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">5<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-45\"><a href=\"#cb33-45\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">15<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-46\"><a href=\"#cb33-46\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">20<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-47\"><a href=\"#cb33-47\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-48\"><a href=\"#cb33-48\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 74<\/span>\n<span id=\"cb33-49\"><a href=\"#cb33-49\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:editors[])<\/span>\n<span id=\"cb33-50\"><a href=\"#cb33-50\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span>\n<span id=\"cb33-51\"><a href=\"#cb33-51\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">388<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-52\"><a href=\"#cb33-52\" aria-hidden=\"true\"><\/a>   <span 
class=\"ex\">2716<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-53\"><a href=\"#cb33-53\" aria-hidden=\"true\"><\/a>   <span class=\"ex\">3104<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-54\"><a href=\"#cb33-54\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-55\"><a href=\"#cb33-55\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 78<\/span>\n<span id=\"cb33-56\"><a href=\"#cb33-56\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:keys)<\/span>\n<span id=\"cb33-57\"><a href=\"#cb33-57\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942100 SQL Injection Attack Detected via libinjection<\/span>\n<span id=\"cb33-58\"><a href=\"#cb33-58\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">76<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-59\"><a href=\"#cb33-59\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">152<\/span> 942190 Detects MSSQL code execution and information gathering attempts<\/span>\n<span id=\"cb33-60\"><a href=\"#cb33-60\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">152<\/span> 942200 Detects MySQL comment-\/space-obfuscated injections and backtick termination<\/span>\n<span id=\"cb33-61\"><a href=\"#cb33-61\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">152<\/span> 942260 Detects basic SQL authentication bypass attempts 2\/3<\/span>\n<span id=\"cb33-62\"><a href=\"#cb33-62\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">152<\/span> 942270 Looking for basic sql injection. 
Common attack string for mysql, oracle and others<\/span>\n<span id=\"cb33-63\"><a href=\"#cb33-63\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">152<\/span> 942480 SQL Injection Attack<\/span>\n<span id=\"cb33-64\"><a href=\"#cb33-64\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">228<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-65\"><a href=\"#cb33-65\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 79<\/span>\n<span id=\"cb33-66\"><a href=\"#cb33-66\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">8<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-67\"><a href=\"#cb33-67\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">11<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-68\"><a href=\"#cb33-68\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-69\"><a href=\"#cb33-69\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 93<\/span>\n<span id=\"cb33-70\"><a href=\"#cb33-70\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">72<\/span> 932160 Remote Command Execution: Unix Shell Code Found<\/span>\n<span id=\"cb33-71\"><a href=\"#cb33-71\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">665<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:fields[])<\/span>\n<span id=\"cb33-72\"><a href=\"#cb33-72\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">665<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-73\"><a href=\"#cb33-73\" aria-hidden=\"true\"><\/a>   <span class=\"ex\">4206<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-74\"><a href=\"#cb33-74\" aria-hidden=\"true\"><\/a>   <span class=\"ex\">9113<\/span> 920273 Invalid 
character in request (outside of very strict set)<\/span>\n<span id=\"cb33-75\"><a href=\"#cb33-75\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-76\"><a href=\"#cb33-76\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 144<\/span>\n<span id=\"cb33-77\"><a href=\"#cb33-77\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">1<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span>\n<span id=\"cb33-78\"><a href=\"#cb33-78\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">5<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span>\n<span id=\"cb33-79\"><a href=\"#cb33-79\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">14<\/span> 920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-80\"><a href=\"#cb33-80\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">18<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span>\n<span id=\"cb33-81\"><a href=\"#cb33-81\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb33-82\"><a href=\"#cb33-82\" aria-hidden=\"true\"><\/a><span class=\"ex\">INCOMING<\/span> SCORE 171<\/span>\n<span id=\"cb33-83\"><a href=\"#cb33-83\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">6<\/span> 921180 HTTP Parameter Pollution (ARGS_NAMES:ids[])<\/span>\n<span id=\"cb33-84\"><a href=\"#cb33-84\" aria-hidden=\"true\"><\/a>      <span class=\"ex\">6<\/span> 942450 SQL Hex Encoding Identified<\/span>\n<span id=\"cb33-85\"><a href=\"#cb33-85\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">30<\/span> 942431 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (6)<\/span><\/span>\n<span id=\"cb33-86\"><a href=\"#cb33-86\" aria-hidden=\"true\"><\/a>     <span class=\"ex\">96<\/span> 
920273 Invalid character in request (outside of very strict set)<\/span>\n<span id=\"cb33-87\"><a href=\"#cb33-87\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">132<\/span> 942432 Restricted SQL Character Anomaly Detection (args)<span class=\"bu\">:<\/span> <span class=\"co\"># of special characters exceeded (2)<\/span><\/span><\/code><\/pre><\/div>\n<p>Before we finish with this tutorial, let me reiterate my tuning policy:<\/p>\n<ul>\n<li>Always work in blocking mode<\/li>\n<li>Highest scoring requests go first<\/li>\n<li>Work in several iterations<\/li>\n<\/ul>\n<p>When you grow more proficient, you can reduce the number of iterations and tackle more false alarms in a single batch. Or you can concentrate on the rules that are triggered most often. That may work as well and in the end, when all rule exclusions are in place, you should end up with the same configuration. But in my experience, the policy with the three simple guiding rules is the one with the highest chance of success and the one with the lowest drop-out rate.<\/p>\n<p>We have now reached the end of the block consisting of three <em>ModSecurity tutorials<\/em>. 
The next one will look into setting up a <em>reverse proxy<\/em>.<\/p>\n<h3 id=\"references\">References<\/h3>\n<ul>\n<li><a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\/wiki\/Reference-Manual\">ModSecurity Reference Manual<\/a><\/li>\n<\/ul>\n<h3 id=\"license-copying-further-use\">License \/ Copying \/ Further use<\/h3>\n<p><a rel=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\"><img decoding=\"async\" alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https:\/\/i.creativecommons.org\/l\/by-nc-sa\/4.0\/80x15.png\" \/><\/a><br \/>This work is licensed under a <a rel=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\">Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License<\/a>.<\/p>\n<h5 id=\"changelog\">Changelog<\/h5>\n<ul>\n<li>2022-11-21: Explain alias alscores<\/li>\n<li>2021-07-09: Complete rewrite based on new modsec-rulereport.rb script<\/li>\n<li>2021-01-25: Update 943999 -&gt; 944999, added missing rule exclusion pkgs<\/li>\n<li>2020-02-05: Doctoring the format of the example access logs to work with the extended-2019 format<\/li>\n<li>2019-04-03: Raise initial anomaly threshold to 10,000<\/li>\n<li>2018-04-13: Update title format (markdown); rewordings (Simon Studer)<\/li>\n<li>2017-09-25: Update apr (1.6.2), apr-util (1.6.0), Apache (2.4.27) and ModSecurity (2.9.2)<\/li>\n<li>2017-03-05: Update text about rule 942100<\/li>\n<li>2017-02-25: Closing quotes in rules sum-up<\/li>\n<li>2017-02-16: Reformatting<\/li>\n<li>2017-02-15: Small fixes throughout the tutorial after input from Osama Elnaggar<\/li>\n<li>2016-12-28: Fixing links to example log files, fixing comments in apache config, Apache 2.4.23 -&gt; 2.4.25<\/li>\n<li>2016-12-11: Reworded two passages for easier understanding<\/li>\n<li>2016-12-08: Typos<\/li>\n<li>2016-11-14: Fixing links to previous tutorials<\/li>\n<li>2016-11-08: Publication<\/li>\n<li>2016-11-07: Review of new text, added untuned 
distribution graph<\/li>\n<li>2016-11-06: Rewrite for CRS 3.0<\/li>\n<li>2016-10-10: Fixing small issues<\/li>\n<li>2016-07-15: Apache 2.4.20 -&gt; 2.4.23<\/li>\n<li>2016-04-18: Fixing small issues<\/li>\n<li>2016-03-10: Translated to English<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Handling False Positives with the OWASP ModSecurity Core Rule Set This tutorial is currently undergoing the transition from CRS3 to CRS4, some things may fail to work as advertised. Christian Folini 2026-01-22 What are we doing? We will take a vanilla installation of the OWASP ModSecurity Core Rule Set (CRS) troubled by a large number [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-951","page","type-page","status-publish","czr-hentry"],"_links":{"self":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/comments?post=951"}],"version-history":[{"count":4,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/951\/revisions"}],"predecessor-version":[{"id":2143,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/951\/revisions\/2143"}],"wp:attachment":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/media?parent=951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}