The Paranoia Level (PL) setting in crs-setup.conf allows you to choose the desired level of rule checks. You can adjust the Paranoia Level on a per-website basis, by copying rule 900000 from the crs-setup.conf file into the respective <VirtualHost> section of your webserver configuration (giving it a new rule id).
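An added example (not taken from the CRS distribution's own files) of that per-website override: the global rule 900000 keeps PL1 for every site, and a copy with a new id inside one vhost raises that site to PL3, followed by one exclusion rule of the kind higher levels tend to need. The hostname, the ids 999000 and 999001, the include path and the excluded rule/parameter are assumed values.

```apache
# Global default, as shipped in crs-setup.conf: PL1 for every site.
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# Per-site override: a copy of rule 900000 with a new, unused id.
# Assumption: the CRS rule files are included inside this vhost *after*
# the override, so the initialization rules see tx.paranoia_level=3.
<VirtualHost *:443>
    ServerName admin.example.com        # assumed hostname

    SecAction \
     "id:999000,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:tx.paranoia_level=3"

    # Example exclusion for a false positive at the higher level: stop the
    # PL2 SQL special-character anomaly rule (942430, assumed here) from
    # inspecting the "q" parameter of the search endpoint only.
    SecRule REQUEST_URI "@beginsWith /search" \
      "id:999001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942430;ARGS:q"

    IncludeOptional /etc/modsecurity/crs/rules/*.conf   # assumed path
</VirtualHost>
```

Exclusions written this way are scoped to one endpoint and one parameter, so the rest of the site keeps the full PL3 coverage.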
With each paranoia level increase, the CRS enables additional rules, giving you a higher level of security. However, higher paranoia levels also increase the possibility of blocking some legitimate traffic due to false alarms (also called false positives or FPs). If you use higher paranoia levels, it is likely that you will need to add some exclusion rules for certain applications that need to receive complex input patterns.
- A paranoia level of 1 (PL1) is default. In this level, most core rules are enabled. PL1 is advised for beginners, installations covering many different sites and applications, and for setups with standard security requirements. At PL1 you should face FPs rarely, and therefore it is recommended for all sites and applications. If you encounter FPs, please open an issue on the CRS GitHub site. Don’t forget to attach your complete Audit Log record containing the request with the issue. Be sure to scrub any personal data and sensitive information!
- Paranoia level 2 (PL2) includes many extra rules, for instance enabling many regexp-based SQL and XSS injection protections, and adding extra keywords checked for code injections. PL2 includes some rules which were present by default in CRS 2.x, but excluded in the default level in CRS 3.x because of common false positive complaints. Nevertheless, these rules will add extra protection against advanced and obfuscated attacks which may evade the rules of PL1. PL2 is advised for moderate to experienced users who desire more complete coverage, and for all installations with elevated security requirements. PL2 may also be a good choice for existing CRS 2.x users, as the level of FPs will be comparable to a CRS 2.x installation. PL2 may cause some FPs which you need to handle.
- Paranoia level 3 (PL3) enables more rules and keyword lists that cover less common attacks. PL3 also tweaks limits on all special characters used, which provides high coverage against unknown attack types, obfuscated attacks and attempted WAF bypasses. PL3 is aimed at users who are experienced at the handling of FPs and at installations with high security requirements. PL3 may regularly cause FPs which you need to handle.
- Paranoia level 4 (PL4) further restricts special characters. PL4 is advised for experienced users protecting installations with very high security requirements. Running PL4 will likely produce a very high number of FPs which have to be handled before the site can go into production.