Thread: [mod-security-users] False positives
From: samaneh b. <sam...@au...> - 2013-06-14 10:57:15
Hi dear users,

I am wondering if anyone knows how we can detect false positives in ModSecurity automatically? Is there any method to detect these false alarms, for example with a special algorithm?
From: Reindl H. <h.r...@th...> - 2013-06-14 11:21:24
Attachments:
signature.asc
On 14.06.2013 12:45, samaneh berenjian wrote:
> I am wondering if anyone knows how we can detect false positives in ModSecurity automatically? Is there any method
> to detect these false alarms, for example with a special algorithm?

If it were possible to detect it automatically, it would not happen at all, because the algorithm would sit in modsec directly - don't you think?
From: yersinia <yer...@gm...> - 2013-06-14 12:35:35
On Fri, Jun 14, 2013 at 12:45 PM, samaneh berenjian <sam...@au...> wrote:
> Hi Dear users,
> I am wondering if anyone knows how we can detect false positives in
> ModSecurity automatically? Is there any method to detect these false alarms,
> for example with a special algorithm?

I don't think, in general, that this is a simple question to answer for any IPS or IDS product, not mod_security only.

http://www.mathsisfun.com/data/probability-false-negatives-positives.html
http://en.wikipedia.org/wiki/Type_I_and_type_II_errors

Here are some hints:
http://www.symantec.com/connect/articles/strategies-reduce-false-positives-and-negatives-nids-part-two
(speaking of NIDS, but the concepts are similar)

Best

> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
> Build for Windows Store.
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Manoel D. J. <man...@gm...> - 2013-06-14 15:57:15
If you put mod_security in homologation and use a spider (such as the one present in OWASP ZAP), you can identify the rules which result in false positives. You can also use the results to build a positive approach.

Best regards,

-- 
Manoel Domingues Junior
"Collecting data is the first step toward wisdom, but sharing data is the first step toward community."
IBM - Prodigy Linux
From: Christian F. <chr...@ti...> - 2013-06-14 18:37:34
Hi there,

On Fri, Jun 14, 2013 at 12:56:45PM -0300, Manoel Domingues Junior wrote:
> If you put mod_security for homologation and use a spider (such as the
> present in OWASP ZAP) can identify the rules which result in false
> positives.

Now that is an interesting thought. Could you explain that a bit further? Have you done this?

Regs,

Christian

> You can also use the results to build a positive approach.
From: Manoel D. J. <man...@gm...> - 2013-06-14 18:48:54
Hi,

I'm a big fan of the positive approach in mod_security, but it is very tiring to study the entire web application and create the mod_security rules.

To solve both problems, I use OWASP ZAP to perform a scan on the web application, analyze the logs (error_log), see which rules are the largest generators of false positives, and disable (or modify) them.

Another possibility (and the one I like best) is to use the "Parameters" tab in OWASP ZAP and track which values each parameter has. After that, just make a regexp.

Recently I have been testing remo (http://www.netnea.com/cms/?q=remo) to build the rules more intuitively.

Regards,

2013/6/14 Christian Folini <chr...@ti...>
> Hi there,
>
> On Fri, Jun 14, 2013 at 12:56:45PM -0300, Manoel Domingues Junior wrote:
> > If you put mod_security for homologation and use a spider (such as the
> > present in OWASP ZAP) can identify the rules which result in false
> > positives.
>
> Now that is an interesting thought. Could you explain that a
> bit further? Have you done this?
>
> Regs,
>
> Christian

-- 
Manoel Domingues Junior
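Manoel's two techniques above, ranking the rules that fire during a known-benign ZAP crawl from error_log and then deriving a per-parameter whitelist regex from the values ZAP observed, as an added worked example in Python. This is not code from this thread, from ModSecurity or from ZAP: the log lines, the rule ids 900101-900103, the hostname, the file path and the parameter values are constructed placeholders, and the `SecRule` lines it emits follow ModSecurity 2.x syntax.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache error_log lines in the format ModSecurity 2.x writes.
# The traffic is synthetic; rule ids 900101-900103, the file path and the
# hostname are placeholders, not real CRS rules.
ERROR_LOG = """\
[Fri Jun 14 12:45:01 2013] [notice] Apache/2.2 configured -- resuming normal operations
[Fri Jun 14 12:45:02 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/placeholder.conf"] [line "10"] [id "900101"] [msg "Placeholder: SQL keyword in argument"] [severity "CRITICAL"] [hostname "app.example.test"] [uri "/search"] [unique_id "u1"]
[Fri Jun 14 12:45:03 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/placeholder.conf"] [line "10"] [id "900101"] [msg "Placeholder: SQL keyword in argument"] [severity "CRITICAL"] [hostname "app.example.test"] [uri "/search"] [unique_id "u2"]
[Fri Jun 14 12:45:04 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:filter. [file "/etc/modsecurity/placeholder.conf"] [line "10"] [id "900101"] [msg "Placeholder: SQL keyword in argument"] [severity "CRITICAL"] [hostname "app.example.test"] [uri "/reports"] [unique_id "u3"]
[Fri Jun 14 12:45:05 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 3 at ARGS:comment. [file "/etc/modsecurity/placeholder.conf"] [line "20"] [id "900102"] [msg "Placeholder: apostrophe count"] [severity "WARNING"] [hostname "app.example.test"] [uri "/comments"] [unique_id "u4"]
[Fri Jun 14 12:45:06 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 3 at ARGS:comment. [file "/etc/modsecurity/placeholder.conf"] [line "20"] [id "900102"] [msg "Placeholder: apostrophe count"] [severity "WARNING"] [hostname "app.example.test"] [uri "/comments"] [unique_id "u5"]
[Fri Jun 14 12:45:07 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:content-type)" at REQUEST_HEADERS_NAMES. [file "/etc/modsecurity/placeholder.conf"] [line "30"] [id "900103"] [msg "Placeholder: unusual header"] [severity "NOTICE"] [hostname "app.example.test"] [uri "/download"] [unique_id "u6"]
"""

# Only the three bracketed fields we need; [unique_id "..."] is not matched.
FIELD_RE = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')


def parse_alerts(log_text):
    """Yield one dict {id, msg, uri} per ModSecurity alert line."""
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # ordinary Apache log line, not an alert
        fields = dict(FIELD_RE.findall(line))
        if "id" in fields:
            yield fields


def rank_rules(log_text):
    """Rank rule ids by how often they fired during the benign crawl.

    Returns [(rule_id, hits, first_msg, sorted_uris), ...], most hits first.
    A rule near the top is a false-positive candidate to review, not proof."""
    counts, msgs, uris = Counter(), {}, defaultdict(set)
    for alert in parse_alerts(log_text):
        rid = alert["id"]
        counts[rid] += 1
        msgs.setdefault(rid, alert.get("msg", ""))
        uris[rid].add(alert.get("uri", ""))
    return [(rid, n, msgs[rid], sorted(uris[rid])) for rid, n in counts.most_common()]


# Candidate character classes from narrowest to widest; the first class that
# matches every observed value becomes the whitelist for that parameter.
CHAR_CLASSES = ["[0-9]", "[a-z]", "[a-zA-Z]", "[a-zA-Z0-9]",
                "[a-zA-Z0-9_-]", "[a-zA-Z0-9_.@-]"]


def infer_pattern(values):
    """Derive an anchored regex covering all observed values, or None when no
    candidate class fits (that parameter then needs a hand-written rule)."""
    values = list(values)
    if not values:
        return None
    for cls in CHAR_CLASSES:
        if all(re.fullmatch(cls + "+", v) for v in values):
            lo, hi = min(map(len, values)), max(map(len, values))
            quant = "{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi)
            return "^%s%s$" % (cls, quant)
    return None


def positive_rules(observations, base_id=100001):
    """Emit one ModSecurity 2.x SecRule per parameter that denies any value
    outside the inferred pattern. Returns (rules, parameters_needing_review)."""
    rules, unresolved = [], []
    for param in sorted(observations):
        pattern = infer_pattern(observations[param])
        if pattern is None:
            unresolved.append(param)
            continue
        rule_id = base_id + len(rules)
        rules.append(
            'SecRule ARGS:%s "!@rx %s" '
            '"id:%d,phase:2,t:none,deny,status:403,msg:\'Positive model violation on %s\'"'
            % (param, pattern, rule_id, param))
    return rules, unresolved


# Constructed stand-in for the values ZAP's "Parameters" tab would have recorded.
OBSERVED_PARAMS = {
    "id": ["42", "7", "1003"],
    "user": ["alice", "bob_22", "carol"],
    "q": ["apache modsecurity", "o'reilly"],  # spaces/quotes: no class fits
}

if __name__ == "__main__":
    for rid, hits, msg, uris in rank_rules(ERROR_LOG):
        print("%s hits=%d %s uris=%s" % (rid, hits, msg, ",".join(uris)))
    rules, unresolved = positive_rules(OBSERVED_PARAMS)
    print("\n".join(rules))
    print("needs a hand-written rule:", unresolved)
```

Check the ranked list against the audit log before disabling anything (a rule that fires on every crawled page may be a single bad regex, or may be catching something the crawler legitimately sent), and trial the generated rules under `SecRuleEngine DetectionOnly` first: an inferred pattern only covers the values the spider happened to send, so any parameter it marks as unresolved, and any one whose observed set is small, still needs a human-written rule.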
From: Ryan B. <RBa...@tr...> - 2013-06-14 18:59:53
Are you aware of these Lua scripts which do basic profiling/learning?

http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

-- 
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Jun 14, 2013, at 2:54 PM, "Manoel Domingues Junior" <man...@gm...> wrote:
> Hi,
> I'm a big fan of positive approach mod_security, but it is very tiring to study the entire web application and create the rules of mod_security.
> To solve both problems, I use the OWASP ZAP to perform a scan on the web application and analyze the logs(error_log) and see which rules are the largest generators of false-positive and I disable(or modify) them.
> Another possibility (and the one I like best) is to use the "Parameters" tab on OWASP ZAP and track which values each parameter has. After that just make a regexp.
> Recently I am testing the remo (http://www.netnea.com/cms/?q=remo) to make the rules more intuitively.
> Regards,
From: Christian F. <chr...@ti...> - 2013-06-14 19:13:01
Hi,

On Fri, Jun 14, 2013 at 03:48:24PM -0300, Manoel Domingues Junior wrote:
> To solve both problems, I use the OWASP ZAP to perform a scan on the web
> application and analyze the logs(error_log) and see which rules are the
> largest generators of false-positive and I disable(or modify) them.
>
> Another possibility (and the one I like best) is to use the "Parameters"
> tab on OWASP ZAP and track which values each parameter has. After that just
> make a regexp.

I need to look into this as well. Sounds intriguing.

> Recently I am testing the remo (http://www.netnea.com/cms/?q=remo) to make
> the rules more intuitively.

Nice to see it is still in use. Tell me how it went.

Regs,

chr...@ne...

-- 
Knowing that two plus two always equals four can be a pretty powerful concept.
-- Joel Greenblatt