[mod-security-users] DetectionOnly for All Rules except for one
From: Todd M. B. <to...@to...> - 2012-01-17 18:36:57
I'm running ModSecurity in DetectionOnly mode at the moment as I go through the lengthy process of tuning all false positives. Recently, a security alert came out that we need to block immediately, but I'm simply not ready to run ModSecurity in blocking mode as there is still a bit of tuning to do.

What I'd like to do is add a custom rule that will handle this specific alert, set that rule to block, but leave everything else in DetectionOnly (log, but no block) mode to allow me more time to address all the false positives. What is the easiest way to accomplish this without changing the action for every rule in the core rule set?

Based on my reading of the manual, my thought is to leave everything in block to allow for my default action, but then set my new/custom rule to deny. I'm running DetectionOnly w/ Anomaly Based Scoring (default action Pass to support this), so I'm a little hung up on how this all impacts what I'm trying to do.

Appreciate any advice.

todd
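The following is an added configuration example, not part of the original post or any reply on this list. It shows the mechanism ModSecurity 2.x provides for exactly this situation: the engine stays in `DetectionOnly` globally, and a single rule switches the engine to `On` for its own transaction with the `ctl:ruleEngine=On` action so that its `deny` is actually enforced. The rule ids (999000, 999001), the `ARGS` target and the `@contains` marker are hypothetical placeholders; substitute whatever the real alert requires. The `SecDefaultAction` line reproduces the "default action pass" setup the poster describes for anomaly scoring.

```apache
# Added example (not from the original thread). Assumes ModSecurity 2.x.
# Goal: everything logs-only, except one hotfix rule that really blocks.

# Global engine mode stays DetectionOnly while CRS tuning continues.
SecRuleEngine DetectionOnly

# Anomaly-scoring style default action, as described in the post:
# rules only log and raise the score; nothing is disruptive by default.
SecDefaultAction "phase:2,pass,log,auditlog"

# NAIVE ATTEMPT (does not block): the disruptive 'deny' is overridden by
# SecRuleEngine DetectionOnly, so a match is logged but the request passes.
# 'HYPOTHETICAL_ATTACK_MARKER' is a placeholder for the real signature.
SecRule ARGS "@contains HYPOTHETICAL_ATTACK_MARKER" \
    "id:999000,phase:2,deny,status:403,log,\
    msg:'Hotfix rule - NOT enforced while engine is DetectionOnly'"

# WORKING APPROACH: flip the engine to On for this transaction from inside
# the rule's own action list. ctl: actions execute when the rule matches and
# before the disruptive action is evaluated, so 'deny' is honoured here while
# every other rule in the configuration remains detection-only.
SecRule ARGS "@contains HYPOTHETICAL_ATTACK_MARKER" \
    "id:999001,phase:2,ctl:ruleEngine=On,deny,status:403,log,\
    msg:'Hotfix rule - enforced via ctl:ruleEngine=On'"
```

Two practical checks after reloading Apache: send a request that contains the marker (for example with `curl -i`) and confirm a 403 comes back, then send a request that only trips a CRS rule and confirm it still returns 200 with the usual DetectionOnly audit-log entries. Because the hotfix rule denies on match, the engine being left `On` for the rest of that transaction has no further effect; if you instead use a non-disruptive outcome for some matches, be aware that `ctl:ruleEngine=On` stays in force for the remainder of that transaction only, never for other requests.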