Re: [mod-security-users] Rule actions in CRS
From: Christian F. <chr...@ne...> - 2018-04-09 08:37:26
Hello Eirik,

There is a separate mailing list for CRS. But here is a brief response.

It does indeed sound as if you did not understand the concept so far. crs-setup is indeed very brief with its explanations. The tutorials at netnea.com are much more elaborate and there is also an article at lwn.net that introduces it.

Basically: The rule fires when a pattern matches, the match is recorded in the audit log and the score is raised. If the anomaly score reaches the threshold, the request is blocked - unless you run in DetectionOnly mode.

Personally, I always run in blocking mode, but I start with a very high threshold and then lower it gradually as I clean up the false positives. See my tutorials for detailed guidance.

Best,

Christian

On Mon, Apr 09, 2018 at 10:25:36AM +0200, Eirik Øverby - ModSecurity wrote:
> Hi,
>
> I understand that the recommended way of using the CRS is the "Anomaly scoring" mode. Taking that into account, and considering this is a quite new installation and we're seeing a lot of FPs (this is in the nature of our applications and those that interact with it), we've followed the recommendations in crs-setup.conf.sample and adjusted paranoia level and thresholds accordingly.
>
> However, it seems that a large number of the CRS rules are firing independently, regardless of the accumulated anomaly scores. Is this because we're running in DetectionOnly mode? Or is it because many of the rules explicitly say 'block'? In some cases, we see the audit log containing multiple messages for a transaction, showing that the anomaly thresholds are consulted. In others - in fact most - we see only a single message from a single rule that has fired.
>
> Apologies if I have misunderstood how this works - I'm just hoping we can make effective use of this without first learning all the intricacies of the CRS ruleset.
>
> Wbr
> /Eirik

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
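The scoring flow Christian describes (match logged, score raised, request denied only when the score reaches the threshold, and then only in blocking mode), written out as a minimal ModSecurity configuration. This is an added illustration, not configuration from the thread or from CRS itself; the rule ids, the test pattern and the deliberately high starting threshold of 1000 are assumptions for the example.

```apache
# Added example, not CRS code: a stripped-down anomaly-scoring setup.
# Rule ids 1000-1002, the pattern and the threshold are assumptions.

# Blocking mode. With "SecRuleEngine DetectionOnly" every rule below
# still logs and scores, but no request is ever denied.
SecRuleEngine On

# A scoring rule must not block on its own: "block" in a rule resolves
# to the disruptive action of the matching SecDefaultAction, which is
# "pass" here, so the rule only logs and raises the score.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Start with a very high threshold and lower it as false positives are
# cleaned up; at 1000 a single 5-point match cannot block anything.
SecAction "id:1000,phase:1,nolog,pass,t:none,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_threshold=1000"

# Scoring rule: on a match it writes its msg to the audit log and adds
# to the running anomaly score, nothing more.
SecRule ARGS "@rx (?i)<script" \
  "id:1001,phase:2,block,t:none,t:urlDecodeUni,\
  msg:'XSS pattern in request argument',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Evaluation rule: the only place the request is actually denied.
# This is the second audit-log message seen when thresholds are consulted.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:1002,phase:2,deny,status:403,log,t:none,\
  msg:'Inbound anomaly score %{tx.anomaly_score} reached threshold %{tx.inbound_anomaly_score_threshold}'"
```

A transaction that only trips rule 1001 therefore produces a single audit-log message and passes; only when the accumulated score reaches the threshold does rule 1002 add its own message and, under SecRuleEngine On, return 403.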