Re: [mod-security-users] Paranoia level
From: Christian F. <chr...@ne...> - 2021-03-10 07:14:15
Hey Blason,

On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> I am really looking everywhere but unable to find the exact information.
> I am struggling to find how do I increase Paranoia level gradually?
> I really don't see settings in configuration or might have overlooked? but
> can someone help me understand the procedure?

You have probably overlooked the explanation of it in crs-setup.conf.

There are two values involved:

- tx.paranoia_level
  This is the PL that we are going to block in. We thought about
  renaming this to tx.blocking_paranoia_level, but then we thought it
  would have been too cumbersome on the users.
- tx.executing_paranoia_level
  This is the PL of the rules that we are going to execute. It is
  greater than or equal to tx.paranoia_level.

So with these two settings, you can block on PL1, but execute PL2, tune
away the false positives of PL2 and then raise the blocking PL to 2 as
well. And then to the next step.

The advantage of this process is that without the executing PL setting,
you would dive into a higher PL without knowing the new false positives
in advance and you would probably have to raise the anomaly threshold
for a certain transition period, thus lowering your defenses.

The introduction of the execution paranoia level allows you to keep the
defenses up.

Cheers,

Christian

--
Seek simplicity, and distrust it.
-- Alfred North Whitehead
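The first step of the procedure described in the message above, written out as configuration. This is an added example, not part of the original post and not the CRS project's own file. It assumes a CRS 3.x crs-setup.conf, where the two variables are set by the SecAction rules with ids 900000 and 900001; check the ids and layout against your own copy.

```apache
# Added example, assuming CRS 3.x crs-setup.conf conventions.
#
# Step 1: block on PL1, execute PL2.
# Requests are still blocked according to PL1 only. PL2 rules are
# executed as well, so their matches show up in the logs and can be
# reviewed for false positives before they affect blocking.

# Blocking paranoia level (tx.paranoia_level)
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# Executing paranoia level (tx.executing_paranoia_level).
# Must be greater than or equal to tx.paranoia_level.
SecAction \
  "id:900001,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.executing_paranoia_level=2"

# Step 2, once the PL2 false positives have been tuned away:
#   change rule 900000 to  setvar:tx.paranoia_level=2
#   change rule 900001 to  setvar:tx.executing_paranoia_level=3
# and repeat the review for the PL3 matches.
#
# The anomaly threshold is left untouched throughout, which is the
# point of the two-variable approach: no transition period with a
# raised threshold.
```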