Re: [mod-security-users] Paranoia level
From: Blason R <bla...@gm...> - 2021-03-10 09:41:27
Thanks for the heads up - but I am still confused and would take this up offline. Though this is not the correct forum I might not spam this list.

On Wed, Mar 10, 2021 at 12:46 PM Christian Folini <chr...@ne...> wrote:

> Hey Blason,
>
> On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> > I am really looking at everywhere but unable to find the exact information.
> > I am struggling to find how do I increase Paranoia level gradually?
> > I really don't see settings in configuration or might have overlooked? but
> > can someone help me understand the procedure?
>
> You have probably overlooked the explanation of it in crs-setup.conf.
>
> There are two values involved:
>
> - tx.paranoia_level
>   This is the PL that we are going to block in. We thought about renaming
>   this to tx.blocking_paranoia_level, but then we thought it would have
>   been too cumbersome on the users.
> - tx.executing_paranoia_level
>   This is the PL of the rules that we are going to execute. It is greater
>   or equal to tx.paranoia_level.
>
> So with these two settings, you can block on PL1, but execute PL2, tune away
> the false positives of PL2 and then raise the blocking PL to 2 as well.
> And then to the next step.
>
> The advantage of this process is that without the executing PL setting, you
> would dive into a higher PL without knowing the new false positives in
> advance and you would probably have to raise the anomaly threshold for
> a certain transition period, thus lowering your defenses. The introduction
> of the execution paranoia level allows you to keep the defenses up.
>
> Cheers,
>
> Christian
>
> --
> Seek simplicity, and distrust it.
> -- Alfred North Whitehead
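
The staged procedure described in the quoted reply, written out as ModSecurity directives (an added example, not part of the original thread). It assumes CRS 3.x, where crs-setup.conf carries these two settings as commented-out SecAction templates with ids 900000 and 900001; the PL values shown are illustrative.

```apache
# crs-setup.conf (assumed CRS 3.x layout)

# Stage 1: blocking stays at PL1.
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# Stage 1: PL2 rules are executed as well, so their false positives
# appear in the logs while blocking is still decided at PL1.
# This value must be greater than or equal to tx.paranoia_level.
SecAction \
  "id:900001,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.executing_paranoia_level=2"

# Stage 2: once the PL2 false positives have been tuned away,
# raise the blocking PL and move the executing PL one step ahead:
#   id:900000 -> setvar:tx.paranoia_level=2
#   id:900001 -> setvar:tx.executing_paranoia_level=3
# Repeat the tune-then-raise cycle for each further level.
```

The anomaly threshold stays unchanged throughout, which is the point of the two-setting approach in the reply.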