Thread: [mod-security-users] Paranoia level
From: Blason R <bla...@gm...> - 2021-03-10 05:51:43

Hi Team,

I am really looking everywhere but unable to find the exact information.
I am struggling to find how do I increase Paranoia level gradually?
I really don't see settings in configuration or might have overlooked? but
can someone help me understand the procedure?

TIA
Blason R

From: Ervin H. <ai...@gm...> - 2021-03-10 06:59:34

Hi,

please note, this is a CRS question, not ModSecurity.

There is a dedicated mailing list for the rule set:

https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project

On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> Hi Team,
>
> I am really looking everywhere but unable to find the exact information.
> I am struggling to find how do I increase Paranoia level gradually?
> I really don't see settings in configuration or might have overlooked? but
> can someone help me understand the procedure?

take a look at your crs-setup.conf:

https://github.com/coreruleset/coreruleset/blob/v3.4/dev/crs-setup.conf.example#L176-L182

The default PL is 1:

https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-901-INITIALIZATION.conf#L100-L107

this means if the user doesn't give any explicit value in the setup,
then this rule sets it to 1.

Just uncomment the lines in your setup, and set the necessary
value in rule 900000. Before that action, you can find a small
summary about paranoia levels.

hth,

a.

From: Blason R <bla...@gm...> - 2021-03-10 09:40:23

My bad and apologies for wrong posting.

On Wed, Mar 10, 2021 at 12:32 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi,
>
> please note, this is a CRS question, not ModSecurity.
>
> There is a dedicated mailing list for the rule set:
>
> https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
>
> On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> > Hi Team,
> >
> > I am really looking everywhere but unable to find the exact information.
> > I am struggling to find how do I increase Paranoia level gradually?
> > I really don't see settings in configuration or might have overlooked? but
> > can someone help me understand the procedure?
>
> take a look at your crs-setup.conf:
>
> https://github.com/coreruleset/coreruleset/blob/v3.4/dev/crs-setup.conf.example#L176-L182
>
> The default PL is 1:
>
> https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-901-INITIALIZATION.conf#L100-L107
>
> this means if the user doesn't give any explicit value in the setup,
> then this rule sets it to 1.
>
> Just uncomment the lines in your setup, and set the necessary
> value in rule 900000. Before that action, you can find a small
> summary about paranoia levels.
>
> hth,
>
> a.

From: Christian F. <chr...@ne...> - 2021-03-10 07:14:15

Hey Blason,

On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> I am really looking everywhere but unable to find the exact information.
> I am struggling to find how do I increase Paranoia level gradually?
> I really don't see settings in configuration or might have overlooked? but
> can someone help me understand the procedure?

You have probably overlooked the explanation in crs-setup.conf.

There are two values involved:

- tx.paranoia_level
  This is the PL that we are going to block in. We thought about renaming
  this to tx.blocking_paranoia_level, but then we thought it would have
  been too cumbersome on the users.
- tx.executing_paranoia_level
  This is the PL of the rules that we are going to execute. It is greater
  than or equal to tx.paranoia_level.

So with these two settings, you can block on PL1, but execute PL2, tune away
the false positives of PL2 and then raise the blocking PL to 2 as well.
And then to the next step.

The advantage of this process is that without the executing PL setting, you
would dive into a higher PL without knowing the new false positives in
advance and you would probably have to raise the anomaly threshold for
a certain transition period, thus lowering your defenses. The introduction
of the execution paranoia level allows you to keep the defenses up.

Cheers,

Christian

--
Seek simplicity, and distrust it.
  -- Alfred North Whitehead

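The staged setup described in the two replies above (rule 900000 from Ervin's message, the two variables from Christian's), written out as a crs-setup.conf fragment. This is an added example, not part of any poster's message or of the CRS project's files; rule id 900001 and the action lists follow the layout of the CRS 3.x crs-setup.conf.example, and the level values are illustrative.

```apache
# crs-setup.conf fragment (added example; level values are illustrative)

# Direct jump, shown commented out for comparison: PL2 rules would start
# blocking before their false positives are known.
#
# SecAction \
#  "id:900000,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.paranoia_level=2"

# Staged step 1: keep blocking on PL1 ...
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# ... while executing the PL2 rules so their hits can be reviewed and
# false positives tuned away.
SecAction \
 "id:900001,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.executing_paranoia_level=2"

# Staged step 2, once the PL2 false positives are tuned away:
#   900000 -> setvar:tx.paranoia_level=2
#   900001 -> setvar:tx.executing_paranoia_level=3
```

crs-setup.conf is included before the rule files, so both variables are set before REQUEST-901-INITIALIZATION.conf applies its defaults.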
From: Blason R <bla...@gm...> - 2021-03-10 09:41:27

Thanks for heads up - but I am still confused and would take this up offline.
Though this is not the correct forum I might not spam this list.

On Wed, Mar 10, 2021 at 12:46 PM Christian Folini <chr...@ne...> wrote:
> Hey Blason,
>
> On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> > I am really looking everywhere but unable to find the exact information.
> > I am struggling to find how do I increase Paranoia level gradually?
> > I really don't see settings in configuration or might have overlooked? but
> > can someone help me understand the procedure?
>
> You have probably overlooked the explanation in crs-setup.conf.
>
> There are two values involved:
>
> - tx.paranoia_level
>   This is the PL that we are going to block in. We thought about renaming
>   this to tx.blocking_paranoia_level, but then we thought it would have
>   been too cumbersome on the users.
> - tx.executing_paranoia_level
>   This is the PL of the rules that we are going to execute. It is greater
>   than or equal to tx.paranoia_level.
>
> So with these two settings, you can block on PL1, but execute PL2, tune away
> the false positives of PL2 and then raise the blocking PL to 2 as well.
> And then to the next step.
>
> The advantage of this process is that without the executing PL setting, you
> would dive into a higher PL without knowing the new false positives in
> advance and you would probably have to raise the anomaly threshold for
> a certain transition period, thus lowering your defenses. The introduction
> of the execution paranoia level allows you to keep the defenses up.
>
> Cheers,
>
> Christian
>
> --
> Seek simplicity, and distrust it.
>   -- Alfred North Whitehead