Thread: [mod-security-users] Selective "DetectionOnly"
From: Ed G. <ED...@ha...> - 2017-12-22 13:40:12
Hi Folks,

Once we have our rules in blocking, rather than DetectionOnly mode, we'd like to start reviewing some of our whitelisted rules. Is it possible to bring individual rules back but in detection only, or is that an all-or-nothing setting? Can somebody give an example of how to set this up?

Thanks,

Ed

--
Ed Greenberg | Web Developer and Linux System Administrator
HAPPY Software, Inc. | Work HAPPY-er!
t. 888-484-2779 | f. 518-584-5388

This message and any of its attachments are intended only for the use of the designated recipient, or the recipient's designee, and may contain information that is confidential or privileged. If you are not the intended recipient, please immediately notify HAPPY Software, Inc., delete all copies of the message and any attachments and do not disseminate or make any use of their contents.
From: Christian F. <chr...@ne...> - 2017-12-22 17:07:44
Hey Ed,

The way I write the whitelisting rules I use in production is that I separate the rules from the action. That way I can switch the action lever (detection / blocking) with a single config item.

I do not see any conceptual problem to use multiple variables to track violations. One for the final blocking action and one for the final log-only action.

Best,

Christian

On Fri, Dec 22, 2017 at 01:39:59PM +0000, Ed Greenberg wrote:
> Hi Folks,
>
> Once we have our rules in blocking, rather than DetectionOnly mode,
> we'd like to start reviewing some of our whitelisted rules. Is it
> possible to bring individual rules back but in detection only, or is
> that an all-or-nothing setting? Can somebody give an example of how to
> set this up?
>
> Thanks,
>
> Ed
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: Ed G. <ED...@ha...> - 2017-12-22 17:13:14
On Fri, 2017-12-22 at 18:07 +0100, Christian Folini wrote:
> Hey Ed,
>
> The way I write the whitelisting rules I use in production is that I separate the rules from the action. That way I can switch the action lever (detection / blocking) with a single config item.
>
> I do not see any conceptual problem to use multiple variables to track violations. One for the final blocking action and one for the final log-only action.
>
> Best,
>
> Christian

Christian, could you post an example of this?

Thanks,

--
Ed Greenberg | Web Developer and Linux System Administrator
HAPPY Software, Inc. | Work HAPPY-er!
From: Christian F. <chr...@ne...> - 2017-12-22 17:29:16
Ed,

On Fri, Dec 22, 2017 at 05:13:02PM +0000, Ed Greenberg wrote:
> Christian, could you post an example of this?

Sorry. I'd rather not do that. There are 2-3 recipes that I keep for my customers. At least for now. :)

But basically it's my standard whitelist recipe used in the book and on netnea.com, and wherever there is a deny, you do a log + setvar instead. And then at the end you evaluate the variable - or two separate variables in your case.

Ahoj,

Christian

--
Anyone who takes himself too seriously always runs the risk of looking ridiculous; anyone who can consistently laugh at himself does not.
-- Václav Havel
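The pattern Christian describes, written out as an added example in ModSecurity v2 (Apache) syntax; it is not from the thread, from his book or from the ModSecurity project. Rule ids, the `tx.enforce` lever, the two counter variables and the two sample patterns are assumptions; rule 10002 stands in for a rule that had been whitelisted and is now being reviewed without blocking.

```apache
# Added example, not code from the thread. The engine stays in blocking
# mode; the blocking/detection decision is made per rule family below.
SecRuleEngine On

# Single lever: 1 = blocking rules really deny, 0 = everything logs only.
SecAction "id:10000,phase:1,pass,nolog,setvar:tx.enforce=1"

# Trusted rule: no deny here, it only records a hit in tx.block_hits.
SecRule ARGS "@rx (?i)<script" \
    "id:10001,phase:2,pass,log,msg:'Script tag in argument',\
    setvar:tx.block_hits=+1"

# Rule under review (formerly whitelisted): records a hit in a separate
# counter, tx.monitor_hits, so it can never contribute to a deny.
SecRule ARGS "@rx (?i)\bunion\b.*\bselect\b" \
    "id:10002,phase:2,pass,log,msg:'SQL keyword pair in argument (monitoring only)',\
    setvar:tx.monitor_hits=+1"

# Evaluation: deny only if the lever is on AND a trusted rule fired.
SecRule TX:ENFORCE "@eq 1" \
    "id:10010,phase:2,deny,status:403,log,\
    msg:'Blocking request: %{tx.block_hits} hit(s) from trusted rules',chain"
    SecRule TX:BLOCK_HITS "@gt 0"

# Rules under review are reported with their own message for triage;
# the request passes regardless of the lever.
SecRule TX:MONITOR_HITS "@gt 0" \
    "id:10011,phase:2,pass,log,\
    msg:'Monitoring only: %{tx.monitor_hits} hit(s) from rules under review'"
```

Moving a rule from detection-only to blocking is then a one-word change from `tx.monitor_hits` to `tx.block_hits` in that rule, and the whole site can be dropped back to detection by setting `tx.enforce=0` in rule 10000.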
From: Ed G. <ED...@ha...> - 2017-12-22 17:31:57
On Fri, 2017-12-22 at 18:29 +0100, Christian Folini wrote:
> But basically it's my standard whitelist recipe used in the book and on netnea.com and wherever there is a deny, you do a log + setvar instead. And then at the end you evaluate the variable - or two separate variables in your case.

Good explanation. I'll give that a try, and post a success or failure.

--
Ed Greenberg | Web Developer and Linux System Administrator
HAPPY Software, Inc. | Work HAPPY-er!
From: Christian F. <chr...@ne...> - 2017-12-22 17:35:46
On Fri, Dec 22, 2017 at 05:31:46PM +0000, Ed Greenberg wrote:
> Good explanation. I'll give that a try, and post a success or failure.

That's a plan. Good luck!

Christian