Hi there,

Let me be the devil's advocate: I think SecRuleEngine should be set to "On". Starting with "DetectionOnly" is the sure path to stay at that level. You'll see a lot of false positives. But since the service is not affected, you postpone the fixes and the tuning effort until you find the time, which never happens. Leaving it at "DetectionOnly" gives you a nice monitoring and debugging engine, but no protection.
If you start with "On", your service is likely to be heavily affected and you have to fix the false positives immediately. Once you've done that, you have a well-protected site in a very short time period. "On" is the rocky road but the successful one.

Regs,
Christian

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ryan Barnett
Sent: Friday, 1 April 2011 17:36
To: [email protected]; [email protected]
Subject: [Owasp-modsecurity-core-rule-set] A Recommended Base Configuration - SecRuleEngine

Reference Manual: http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleEngine

Current setting:

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly

Rationale: When first adding in ModSecurity, you want to minimize any disruptions to traffic until you get a handle on how your configs/rules will respond to your traffic. This setting allows SecRules to trigger events but not take any disruptive actions.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
