On Mon, Apr 4, 2011 at 9:19 AM, <[email protected]> wrote:
> Hi there,
>
> Let me be the devil's advocate: I think SecRuleEngine should be set to "On".
> Starting with "DetectionOnly" is the sure path to stay at that level.

Hi Christian,

I understand where you're coming from, but I think it really depends on the intended use case. Your argument assumes that enabling the SecRuleEngine is **the** ideal scenario; this may not always be the case. While it may be a common practice, stopping malicious traffic is a surefire way to advertise that you're running a WAF, which then leads to attackers modifying their payloads to elude your ruleset/engine, which may or may not be subsequently caught. By only monitoring suspicious payloads, malicious users are less likely to send obfuscated attacks intended to bypass ModSecurity.

--
- Josh

> You'll see a lot of false positives. But since the service is not affected, you postpone the fixes and the tuning effort until you find the time, which never happens.
>
> Leaving it at "DetectionOnly" gives you a nice monitoring and debugging engine, but no protection.
>
> If you start with "On", your service is likely to be heavily affected and you have to fix the false positives immediately. Once you've done that you have a well-protected site in a very short time period.
>
> "On" is the rocky road but the successful one.
>
> Regs,
>
> Christian
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Ryan Barnett
> Sent: Friday, April 1, 2011 17:36
> To: [email protected]; [email protected]
> Subject: [Owasp-modsecurity-core-rule-set] A Recommended Base Configuration - SecRuleEngine
>
> Reference Manual:
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleEngine
>
> Current setting:
>
> # Enable ModSecurity, attaching it to every transaction. Use detection
> # only to start with, because that minimises the chances of post-installation
> # disruption.
> #
> SecRuleEngine DetectionOnly
>
> Rationale:
> When first adding in ModSecurity, you want to minimize any disruptions to traffic until you get a handle on how your configs/rules will respond to your traffic. This setting allows SecRules to trigger events but not take any disruptive actions.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
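The tuning work that the thread argues about (Christian's point that it "never happens" in DetectionOnly, Ryan's rationale that DetectionOnly exists to let you see how the rules respond to your traffic) can be made routine rather than postponed. The following is an added example, not code from the thread or from the ModSecurity/CRS projects: it reads the "ModSecurity: Warning." lines that a DetectionOnly deployment writes to the Apache error log, tallies them by rule id, URI and matched variable, and drafts a narrowly scoped exclusion for any combination that fires repeatedly. The log lines, rule ids, URIs and addresses are constructed for the example; the "three hits on the same parameter" policy is a hypothetical threshold; and the drafted directive assumes a ModSecurity version that supports SecRuleUpdateTargetById (2.6 and later). Every draft is meant for human review before it goes into the config, since repeated hits can just as easily be a real attack.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the messages ModSecurity 2.x writes to
# the Apache error log while SecRuleEngine is DetectionOnly ("Warning." rather
# than "Access denied"). Rule ids, URIs, hostnames, addresses and patterns are
# made up for this example; none come from the thread or from the Core Rule Set.
SAMPLE_LOG = """\
[Mon Apr 04 09:19:01 2011] [error] [client 203.0.113.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "12"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "c1"]
[Mon Apr 04 09:19:05 2011] [error] [client 203.0.113.11] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "12"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "c2"]
[Mon Apr 04 09:19:09 2011] [error] [client 203.0.113.12] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "12"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "c3"]
[Mon Apr 04 09:20:00 2011] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:id. [file "/etc/modsecurity/example.conf"] [line "12"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin"] [unique_id "c4"]
[Mon Apr 04 09:21:00 2011] [error] [client 198.51.100.8] ModSecurity: Warning. Operator EQ matched 0 at ARGS_GET_NAMES:_csrf. [file "/etc/modsecurity/example.conf"] [line "40"] [id "900102"] [msg "Missing CSRF token"] [severity "WARNING"] [hostname "www.example.com"] [uri "/login"] [unique_id "c5"]
[Mon Apr 04 09:22:00 2011] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
"""

# "<detail> at <variable>. [file ...] [id ...] ... [uri ...]"
WARNING_RE = re.compile(
    r'ModSecurity: Warning\. (?P<detail>.*?) at (?P<var>\S+)\. (?P<tags>\[file .*)$')
# One bracketed key/value pair such as [id "900101"] or [uri "/search"].
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')


def parse_warning(line):
    """Return a dict for a DetectionOnly warning line, or None for any other line."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    tags = dict(TAG_RE.findall(m.group("tags")))
    if "id" not in tags or "uri" not in tags:
        return None
    return {"id": tags["id"], "uri": tags["uri"], "var": m.group("var"),
            "msg": tags.get("msg", ""), "detail": m.group("detail")}


def tally_warnings(log_text):
    """Count warnings by (rule id, uri, matched variable).

    Keying on the variable as well as the rule keeps a rule that repeatedly
    trips on one form field apart from the same rule firing elsewhere."""
    counts = Counter()
    for line in log_text.splitlines():
        w = parse_warning(line)
        if w:
            counts[(w["id"], w["uri"], w["var"])] += 1
    return counts


def draft_exclusions(counts, min_hits=3):
    """Draft a scoped exclusion for each (rule, uri, variable) seen min_hits times.

    Hypothetical policy for the example. The draft removes one variable from one
    rule under one path via SecRuleUpdateTargetById instead of disabling the rule
    globally, and each draft still needs a human to confirm it is a false positive
    and not a repeated attack before it is added to the configuration."""
    drafts = []
    for (rule_id, uri, var), n in sorted(counts.items()):
        if n >= min_hits:
            drafts.append(
                '# %d DetectionOnly hits on %s; confirm false positive before use\n'
                '<Location "%s">\n'
                '    SecRuleUpdateTargetById %s "!%s"\n'
                '</Location>' % (n, uri, uri, rule_id, var))
    return drafts


if __name__ == "__main__":
    counts = tally_warnings(SAMPLE_LOG)
    for (rule_id, uri, var), n in counts.most_common():
        print("%4d  id=%s  uri=%s  var=%s" % (n, rule_id, uri, var))
    for draft in draft_exclusions(counts):
        print()
        print(draft)
```

Run it periodically against the error log while the engine is still DetectionOnly; once the tally stops producing new drafts for normal traffic, the remaining warnings are the ones you would be blocking, and switching SecRuleEngine to On is a decision made on evidence rather than on hope.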
