On 4/4/11 2:19 AM, "[email protected]" <[email protected]> wrote:
>Hi there,
>
>Let me be the devil's advocate: I think SecRuleEngine should be set to "On". Starting with "DetectionOnly" is the sure path to stay at that level. You'll see a lot of false positives. But since the service is not affected, you postpone the fixes and the tuning effort until you find the time, which never happens.
>
>Leaving it at "DetectionOnly" gives you a nice monitoring and debugging engine, but no protection.
>
>If you start with "On", your service is likely to be heavily affected and you have to fix the false positives immediately. Once you've done that you have a well-protected site in a very short time period.
>
>"On" is the rocky road but the successful one.

Hey Christian,

There are certainly scenarios that end up playing out as you outlined, however for the purposes of this thread, we have to go by the percentages. The vast majority of users don't want to disrupt normal traffic when initially implementing ModSecurity. From a commercial perspective, adding in *any* WAF makes business owners nervous as they don't ever want to block legit traffic. Having the SecRuleEngine set to DetectionOnly helps the WAF advocate to get approval to deploy ModSecurity with the assurance that it won't block traffic until a data sample has been gathered and analyzed.

As a reference, this tweet was just seen today: "Fixing problems on a server due to mod_security being way too freaking strict and pissing a few customers off."

Unfortunately, most users don't have the time and/or skill set to fully review any ModSecurity ruleset to understand exactly what the rules will look for and how they look for them. Almost all users want to just plug it in and see how it works.

We used to have the SecFilterEngine/SecRuleEngine set to On and we got too many complaints... :)

-Ryan

>
>Regs,
>
>Christian
>
>
>-----Original Message-----
>From: [email protected] [mailto:[email protected]] On behalf of Ryan Barnett
>Sent: Friday, 1 April 2011 17:36
>To: [email protected]; [email protected]
>Subject: [Owasp-modsecurity-core-rule-set] A Recommended Base Configuration - SecRuleEngine
>
>Reference Manual:
>http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleEngine
>
>Current setting:
>
># Enable ModSecurity, attaching it to every transaction. Use detection
># only to start with, because that minimises the chances of post-installation
># disruption.
>#
>SecRuleEngine DetectionOnly
>
>
>Rationale:
>When first adding in ModSecurity, you want to minimize any disruptions to traffic until you get a handle on how your configs/rules will respond to your traffic. This setting allows SecRules to trigger events but not take any disruptive actions.
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
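One way to do the "gather a data sample and analyze it" step that Ryan describes before switching SecRuleEngine from DetectionOnly to On, added here as an example that is not part of the thread or of ModSecurity itself: a Python script that tallies ModSecurity alerts per rule id and URI from the Apache error log, so the noisiest rule/URI pairs can be reviewed as likely false positives first. The log lines are constructed, and the rule ids, config path, client addresses and URIs in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample of the Apache error-log lines ModSecurity 2.x writes.
# Rule ids 900001/900002, the .conf path, client addresses and URIs are placeholders.
SAMPLE_LOG = """\
[Fri Apr 01 17:36:01 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/placeholder.conf"] [line "12"] [id "900001"] [msg "Placeholder SQLi rule"] [uri "/search"] [unique_id "c1"]
[Fri Apr 01 17:36:02 2011] [error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/placeholder.conf"] [line "12"] [id "900001"] [msg "Placeholder SQLi rule"] [uri "/search"] [unique_id "c2"]
[Fri Apr 01 17:36:03 2011] [error] [client 192.0.2.12] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/placeholder.conf"] [line "40"] [id "900002"] [uri "/login"] [unique_id "c3"]
[Fri Apr 01 17:36:04 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/placeholder.conf"] [line "12"] [id "900001"] [msg "Placeholder SQLi rule"] [uri "/search"] [unique_id "c4"]
[Fri Apr 01 17:36:05 2011] [error] [client 192.0.2.13] File does not exist: /var/www/favicon.ico
"""

# "Warning." is what DetectionOnly logs; "Access denied ..." only appears once the engine is On.
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code \d+)')

def _field(line, name):
    """Pull one [name "value"] field out of an alert line, or None if it is absent."""
    m = re.search(r'\[%s "([^"]*)"\]' % re.escape(name), line)
    return m.group(1) if m else None

def parse_alerts(log_text):
    """Return one dict per ModSecurity alert line; other error-log lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        action = ACTION_RE.search(line)
        rule_id = _field(line, "id")
        if not action or rule_id is None:
            continue
        alerts.append({
            "blocked": action.group(1).startswith("Access denied"),
            "id": rule_id,
            "msg": _field(line, "msg") or "",   # some rules log no msg
            "uri": _field(line, "uri") or "",
        })
    return alerts

def rule_hit_counts(alerts):
    """Alerts per (rule id, URI); the top entries are the first false-positive candidates to review."""
    return Counter((a["id"], a["uri"]) for a in alerts)

def blocked_count(alerts):
    """Under DetectionOnly every alert is a Warning, so a non-zero result means the engine is already On."""
    return sum(1 for a in alerts if a["blocked"])

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    print("alerts: %d, blocked: %d" % (len(found), blocked_count(found)))
    for (rule_id, uri), n in rule_hit_counts(found).most_common():
        print("%5d  rule %s  %s" % (n, rule_id, uri))
```

Run it against a real error log by replacing SAMPLE_LOG with the file contents; rule/URI pairs that fire on known-good traffic are the ones to tune before the switch to On.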
