I'll try sending to the whole list instead of just Ryan :-(

---------- Forwarded message ----------
From: chris derham <[email protected]>
Date: Fri, Apr 8, 2011 at 1:30 PM
Subject: Re: [Owasp-modsecurity-core-rule-set] A Recommended Base Configuration - SecRuleEngine
To: Ryan Barnett <[email protected]>
All,

Was on leave so only just joining in the fun discussing the options. I have only been using mod security for the last 4 months. I can still remember installing it onto an apache server, and then running it and seeing nothing. I remember that it seemed very strange that it wasn't turned on. Comparing with other pieces of software, I do not know of any that you have to install, and then actually switch on for them to work.

I don't think that I am about to add anything to the prior discussion, but having seen all the other posts, which all brought up valid arguments, I guess I'd agree that off makes no sense. Detect only seems like a prudent default. At least if that is the default, people can monitor the logs and then switch on when happy that there are no false positives.

One thing I did take issue with in the discussions was the following:

> Your argument assumes that enabling the
> SecRuleEngine is **the** ideal scenario, this may not always be the
> case. While it may be a common practice, stopping malicious traffic is
> a sure fire way to advertise you're running a WAF, which then leads to
> attackers modifying their payloads to elude your ruleset/engine which
> may or may not be subsequently caught. By only monitoring suspicious
> payloads, malicious users are less likely to send obfuscated attacks
> intended to bypass ModSecurity.

1) Please understand I just want to discuss this point, and am not bad-mouthing the poster.

2) Surely, given the potential for problems in websites (e.g. XSS), there is no such thing as "only monitoring suspicious payloads" - any part of the website could be compromised and as such there isn't a safe/unsafe split.

3) If there is a flaw in a webserver, and the bad guys want to abuse your server with it, then when the bad guys spot that it doesn't work on your server, they will deduce you have a WAF. They are quite bright after all. At this point, the cat and mouse game begins.

As I said, I've only been working with mod security for a few months, but surely in this case, the only thing to do is to hope that
- they get bored and go somewhere else
- your white list rules stop the bad guys while they are attempting to get in
- your proactive monitoring catches anything that they do manage to get through

So I guess what I am trying to ask is, should you only detect parts of the website with mod security, or protect it all? We just went live with a system and we used the latter.

Thanks

Chris
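The "run in detect-only, watch the logs, then switch on" workflow Chris describes needs a way to see which rules are actually firing. Below is an added example (not from the thread or the ModSecurity project) that groups ModSecurity 2.x Apache error-log alerts by rule id so the false-positive candidates stand out before SecRuleEngine is set to On; the log lines, rule ids 990001/990002, hostnames and client addresses are all constructed for the example.

```python
import re

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule ids, hosts, clients and unique_ids are made up for this example.
SAMPLE_LOG = """\
[Fri Apr 08 13:30:01 2011] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:q. [file "/etc/modsecurity/example_sqli.conf"] [line "66"] [id "990001"] [msg "Example SQL Injection Rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "EXAMPLE0001"]
[Fri Apr 08 13:30:02 2011] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:comment. [file "/etc/modsecurity/example_xss.conf"] [line "24"] [id "990002"] [msg "Example XSS Rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/post"] [unique_id "EXAMPLE0002"]
[Fri Apr 08 13:30:05 2011] [error] [client 192.0.2.44] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:q. [file "/etc/modsecurity/example_sqli.conf"] [line "66"] [id "990001"] [msg "Example SQL Injection Rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/report"] [unique_id "EXAMPLE0003"]
"""

# [key "value"] fields; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the rule matched, e.g. ARGS:q, taken from "... at ARGS:q."
TARGET_RE = re.compile(r'ModSecurity: (?:Warning|Access denied[^.]*)\. .*? at ([A-Z_]+(?::[^ .]+)?)\.')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_line(line):
    """Return a dict for a ModSecurity alert line, or None for any other line."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    target = TARGET_RE.search(line)
    client = CLIENT_RE.search(line)
    return {"id": fields.get("id"), "msg": fields.get("msg"), "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
            "client": client.group(1) if client else None}


def summarize(log_text):
    """Group alerts by rule id: hit count plus the distinct URIs, targets and clients."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["id"] is None:
            continue
        s = summary.setdefault(ev["id"], {"msg": ev["msg"], "hits": 0,
                                          "uris": set(), "targets": set(), "clients": set()})
        s["hits"] += 1
        s["uris"].add(ev["uri"])
        s["targets"].add(ev["target"])
        s["clients"].add(ev["client"])
    return summary


def review_order(summary):
    """Rule ids, noisiest first: the ones to check for false positives before going to On."""
    return sorted(summary, key=lambda rid: summary[rid]["hits"], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for rid in review_order(s):
        print(rid, s[rid]["hits"], s[rid]["msg"], sorted(s[rid]["uris"]), sorted(s[rid]["targets"]))
```

A rule that keeps matching the same parameter on many URIs from many clients is usually a tuning candidate (an exclusion or per-location adjustment), whereas a single client hitting several rules looks like a real probe.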
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
