We will start another discussion topic on the concepts of individual rule Severity Levels and their associated anomaly scores.
The problems that I see here are that, if the accuracy levels of the individual rules are not adequate (too many false positives), then having the severity levels in traditional/anomaly scoring be the same does not seem right. Anomaly scoring mode allows you to set a threshold for blocking that is right for your particular blocking tolerance. By adjusting the threshold up a bit, it indirectly allows for a false positive hit and still blocks if the transaction is "bad" enough.

I think we need to complete the idea of adding in the following tags to each rule:

* MATURITY
* ACCURACY

Reference this previous thread - https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-May/000773.html

-Ryan

From: Lucas Ferreira <lis...@sapao.net>
Date: Mon, 13 Feb 2012 11:49:54 -0600
To: Ryan Barnett <rbarn...@trustwave.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] [Rule Update - Discussion Thread] Traditional vs. Anomaly Scoring Mode Concepts

We started with anomaly scoring and then slowly adjusted the thresholds. The thresholds should be equivalent to the traditional mode nowadays.

Regards,

Lucas

On Mon, Feb 13, 2012 at 12:17, Ryan Barnett <rbarn...@trustwave.com> wrote:

Reference this blog post - http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html

How do you run the ModSecurity CRS? Do you use traditional or anomaly scoring mode? Do you have any recommendations for making it easier to run the CRS in either mode and allowing easy switching between the modes?
--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Homo sapiens non urinat in ventum.
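An added example, not code from the CRS or from anyone on this thread, that works through the trade-off Ryan describes: the same rule matches evaluated in traditional mode (first match blocks) and in anomaly scoring mode (summed severity scores against a threshold). The severity-to-score mapping and the threshold of 5 are the CRS 2.x defaults; the rule ids and sample transactions are constructed.

```python
# Added example (not CRS code): compare anomaly scoring with traditional mode.
# Severity scores and the threshold of 5 follow CRS 2.x defaults
# (tx.critical_anomaly_score etc.); rule ids and matches are constructed.
from dataclasses import dataclass

# CRS 2.x default anomaly score contributed per matched rule, by severity
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass(frozen=True)
class RuleMatch:
    rule_id: str   # constructed placeholder, not a real CRS rule id
    severity: str  # one of SEVERITY_SCORES
    msg: str

def anomaly_score(matches):
    """Total inbound anomaly score: each match adds its severity's score,
    as the CRS does with setvar:tx.anomaly_score=+%{tx.<sev>_anomaly_score}."""
    return sum(SEVERITY_SCORES[m.severity] for m in matches)

def anomaly_mode_blocks(matches, threshold=5):
    """Anomaly scoring mode: block only when the summed score reaches the threshold."""
    return anomaly_score(matches) >= threshold

def traditional_mode_blocks(matches):
    """Traditional mode: the first matching rule blocks on its own."""
    return len(matches) > 0

# Constructed transactions: a benign request that trips one low-severity
# rule, a real attack, and a request whose two weak hits add up.
FALSE_POSITIVE = [RuleMatch("X-1", "WARNING", "SQL keyword in a free-text comment")]
REAL_ATTACK = [RuleMatch("X-2", "CRITICAL", "SQL injection attack"),
               RuleMatch("X-1", "WARNING", "SQL keyword in argument")]
TWO_WEAK_HITS = [RuleMatch("X-1", "WARNING", "SQL keyword in argument"),
                 RuleMatch("X-3", "NOTICE", "unusual request header")]

def compare_modes(transactions, threshold=5):
    """Map each transaction name to (traditional_blocks, anomaly_blocks, score)."""
    return {name: (traditional_mode_blocks(m), anomaly_mode_blocks(m, threshold),
                   anomaly_score(m)) for name, m in transactions.items()}

if __name__ == "__main__":
    txs = {"false_positive": FALSE_POSITIVE, "real_attack": REAL_ATTACK,
           "two_weak_hits": TWO_WEAK_HITS}
    for threshold in (5, 6):  # raising the threshold "a bit" absorbs one weak hit
        print(threshold, compare_modes(txs, threshold))
```

At threshold 5 the lone WARNING false positive is already tolerated while traditional mode would have blocked it; raising the threshold to 6 also tolerates the two weak hits, at the cost of needing a CRITICAL-level match (or more accumulated evidence) before blocking.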