Recording maturity and accuracy would be a useful classification, but I see that accuracy will depend on context. Still, it might be useful to be able to only include anomaly scoring values from rules that surpass certain maturity and/or accuracy thresholds, plus the ability to force include and force exclude additional rules.

Colin

On 13 February 2012 18:15, Ryan Barnett <rbarn...@trustwave.com> wrote:
> We previously introduced this concept -
> https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-May/000773.html
>
> The idea is to designate both MATURITY and ACCURACY levels of each rule. The
> benefits of this approach are obvious as users would then be able to easily
> disable entire groups of rules by using SecRuleRemoveByTag.
>
> The issue I see is that we, SpiderLabs, have absolutely no insight into how
> these rules are working in your environments. The only way that we know that
> a particular rule is not working well is -
>
> 1. If you send a note to the mail-list. We do have a mail-list setup just
> for reporting false positives -
> https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives.
> I guess we need to be more vigilant in redirecting FP emails to that list
> instead.
> 2. If you open a JIRA ticket for the CRS -
> https://www.modsecurity.org/tracker/browse/CORERULES
>
> We need help from the community in reporting back accuracy issues with rules.
> If you have any good ideas for getting details on false positives let me
> know.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
> ________________________________
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
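
The selection described in this thread (maturity and accuracy thresholds plus force-include and force-exclude lists) can be modelled as below. This is an added example, not code from the thread or from the CRS; the 1 to 9 rating scale, the rule ids, the precedence of force-exclude over force-include, and the choice to drop unselected rules with `SecRuleRemoveById` are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int
    maturity: int   # assumed scale: 1 (new) .. 9 (well tested)
    accuracy: int   # assumed scale: 1 (false-positive prone) .. 9 (precise)
    score: int      # anomaly points the rule adds when it matches

# Constructed inventory: ids and ratings are illustrative, not real CRS rules.
RULES = [
    Rule(100001, maturity=9, accuracy=9, score=5),
    Rule(100002, maturity=9, accuracy=4, score=5),
    Rule(100003, maturity=2, accuracy=8, score=3),
    Rule(100004, maturity=7, accuracy=7, score=2),
]

def scoring_rules(rules, min_maturity, min_accuracy,
                  force_include=frozenset(), force_exclude=frozenset()):
    """Return the ids of rules whose anomaly score should count.

    Assumption: force_exclude wins over force_include, so an operator can
    always silence a rule regardless of the other settings.
    """
    selected = set()
    for r in rules:
        passes = r.maturity >= min_maturity and r.accuracy >= min_accuracy
        if (passes or r.rule_id in force_include) and r.rule_id not in force_exclude:
            selected.add(r.rule_id)
    return selected

def removal_directives(rules, selected):
    """Emit a SecRuleRemoveById line for every rule left out of scoring."""
    return [f"SecRuleRemoveById {r.rule_id}"
            for r in sorted(rules, key=lambda r: r.rule_id)
            if r.rule_id not in selected]

def anomaly_score(rules, matched_ids, selected):
    """Sum the scores of matched rules, counting only selected ones."""
    return sum(r.score for r in rules
               if r.rule_id in matched_ids and r.rule_id in selected)

if __name__ == "__main__":
    chosen = scoring_rules(RULES, 5, 5, force_include={100003}, force_exclude={100004})
    print("\n".join(removal_directives(RULES, chosen)))
    print("score:", anomaly_score(RULES, {100001, 100002, 100003}, chosen))
```

Removing a rule stops it from matching at all, so a deployment that still wants the rule logged without contributing to the score would need a different mechanism than the removal directives generated here.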