I am separating out these discussion topics into separate emails for better tracking purposes.
Comments inline below.

On 2/13/12 4:56 PM, "Christian Bockermann" <ch...@jwall.org> wrote:

>Hi Ryan, hi all,
>
>my experience with the core-rules is only limited. I installed the rules and tweaked
>them to match my needs and generally use my own rules for research/toy purposes. Based
>on that limited experience, I'd like to start the discussion a little beforehand, as I
>believe the fundamentals need to be *right* and *transparent* before mangling the
>existing rules into more complicated ones.
>
>So, I'd like to start with what I am missing a bit in the current rule sets, trying to
>compile a list of objectives we should all agree upon, before getting our hands dirty:
>
>
>  (1) Transparency
>
>  To a high degree the concept of the rules needs to be transparent to the user. If
>  it takes one more than two days to read/understand the structure of the rules, it
>  might shrug people off from using the rules in the first step.
>  Likewise, the outcome (alerts) of the rules needs to be understandable to anyone.
>
>  The switch from the old (pre 2.x) version to anomaly scoring was a good idea, but
>  the communication was suboptimal.
>
>  Any central place where we have a documentation on the scale of the anomaly score?
>  What is a "good" threshold meant to be? Can we fix this beforehand? Can you share
>  experiences with tests, e.g. the average score when hitting some app with sqlmap?
>  How are the severity levels being used? I know they exist, but I do not have a clue
>  on how consistent and with which intention they're spread in the rules.

I agree that we need better transparency between SpiderLabs and the community, which is why we are starting this effort :) What we don't want to have happen is that we suddenly make all these sweeping changes that catch the community off-guard (which admittedly is what happened in the move from CRS v1 to v2). We want collaboration with the community.
We have wiki-based documentation on the SourceForge site here -
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Main_Page

We can certainly add in new wiki pages for these topics. We just need to agree on formatting and how to present the topics. We have a lot of source material for this in the blog posts, but I feel that the blog posts are in an unorganized state and not easily referenced by (new) users. Perhaps that is a starting point - I can create a page that lists all of the ModSecurity blog topics on a wiki page.

-Ryan

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set