Ryan, to automate (and, moreover, to stimulate) the tracking of false positives, like Christian, I believe that the best way is to rely on consoles like Waf-Fle and AuditConsole; this is easy to implement. But most importantly, it needs to be easy for the user, so that he/she can send an anonymized FP and can include some user commentary. Used this way, I believe that it shouldn't be sent to the mailing list; once it can become more "popular", a centralized and rule-id indexed target can be more objective (I don't know if Jira can do this), and allow a fast detection of what is "hot" as a false positive (helping in an automatic ranking of accuracy/maturity), helping to attack what is creating more FPs first.

Best regards,
Klaubert

On Mon, Feb 13, 2012 at 8:20 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

> On 2/13/12 4:56 PM, "Christian Bockermann" <ch...@jwall.org> wrote:
>
> > (3) Usage Statistics
> >
> > Ryan once provided the idea of gathering usage statistics on rules. Some central
> > place to simply collect "the hits for rule X", "the average TX-score per request"
> > or the like.
> > Would anyone be interested in sharing such data if a central place would exist?
> >
> > I shortly discussed the option to include some "report-false-positive" button
> > into the AuditConsole. That might e.g. send a report including an obfuscated audit
> > event to the false-positive-report-mailing list.
> > Would anyone use such a thing?
> > What kind of information is one willing to provide?
> >
> > If there is a requirement of having a central place/application to gather such
> > information, I'd be interested to come to assistance.
>
> I would love to have a more automated method of gathering rule statistics
> and accuracy issues. As I mentioned, users can currently either send an
> email to the mod-security-report-false-positi...@lists.sourceforge.net
> mailing list or create a JIRA ticket. We created the mail-list because we
> figured it would be easier for someone to shoot off an email rather than having
> to log into JIRA and create a ticket.
>
> I am open to any ideas that the community has for better identifying how
> rules work and any false positives.
>
> -Ryan
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set