I agree that using the various audit console-type tools is a good approach. I am not sure what the percentage is of people that use one of these tools vs. using some other type of log analysis tool (SIEM like Splunk). Maybe if this type of functionality were added to the consoles, it would draw more people to use them.
We, SpiderLabs, could set up our own AuditConsole instance which could serve as a central FP host (give it a public DNS name like report.modsecurity.org or something). Users could then forward these events to us.

-Ryan

From: Klaubert Herr da Silveira <klaub...@gmail.com>
Date: Tue, 14 Feb 2012 07:03:40 -0600
To: Ryan Barnett <rbarn...@trustwave.com>
Cc: Christian Bockermann <ch...@jwall.org>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] [Rule Update - Discussion Thread] Usage Statistics

Ryan, to automate (and more, to stimulate) the tracking of false positives, like Christian, I believe the best way is to rely on consoles like Waf-Fle and AuditConsole; this is easy to implement. But most important, it needs to be easy for the user, so that he/she can send an anonymized FP and include some user commentary. Used this way, I believe it shouldn't be sent to the mailing list; once it becomes more "popular", a centralized and rule-id indexed target can be more objective (I don't know if Jira can do this) and allow fast detection of what is "hot" as a false positive (helping with an automatic ranking of accuracy/maturity), helping to attack what is creating the most FPs first.

Best regards,
Klaubert

On Mon, Feb 13, 2012 at 8:20 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

On 2/13/12 4:56 PM, "Christian Bockermann" <ch...@jwall.org> wrote:

> (3) Usage Statistics
>
> Ryan once provided the idea of gathering usage statistics on rules. Some central
> place to simply collect "the hits for rule X", "the average TX-score per request"
> or the like.
> Would anyone be interested in sharing such data if a central place would exist?
>
> I shortly discussed the option to include some "report-false-positive" button
> into the AuditConsole. That might e.g. send a report including an obfuscated audit
> event to the false-positive-report-mailing list.
> Would anyone use such a thing?
> What kind of information is one willing to provide?
>
> If there is a requirement of having a central place/application to gather such
> information, I'd be interested to come to assistance.

I would love to have a more automated method of gathering rule statistics and accuracy issues. As I mentioned, users can currently either send an email to the mod-security-report-false-positi...@lists.sourceforge.net mailing list or create a JIRA ticket. We created the mail-list because we figured it would be easier for someone to shoot off an email rather than having to log into JIRA and create a ticket. I am open to any ideas that the community has for better identifying how rules work and any false positives.

-Ryan

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
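The anonymized, rule-id indexed false-positive reporting discussed in this thread, as an added Python example that is not part of the thread, of AuditConsole or of Waf-Fle: it strips client identity from a constructed ModSecurity serial-format audit event before it would leave the site, then ranks submitted reports by rule ID so the "hot" rules surface first. The section layout and `[id "..."]` tag format are ModSecurity's; the salt, the header list, the sample addresses and the sample rule IDs are assumptions made for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed ModSecurity serial-format audit event (sections A, B, H, Z).
# Addresses, host, cookie and rule IDs are sample values for this example.
SAMPLE_EVENT = """--a1b2c3d4-A--
[14/Feb/2012:07:03:40 --0600] TzpWHcCoAAEAAAbLtFQAAAAA 203.0.113.45 52344 192.0.2.10 80
--a1b2c3d4-B--
GET /search?q=select+name+from+users HTTP/1.1
Host: shop.example.com
Cookie: session=abcdef123456
Authorization: Basic dXNlcjpwYXNz
--a1b2c3d4-H--
Message: Warning. Pattern match "select" at ARGS:q. [id "950001"] [msg "SQL Injection Attack"]
Message: Warning. Pattern match "," at ARGS:q. [id "981173"] [msg "Restricted SQL Character Anomaly"]
--a1b2c3d4-Z--
"""

# Request headers that identify the site or the user; dropped before reporting.
SENSITIVE_HEADERS = ("cookie:", "authorization:", "host:")

def anonymize_event(event: str, salt: str = "per-site-secret") -> str:
    """Return the event with client identity removed, keeping sections and rule tags."""
    out, section = [], None
    for line in event.splitlines():
        m = re.match(r"^--[0-9a-f]+-([A-Z])--$", line)
        if m:                       # section boundary line, kept verbatim
            section = m.group(1)
        elif section == "A":
            # [timestamp] unique_id client_ip client_port server_ip server_port
            parts = line.split()
            if len(parts) >= 7:
                # salted hash: repeat reports from one client still correlate
                digest = hashlib.sha256((salt + parts[3]).encode()).hexdigest()
                parts[3], parts[5] = "ip-" + digest[:12], "0.0.0.0"
                line = " ".join(parts)
        elif section == "B" and line.lower().startswith(SENSITIVE_HEADERS):
            line = line.split(":", 1)[0] + ": [redacted]"
        out.append(line)
    return "\n".join(out) + "\n"

def rule_ids(event: str) -> list:
    """Rule IDs that fired, read from the [id "..."] tags in section H."""
    return re.findall(r'\[id "(\d+)"\]', event)

def rank_false_positives(reports: list) -> list:
    """Rule-id indexed FP count, hottest rule first: [(rule_id, n_reports), ...]."""
    return Counter(rid for r in reports for rid in rule_ids(r)).most_common()
```

Section H is kept intact because the rule ID and message are exactly what a central collector needs; the matched data inside it is still worth a manual look before a report is sent.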