Should we add a "ctl:ruleEngine=On" to all the "allow" rules (900042, 900043, 999005 and 999006) in modsecurity_crs_10_ignore_static.conf?
The reason being that when running in DetectionOnly mode, these rules are effectively ignore and so performance is WORSE in detection only mode. DetectionOnly will also potentially flag rules that will never be hit when running in full On mode, as these rules will allow those requests. To me DetectionOnly mode should be the same as full On, except without blocking and currently it is not for these rules. A bigger question is whether "allow" should be considered disruptive in ModSecurity itself but I think improving the OWASP CRS is a smaller step than that. Thanks, Barry _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
