Hey Christian,

Thanks for the awesome breakdown! We've really seen some of the older issues rear some nasty levels of false positives, which, as you noted, was the reason behind many of these. However, based on your findings I'm open to including a more false-positive-prone file that is maybe only anomaly based, featuring some of the rules that have been taken out (we've been talking about this already). There are other options also (see below). Additionally, I have it on my list to defang 950907 just a bit as it's EXTREMELY overzealous. I'm surprised about the XSS rules as most of them were combined into single regexes (for speed reasons); I'll have to take a look. We feel your concern about LibInjection, but the concept seems to work and is used currently by a number of major WAFs. We can work with the author on a code review if this is something we want to prioritize. In terms of the 990012, I think this is something we should probably be able to add back; I'll submit a pull request sometime this week.
Thoughts from you, others? Do you think the false-positives file is the best way to handle it, or do you think these belong in their respective files with a HUGE warning? The last thing we want is people complaining about false positives, and eliminating those three rules has gone a LONG way. I think putting them in anomaly only isn't a horrible idea. I'm glad you took a look at anomaly scoring; this is always a little bit of a dark art. On the new one, in some places we've set it up we bumped it up to 7, but it is usually below 10. Also, there are now multiple different anomaly scoring areas. We should resolve this quickly as I'd like to try and have an RC1 of 3.x by mid-February. Thoughts on that as well.

Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Christian Folini
Sent: Monday, December 21, 2015 12:34 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Comparing 2.2.9 and 3.0.0-dev

Dear all,

The CRS 3.0.0-dev is in the making, bringing a lot of new features and new rules. I tried to understand the differences and wrote a blog post about it.

https://www.netnea.com/cms/2015/12/20/modsec-crs-2-2-x-vs-3-0-0-dev/

If you are using the core rules, this will interest you. There are nice new rules, but based on my tests, it looks like we are also losing a lot of alerts. I would love to have your feedback on this. Ideally here on the mailing list, but feel free to ping me via mail or twitter.

Christian Folini, @ChrFolini

--
Seek simplicity, and distrust it.
-- Alfred North Whitehead

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
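As an added illustration of the "anomaly only" option Chaim raises above, and of the threshold he mentions (bumped to 7 in some deployments, usually below 10), the following ModSecurity configuration shows the same false-positive-prone check written once as a rule that blocks on its own and once as a rule that only contributes to the anomaly score, followed by the evaluation rule that turns the accumulated score into a decision. This is example configuration written for this thread; it is not code from the CRS project, the mailing list, or Christian's blog post. The rule ids 999000 to 999003 and the `<script` pattern are placeholders, and the `tx.anomaly_score` / `tx.inbound_anomaly_score_threshold` / `tx.critical_anomaly_score` / `tx.notice_anomaly_score` variable names are assumed to follow the CRS 3 convention.

```apache
# Added example configuration, not taken from the CRS repository or the thread.
# Rule ids 999000-999003 are placeholders; variable names follow the CRS 3
# anomaly-scoring convention (assumed here).

# Threshold and weights. CRS 3 ships an inbound threshold of 5; this sets the
# 7 that the thread mentions for some deployments.
SecAction "id:999000,phase:1,pass,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=7,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.notice_anomaly_score=2"

# (a) Blocking variant: a placeholder pattern that denies the request on its
# own. A single false positive here means a blocked legitimate request.
SecRule ARGS "@rx (?i)<\s*script" \
  "id:999001,phase:2,deny,status:403,log,\
  msg:'Placeholder script-tag pattern (blocking variant)'"

# (b) Anomaly-only variant of the same check: it logs and adds a low weight to
# the running score. Nothing is blocked by this rule by itself; only the
# evaluation rule below can deny, and only once the summed score reaches
# the threshold.
SecRule ARGS "@rx (?i)<\s*script" \
  "id:999002,phase:2,pass,log,\
  msg:'Placeholder script-tag pattern (anomaly-only variant)',\
  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}"

# Blocking evaluation, modelled on the CRS 3 inbound evaluation rule: the
# request is denied only when the accumulated score reaches the threshold.
# With the weights above, one notice-level hit (2) stays well below 7, while
# a critical hit (5) plus a notice hit (2) reaches it.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:999003,phase:2,deny,status:403,log,\
  msg:'Inbound anomaly score %{tx.anomaly_score} reached threshold %{tx.inbound_anomaly_score_threshold}'"
```

In practice a rule moved into a separate "anomaly only" file would be written in form (b): the overzealous check still shows up in the audit log for tuning, but a single hit cannot block anything on its own, which is what keeps the false-positive complaints down while retaining the signal.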