Walter,

On Wed, Jan 06, 2016 at 03:10:29PM +0100, Walter Hop wrote:
> I’m absolutely interested in this. I’ve wanted to look at CRS v3, but I’ve
> been hesitant to try it, mostly because I actually like the paranoia of v2. I
> think it would be very good to facilitate both modes of operation:
>
> 1) General virtual hosting scenario where the admin doesn’t control the
> end-user webapps and doesn’t necessarily have high-level ModSecurity
> knowledge. You want to be conservative on false positives and you want very
> few knobs to tweak. If there is enough confidence that this would protect
> against almost all attacks, it should probably be the default in order to
> make the CRS more useful to more people.
>
> 2) Users who control the complete web app, have a good feedback loop/in-depth
> monitoring, and have the knowledge and processes to do good whitelisting of
> false positives. This is mostly my scenario and so I want the WAF to really
> be as strict as it possibly could be, and I’ll deal with the fallout.
That's exactly my thinking as well. The CRS 2.2.x leaned towards the 2nd use
case, with the new CRS in development moving towards the first one. This is a
good thing, but we want to retain (2) as an option for the advanced users.

> So I think this idea is awesome, maybe I can help some bit, let me know.

I got a few private responses to my message. So we have a little project team
and more news will be posted to this mailing list shortly.

> - An advantage of adding optional stricter rules, by keeping the CRS v2
> SQL/XSS rules, is that they could possibly run earlier than the libinjection
> rules (including a blocking decision), and this might actually prevent
> bypasses or exploits against libinjection if you’re concerned about it, for
> example by blocking input that’s totally unreasonable.

That's an interesting thought, also in the light of the idea to have more
granular phases in ModSec. What I have a hard time imagining is a clear
decision on "totally unreasonable" input. If I wanted to attack libinjection,
I would try to avoid the "totally unreasonable" rule. But let's keep the idea
in mind. Maybe as a blocking decision after phase 1.

> - I wouldn’t even call ‘2’ paranoia mode. I think of it more as “relaxed
> mode” and “strict mode”. I think this naming would motivate people more to
> experiment with the strict mode. I think it’s absolutely reasonable to run in
> this mode and people who know their apps and have the resources to babysit
> the WAF a bit should not be demotivated to try it.

While I think it should be called paranoia mode, you are not the only one with
this opinion. It is an important question. But it is also a fairly dangerous
question, as it could lead to lengthy non-technical discussions (that's where
everybody has an opinion and the cost of making oneself heard is minimal). So I
would want to push this decision back a few weeks. Let's get the work done
first and talk about naming afterwards.
Ahoj,

Christian

--
The reasonable man adapts himself to the world; the unreasonable man persists
in trying to adapt the world to himself. Therefore, all progress depends on
the unreasonable man.
-- George Bernard Shaw

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
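The "relaxed" / "strict" split and the idea of running an optional stricter rule ahead of the libinjection rule, sketched as an added ModSecurity configuration example; this is not code from the thread or from the CRS itself. The switch variable tx.strict_mode, the rule ids 1000-1003, the marker name and the simplified SQL-comment regex are assumptions for illustration.

```apache
# Added example, not CRS code: gate an optional group of stricter rules
# behind a single transaction variable so one rule set serves both the
# relaxed (shared hosting) and strict (well-monitored app) deployments.

# Site-wide switch: 0 = relaxed (default), 1 = strict. A strict site
# overrides this in its own config with setvar:tx.strict_mode=1.
SecAction "id:1000,phase:1,pass,nolog,t:none,setvar:tx.strict_mode=0"

# When strict mode is off, jump over the whole strict group. The rules
# inside it then cost nothing and cannot cause false positives for
# relaxed sites.
SecRule TX:STRICT_MODE "@eq 0" \
    "id:1001,phase:2,pass,nolog,t:none,skipAfter:END-STRICT-GROUP"

# Illustrative strict rule, in the spirit of the CRS v2 regex checks:
# block request arguments carrying SQL comment sequences outright.
# It runs before the libinjection rule below and blocks on its own, so
# input it catches never reaches the later detector. The pattern is a
# simplified assumption, not a CRS rule; strict deployments accept its
# higher false-positive rate and whitelist per application.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES \
    "@rx (?:/\*!?|\*/|--(?:\s|$))" \
    "id:1002,phase:2,block,t:none,t:urlDecodeUni,t:compressWhitespace,\
    msg:'Strict mode: SQL comment sequence in request data',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    tag:'strict-mode',severity:'CRITICAL'"

SecMarker END-STRICT-GROUP

# Relaxed-mode rule that every deployment runs: libinjection via the
# @detectSQLi operator (ModSecurity 2.7.3 and later).
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:1003,phase:2,block,t:none,t:urlDecodeUni,\
    msg:'SQL injection detected by libinjection',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    severity:'CRITICAL'"
```

The block action defers to SecDefaultAction, so the same rules can be evaluated in DetectionOnly mode first and the strict group promoted to blocking once its alerts have been reviewed.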