On 02 Feb 2016, at 09:32, Christian Folini <christian.fol...@netnea.com> wrote:
>
> With 960017 / 920350 (Host header is a numeric IP address),
> the situation is slightly different. We agree it is a frequent
> source of false positives, but Walter thinks it is not legitimate
> users that are affected, but mass scanners. In my experience
> it is load balancers and health checkers which fall into this
> category as well. And stopping scanners is possibly beyond the
> scope of a ModSec Core Rules vanilla install.
>
> So what do we do with this rule?

I don’t disagree with you. I didn’t discourage moving it to paranoid, that
would be no problem at all.

In my logs I only see mass scanners trying this, and there is one vendor
appliance which is doing “compliance” checks on an IP address constantly. This
appliance annoys me: you don’t even know my HOSTNAME and you make claims about
my site actually working and being compliant? And people pay money for that? I
like blocking that thing out of spite, but that’s just personal.

Anyway, you’ve given some good cases for allowing IP addresses, it’s not too
controversial.
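As an added illustration (not code from this thread or from the CRS project), here is a Python sketch of what rule 960017 / 920350 checks and of the kind of source-based exclusion the thread argues for: a Host header that is a bare IPv4 or IPv6 literal (optionally with a port) is flagged, while requests from an assumed health-checker network are excluded rather than blocked. The network, the client addresses and the sample requests are all constructed.

```python
import ipaddress
import re

# Constructed sample requests: (client_ip, Host header). Not taken from the thread.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "192.0.2.10"),             # load balancer health check by IP
    ("10.0.0.5", "192.0.2.10:8443"),        # same checker, explicit port
    ("198.51.100.7", "[2001:db8::1]:443"),  # scanner hitting an IPv6 literal
    ("203.0.113.9", "www.example.com"),     # ordinary browser request
    ("203.0.113.9", "www.example.com:8443"),
]

# Assumed trusted health-checker sources that should not trip the rule.
HEALTH_CHECK_SOURCES = {ipaddress.ip_network("10.0.0.0/24")}

_PORT_SUFFIX = re.compile(r":(\d{1,5})$")


def host_is_ip_literal(host: str) -> bool:
    """True if the Host header value is a bare IP address, with or without :port."""
    host = host.strip()
    if host.startswith("["):                # bracketed IPv6 literal, RFC 3986 form
        end = host.find("]")
        if end == -1:
            return False
        candidate, rest = host[1:end], host[end + 1:]
        if rest and not _PORT_SUFFIX.fullmatch(rest):
            return False
    else:
        candidate = _PORT_SUFFIX.sub("", host, count=1)
    # Try the port-stripped form first, then the raw value (bare IPv6, no port).
    for cand in (candidate, host):
        try:
            ipaddress.ip_address(cand)
            return True
        except ValueError:
            continue
    return False


def evaluate(client_ip: str, host: str) -> str:
    """Return 'match', 'excluded' (known health checker) or 'pass'."""
    if not host_is_ip_literal(host):
        return "pass"
    src = ipaddress.ip_address(client_ip)
    if any(src in net for net in HEALTH_CHECK_SOURCES):
        return "excluded"
    return "match"


def run_samples() -> list:
    """Evaluate every constructed request; returns (client_ip, host, verdict) tuples."""
    return [(ip, host, evaluate(ip, host)) for ip, host in SAMPLE_REQUESTS]
```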
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set