It's kind of a mixed bag because we still want ModSecurity to be effective at blocking the easy riff-raff (opportunistic attackers) but we want it to be easy to configure. Perhaps we make a 'domain name' configuration in the setup.conf and if it has been configured the rule comes into effect. I don't know that IF they have a domain we see too many false positives, most are things that, as Walter described, are just laziness. Thoughts?
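One way the 'domain name' gate proposed above could be expressed in ModSecurity directives. This is an added example, not CRS code: the variable name tx.crs_expected_hostname, the rule ids 9009xx and the health-checker network are assumptions, and it assumes the gating rules are loaded before the rule file that contains 920350.

```apache
# Added example (not part of the CRS). Gate rule 920350 (Host header is a
# numeric IP address) on an operator-set hostname: the check only fires once
# the operator has declared what hostname legitimate clients should send.

# In crs-setup.conf. Variable name tx.crs_expected_hostname is hypothetical;
# www.example.com is a constructed value.
SecAction \
  "id:900960,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_expected_hostname=www.example.com"

# In a rule file loaded before REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# &TX:name counts how many TX variables of that name exist, so @eq 0 means
# "not configured": drop 920350 for this transaction. ctl:ruleRemoveById
# applies for the rest of the transaction, so this works whether 920350
# runs in phase 1 or phase 2, as long as this rule is evaluated first.
SecRule &TX:crs_expected_hostname "@eq 0" \
  "id:900961,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ctl:ruleRemoveById=920350"

# Optional, for the load balancer / health checker case raised in the
# thread: exempt a known internal network (10.0.0.0/8 is a constructed
# placeholder) from 920350 even when a hostname is configured.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
  "id:900962,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ctl:ruleRemoveById=920350"
```

With no setvar in crs-setup.conf the first SecRule removes 920350 on every request, giving the "easy to configure" default; setting the hostname turns the rule back on, and the ipMatch exemption keeps internal health checks that address the server by IP from tripping it.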
From: <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> on behalf of Walter Hop <mod...@spam.lifeforms.nl>
Date: Sunday, February 7, 2016 at 9:22 AM
To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Controversial candidate 960015 / 920300 and 960017 / 920350 (Header issues)

On 02 Feb 2016, at 09:32, Christian Folini <christian.fol...@netnea.com> wrote:

> With 960017 / 920350 (Host header is a numeric IP address), the situation is slightly different. We agree it is a frequent source of false positives, but Walter thinks it is not legitimate users that are affected, but mass scanners. In my experience it is load balancers and health checkers which fall into this category as well. And stopping scanners is possibly beyond the scope of a ModSec Core Rules vanilla install. So what do we do with this rule?

I don't disagree with you. I didn't discourage moving it to paranoid, that would be no problem at all.

In my logs I only see mass scanners trying this, and there is one vendor appliance which is doing "compliance" checks on an IP address constantly. This appliance annoys me: you don't even know my HOSTNAME and you make claims about my site actually being working and compliant? And people pay money for that? I like blocking that thing out of spite, but that's just personal.

Anyway, you've given some good cases for allowing IP addresses, it's not too controversial.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set