Hello again,

On Sun, Feb 07, 2016 at 03:22:03PM +0100, Walter Hop wrote:
> In my logs I only see mass scanners trying this, and there is one vendor
> appliance which is doing “compliance” checks on an IP address constantly.
> This appliance annoys me: you don’t even know my HOSTNAME and you make claims
> about my site actually being working and compliant? And people pay money for
> that? I like blocking that thing out of spite, but that’s just personal.
It's totally true that it's an annoying practice and should be stopped. But if you look at it with the eyes of a newbie ModSec user, he will see a lot of FPs in this class, which block the view on the more severe alerts. Not necessarily by score, but by sheer number of alerts. Moving it to paranoia mode would free the view on the more important exceptions.

> Anyway, you’ve given some good cases for allowing IP addresses, it’s not too
> controversial.

Thanks.

On Sun, Feb 07, 2016 at 03:30:39PM +0000, Chaim Sanders wrote:
> It's kind of a mixed bag because we still want ModSecurity to be effective at
> blocking the easy riff raff (opportunistic attackers) but we want it to be
> easy to configure. Perhaps we make a 'domain name' configuration in the
> setup.conf and if it has been configured the rule comes into effect. I don't
> know that IF they have a domain we see too many false positives, most are
> things that as Walter described, are just laziness. Thoughts?

Why don't we simply move it to paranoia mode? Instead of having to understand the additional "domain name" config, a user simply raises the paranoia level and ends up with more positives, and if he thinks some of these requests are legit/FPs, he will whitelist them. That would have the same effect as the "domain name" configuration but with a more generic tuning process.

Ahoj,

Christian

-- 
It must be obvious... that there is a contradiction in wanting to be perfectly secure in a universe whose very nature is momentariness and fluidity.
-- Alan Watts

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
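The "move it to paranoia mode" proposal from the thread, written out as an added ModSecurity rule fragment (example code, not from the CRS project or any list participant): the IP-in-Host check only runs once the operator raises the paranoia level, and the whitelist shows the tuning step for a known appliance. The rule ids, the marker name, the tx.paranoia_level / tx.warning_anomaly_score variables (assumed to be set in the setup file, following the CRS 3 convention) and the address 198.51.100.10 are placeholders.

```apache
# Added example: paranoia-level gating of a "numeric IP in Host header" check.
# Rule ids 9000xx, the marker name and 198.51.100.10 are placeholders.

# 0. The level is set once in the setup file (CRS convention); changing
#    this 1 to a 2 is all a user does to switch the check below on.
#    tx.warning_anomaly_score is assumed to be set in the same file.
SecAction "id:900000,phase:1,pass,nolog,setvar:tx.paranoia_level=1"

# 1. Skip the whole block unless the paranoia level is at least 2.
SecRule TX:PARANOIA_LEVEL "@lt 2" \
    "id:900001,\
    phase:2,\
    pass,\
    nolog,\
    skipAfter:END-HOST-IS-IP-PL2"

# 2. The check itself: a Host header made only of digits, dots or colons.
#    It raises the anomaly score instead of blocking outright, so one hit
#    alone stays below a normal inbound threshold and shows up as an alert.
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:900002,\
    phase:2,\
    pass,\
    log,\
    msg:'Host header is a numeric IP address',\
    severity:'WARNING',\
    tag:'paranoia-level/2',\
    setvar:'tx.anomaly_score=+%{tx.warning_anomaly_score}'"

SecMarker END-HOST-IS-IP-PL2

# 3. Tuning step from the thread: after raising the level and confirming
#    that the compliance appliance is legitimate, exclude only that source
#    from only this rule. Phase 1 runs before the check, so the exclusion
#    is already in place when phase 2 evaluates rule 900002.
SecRule REMOTE_ADDR "@ipMatch 198.51.100.10" \
    "id:900003,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=900002"
```

The whitelist removes one rule for one source; every other request with an IP address in the Host header still scores at level 2 and stays silent at level 1.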