Barry,

Thanks for chiming in. The more people, the better decisions we will
make.

On Sun, Feb 07, 2016 at 09:40:20PM +0000, Barry Pollard wrote:
> In my opinion there are few real world examples of people intentionally using 
> IP address over hostname and the website owner should know them all (e.g. 
> Load balancers, health checkers and internal system scanners). It's easy to 
> whitelist those specific systems.

This is going to be anecdotal evidence, but I think it is not
uncommon to have
- 2 LBs (polling every 5 seconds each)
- service monitor (polling once a minute)
- 2 sysadmins configuring some kind of online
  uptime monitor privately in order to get an
  alarm ahead of time via text if something is
  amiss. (polling every ten seconds)

And all via the IP address. If you have two redundant
servers, you easily get 60-70 alerts per minute.

But maybe the setups I know are just crazy.
In the end, I can live with this rule in standard mode
or in paranoia mode.

And it's not like it's hard to tune. It's just
terrifying when it happens for the first time.

Cheers,

Christian

> 
> So anything else using IP address is likely a bot iterating through IP 
> addresses and I do think they represent a threat and not just an annoyance 
> and so the CRS should block by default.
> 
> I also found it eye opening the amount of scanners hitting my sites when I 
> turned ModSecurity on for the first time. Now granted most has likely been 
> scanning my site for years with no issues, and they can cause people to panic 
> when they see the sheer volume for first time, but I still think it enlightening 
> nonetheless.
> 
> So I'd be more in favour of leaving this in normal mode. Perhaps adding some 
> commented out examples of how to whitelist certain IP addresses from this (or 
> all?) rule(s) if it really is that common a problem that people get 
> overwhelmed by their internal systems using IP address.
> 
> Thanks,
> Barry
> 
> P.S. Some great discussions going on. Great to see!
> 
> > On 7 Feb 2016, at 20:32, Christian Folini <christian.fol...@netnea.com> 
> > wrote:
> > 
> > Hello again,
> > 
> >> On Sun, Feb 07, 2016 at 03:22:03PM +0100, Walter Hop wrote:
> >> In my logs I only see mass scanners trying this, and there is one vendor 
> >> appliance which is doing “compliance” checks on an IP address constantly. 
> >> This appliance annoys me: you don’t even know my HOSTNAME and you make 
> >> claims about my site actually being working and compliant? And people pay 
> >> money for that? I like blocking that thing out of spite, but that’s just 
> >> personal.
> > 
> > It's totally true that it's an annoying practice and 
> > should be stopped. But if you look at it with the
> > eyes of a newbie ModSec user, he will see a lot of
> > FPs in this class, which block the view on the more
> > severe alerts. Not necessarily by score, but by sheer
> > number of alerts.
> > 
> > Moving it to paranoia mode would free the view on the
> > more important exceptions.
> > 
> >> Anyway, you’ve given some good cases for allowing IP addresses, it’s not 
> >> too controversial.
> > 
> > Thanks.
> > 
> >> On Sun, Feb 07, 2016 at 03:30:39PM +0000, Chaim Sanders wrote:
> >> It's kind of a mixed bag because we still want ModSecurity to be effective 
> >> at blocking the easy riff raff (opportunistic attackers) but we want it to 
> >> be easy to configure. Perhaps we make a 'domain name' configuration in the 
> >> setup.conf and if it has been configured the rule comes into effect. I 
> >> don't know that IF they have a domain we see too many false positives, 
> >> most are things that as walter described, are just laziness. Thoughts?
> > 
> > Why don't we simply move it to paranoia mode? Instead of having to
> > understand the additional "domain name" config, a user simply raises the
> > paranoia level and ends up with more positives and if he thinks
> > some of these requests are legit/FPs, he will whitelist them.
> > That would have the same effect as the "domain name" configuration
> > but with a more generic tuning process.
> > 
> > Ahoj,
> > 
> > Christian
> > 
> > 
> > -- 
> > It must be obvious... that there is a contradiction in wanting to
> > be perfectly secure in a universe whose very nature is momentariness and
> > fluidity.       
> > -- Alan Watts
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
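One way to do the per-IP whitelisting Barry suggests, as an added example that is not from the thread or from the CRS project: a rule exclusion that exempts the known internal pollers Christian lists (load balancers, service monitor) from the host-header-is-an-IP rule only, so their polling stops generating alerts while every other client still hits the rule. The IP addresses and RULE_ID_OF_HOST_IS_IP_CHECK are placeholders, not values from the thread.

```apache
# Added example (not from the thread or the CRS project).
# Exempt known internal pollers from the "Host header is an IP address" rule.
# Load this BEFORE the CRS rule files so the ctl action is applied before the
# rule itself is evaluated in phase 1.
# Placeholders: the three IPs are constructed, and RULE_ID_OF_HOST_IS_IP_CHECK
# must be replaced with the numeric id of that rule in your CRS version.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.11,10.0.0.12,10.0.0.20" \
    "id:1000,phase:1,pass,nolog,\
    ctl:ruleRemoveById=RULE_ID_OF_HOST_IS_IP_CHECK"
```

REMOTE_ADDR is the TCP peer address, so if a load balancer also forwards real client traffic to this backend, this exclusion covers those proxied requests too; keep the exemption to the single rule rather than disabling the engine for that address.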