Dear Christian, Dear all,

Very clear and reasoned writing! I see a benefit to choose the numbering of the paranoia level between 0 and 40. It’s distinguishable from the anomaly scoring and does not lead to misunderstanding. Default set to 10 sounds good for me. But I also see Chaim’s point not to leave that space.

Another question: If we clone rules to stricter siblings, we’ll produce a lot of log entries. Requests with more than 5 special characters and a paranoia level of 40 will create three distinct log-entries in turn. Is that the behavior that we want? Maybe we have to write the siblings in a way that only one rule matches, even at a high paranoia level?

Example:

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){3,4}" \

Regards,
Franziska

2016-02-09 5:53 GMT+01:00 Chaim Sanders <csand...@trustwave.com>:
> Thanks Noel!
> I will say @Christian that every time we leave space we never end up using
> the space we leave. I'd vote for just 0-4, but it is just one man's opinion.
>
> On 2/8/16, 11:20 PM,
> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of Noël
> Zindel" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf
> of m...@noelzindel.org> wrote:
>
>>Hi everyone,
>>
>>let me chime in on this.
>>
>>From a newbie perspective, I'd argue, the 0-4 definition would make sense
>>since it would be a logical choice.
>>You should be able to easily distinguish between the paranoia rating and the
>>anomaly rating through the latter's variable-definition e.g. warning,
>>critical, …
>>
>>Nevertheless, Christian's argument "If we leave some room between the
>>numbers, we have room to fill them in the future." favours 0-40.
>>At least for me, since I like the idea of planning way ahead.
>>
>>So, from my point of view, a range of 0-40 would be the favourable
>>choice. But, its arbitrary nature would require a well-curated
>>documentation.
>>
>>It's good to see the community's commitment on this and I hope to be of
>>any help.
>>
>>Cheers,
>>Noël
>>
>>> On 08 Feb 2016, at 22:12, Christian Folini
>>><christian.fol...@netnea.com> wrote:
>>>
>>> Thanks Chaim and Lukas!
>>>
>>> I got positive feedback via private messages too.
>>>
>>> The one question, where I am still unsure (and the
>>> feedback / criticism is also split) is the question
>>> of the good integer range for the paranoia level.
>>> 0-4 or rather 0-40.
>>>
>>> Still not sure.
>>>
>>> Thoughts on this question are thus very welcome.
>>>
>>> Ahoj,
>>>
>>> Christian
>>>
>>>
>>> On Mon, Feb 08, 2016 at 02:31:47PM +0000, Chaim Sanders wrote:
>>>> Good writeup Christian!
>>>>
>>>> On 2/8/16, 2:59 AM,
>>>> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
>>>> Funk, Lukas" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on
>>>> behalf of lukas.f...@united-security-providers.ch> wrote:
>>>>
>>>>> Hi Christian and all,
>>>>>
>>>>> I follow the discussion about the paranoia mode with great interest. I
>>>>> think it could be a good starting point for ModSecurity users which do
>>>>> not have the expert knowledge of the rules.
>>>>>
>>>>> Looking at your proposed structure of the paranoia mode setup, I think
>>>>> it's on a good track. The structure is easy to understand!
>>>>> Unfortunately I can't comment the different rules, as I don't have much
>>>>> experience with them.
>>>>>
>>>>> Thanks to all of you putting such great effort to the CRS and I'm really
>>>>> looking forward to version 3!
>>>>>
>>>>> Cheers, Lukas
>>>>>
>>>>>
>>>>>>> Dear all,
>>>>>>>
>>>>>>> With the progress we are making on the rules front, it is time to talk
>>>>>>> about
>>>>>>> the way it could be implemented.
>>>>>>> It's time for the show-me-the-code. Here you go:
>>>>>>>
>>>>>>> https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/
>>>>>>>
>>>>>>> Feedback welcome!
>>>>>>>
>>>>>>> Christian
>>>>
>>>>
>>>> ________________________________
>>>>
>>>> This transmission may contain information that is privileged,
>>>> confidential, and/or exempt from disclosure under applicable law. If
>>>> you are not the intended recipient, you are hereby notified that any
>>>> disclosure, copying, distribution, or use of the information contained
>>>> herein (including any reliance thereon) is strictly prohibited. If you
>>>> received this transmission in error, please immediately contact the
>>>> sender and destroy the material in its entirety, whether in electronic
>>>> or hard copy format.
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>
>>> --
>>> mailto:christian.fol...@netnea.com
>>> http://www.christian-folini.ch
>>> twitter: @ChrFolini
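
Added example (not part of the thread and not CRS code): a Python sketch of the sibling-rule question raised in the top message, counting how many siblings would write a log entry for one value under three rule styles. The bands are constructed, the character class is the ASCII subset of the quoted rule, and the regex is assumed to be applied as an unanchored search; under that assumption a `{3,4}` quantifier alone still matches longer runs, so the third style anchors the pattern to the whole value.

```python
import re

# ASCII subset of the character class in the rule quoted in the message
# (the typographic quote characters are left out).
CHARS = r"""~!@#$%^&*()\-+={}\[\]|:;"'`<>"""
SPECIAL = "[" + CHARS + "]"
OTHER = "[^" + CHARS + "]"

# Constructed sibling bands (min, max special characters); None = open-ended.
# The real thresholds and paranoia levels are not given in the thread.
BANDS = [(3, 4), (5, 6), (7, None)]


def sibling_patterns(style):
    """Build one compiled regex per sibling for the given rule style."""
    patterns = []
    for lo, hi in BANDS:
        if style == "open":        # every sibling means "lo or more"
            rx = "(%s.*?){%d,}" % (SPECIAL, lo)
        elif style == "banded":    # quoted style: {lo,hi}, unanchored
            rx = "(%s.*?){%d,%s}" % (SPECIAL, lo, hi or "")
        elif style == "anchored":  # exact count over the whole value
            rx = r"\A%s*(?:%s%s*){%d,%s}\Z" % (
                OTHER, SPECIAL, OTHER, lo, hi or "")
        else:
            raise ValueError(style)
        patterns.append(re.compile(rx, re.DOTALL))
    return patterns


def log_entries(value, style):
    """Return the bands whose sibling matches (one log entry each)."""
    return [band for band, rx in zip(BANDS, sibling_patterns(style))
            if rx.search(value)]


if __name__ == "__main__":
    sample = "a=1;b={x:[1,2]}&c=<y>"  # constructed value, 12 special chars
    for style in ("open", "banded", "anchored"):
        print(style, log_entries(sample, style))
```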