Well, it seems like everyone likes this out-of-40 scale and honestly I'm
not opposed :).

On 2/9/16, 3:58 AM,
"owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
Franziska Buehler"
<owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
franziska.buehler.schmoc...@gmail.com> wrote:

>Dear Christian,
>Dear all,
>
>Very clear and reasoned writing!
>I see a benefit to choose the numbering of the paranoia level between 0
>and 40.
>It’s distinguishable from the anomaly scoring and does not lead to
>misunderstanding.
>Default set to 10 sounds good for me.
>But I also see Chaim’s point not to leave that space.
>
>Another question:
>If we clone rules to stricter siblings, we’ll produce a lot of log
>entries.
>Requests with more than 5 special characters and a paranoia level of
>40 will create three distinct log-entries in turn.
>Is that the behavior that we want?
>Maybe we have to write the siblings in a way that only one rule
>matches, even at a high paranoia level?
>Example: SecRule ARGS_NAMES|ARGS|XML:/*
>"([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){3,4}"
>\
>
>Regards,
>Franziska
>
>2016-02-09 5:53 GMT+01:00 Chaim Sanders <csand...@trustwave.com>:
>> Thanks Noel!
>> I will say @Christian that every time we leave space we never end up
>> using the space we leave. I'd vote for just 0-4, but it is just one
>> man's opinion.
>>
>> On 2/8/16, 11:20 PM,
>> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
>>Noël
>> Zindel" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on
>>behalf
>> of m...@noelzindel.org> wrote:
>>
>>>Hi everyone,
>>>
>>>let me chime in on this.
>>>
>>>From a newbie perspective, I'd argue the 0-4 definition would make
>>>sense since it would be a logical choice.
>>>You should be able to easily distinguish between the paranoia rating and
>>>the anomaly rating through the latter's variable-definition e.g. warning,
>>>critical, …
>>>
>>>Nevertheless, Christian's argument "If we leave some room between the
>>>numbers, we have room to fill them in the future." favours 0-40.
>>>At least for me, since I like the idea of planning way ahead.
>>>
>>>So, from my point of view, a range of 0-40 would be the favourable
>>>choice. But, its arbitrary nature would require a well-curated
>>>documentation.
>>>
>>>It's good to see the community's commitment on this and I hope to be of
>>>any help.
>>>
>>>Cheers,
>>>Noël
>>>
>>>> On 08 Feb 2016, at 22:12, Christian Folini
>>>><christian.fol...@netnea.com> wrote:
>>>>
>>>> Thanks Chaim and Lukas!
>>>>
>>>> I got positive feedback via private messages too.
>>>>
>>>> The one question, where I am still unsure (and the
>>>> feedback / criticism is also split) is the question
>>>> of the good integer range for the paranoia level.
>>>> 0-4 or rather 0-40.
>>>>
>>>> Still not sure.
>>>>
>>>> Thoughts on this question are thus very welcome.
>>>>
>>>> Ahoj,
>>>>
>>>> Christian
>>>>
>>>>
>>>> On Mon, Feb 08, 2016 at 02:31:47PM +0000, Chaim Sanders wrote:
>>>>> Good writeup Christian!
>>>>>
>>>>> On 2/8/16, 2:59 AM,
>>>>> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
>>>>> Funk, Lukas" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
>>>>>on
>>>>> behalf of lukas.f...@united-security-providers.ch> wrote:
>>>>>
>>>>>> Hi Christian and all,
>>>>>>
>>>>>> I follow the discussion about the paranoia mode with great
>>>>>> interest. I think it could be a good starting point for ModSecurity
>>>>>> users which do not have the expert knowledge of the rules.
>>>>>>
>>>>>> Looking at your proposed structure of the paranoia mode setup, I
>>>>>> think it's on a good track. The structure is easy to understand!
>>>>>> Unfortunately I can't comment on the different rules, as I don't have
>>>>>> much experience with them.
>>>>>>
>>>>>> Thanks to all of you putting such great effort into the CRS and I'm
>>>>>> really looking forward to version 3!
>>>>>>
>>>>>> Cheers, Lukas
>>>>>>
>>>>>>
>>>>>>>> Dear all,
>>>>>>>>
>>>>>>>> With the progress we are making on the rules front, it is time to
>>>>>>>> talk about the way it could be implemented.
>>>>>>>> It's time for the show-me-the-code. Here you go:
>>>>>>>>
>>>>>>>> https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/
>>>>>>>>
>>>>>>>> Feedback welcome!
>>>>>>>>
>>>>>>>> Christian
>>>>>
>>>>>
>>>>> ________________________________
>>>>>
>>>>> This transmission may contain information that is privileged,
>>>>>confidential, and/or exempt from disclosure under applicable law. If
>>>>>you are not the intended recipient, you are hereby notified that any
>>>>>disclosure, copying, distribution, or use of the information contained
>>>>>herein (including any reliance thereon) is strictly prohibited. If you
>>>>>received this transmission in error, please immediately contact the
>>>>>sender and destroy the material in its entirety, whether in electronic
>>>>>or hard copy format.
>>>>> _______________________________________________
>>>>> Owasp-modsecurity-core-rule-set mailing list
>>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>>
>>>> --
>>>> mailto:christian.fol...@netnea.com
>>>> http://www.christian-folini.ch
>>>> twitter: @ChrFolini
>>>
>>
>>


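Franziska's question above, whether stricter siblings should each write their own log entry or be written so that only one of them can match, can be simulated. The following Python script is an added example, not code from the thread or from the CRS project: it models three sibling rules over a special-character class modelled on the one in her example rule (a readable subset, constructed here), once with open-ended "N or more" thresholds and once as anchored, mutually exclusive ranges, and reports which siblings fire at a given paranoia level on the 0-40 scale under discussion. The rule ids, the paranoia levels assigned to them, the weight of 5 per match and the sample argument values are all constructed; Python's `re` stands in for the PCRE engine ModSecurity uses.

```python
import re

# Special-character class modelled on the one in the example rule above
# (a readable subset, constructed for this illustration; not the CRS's list).
SC = r"[~!@#$%^&*()\-+={}\[\]|:;\"'`<>]"
NOT_SC = r"[^~!@#$%^&*()\-+={}\[\]|:;\"'`<>]"

# Sibling rules as (rule_id, paranoia_level, score_weight, pattern). Ids,
# levels on the 0-40 scale and the weight of 5 per hit are constructed values.
#
# Variant A, cumulative: "N or more" thresholds. Nothing stops a request with
# many special characters from matching every sibling enabled at the current
# paranoia level, so one request yields several log entries.
CUMULATIVE = [
    ("sibling_pl10", 10, 5, re.compile(rf"(?:{SC}.*?){{5,}}", re.S)),
    ("sibling_pl20", 20, 5, re.compile(rf"(?:{SC}.*?){{3,}}", re.S)),
    ("sibling_pl40", 40, 5, re.compile(rf"(?:{SC}.*?){{1,}}", re.S)),
]

# Variant B, exclusive: anchor both ends and forbid the class between hits, so
# the quantifier counts exactly and the ranges 1-2, 3-4 and 5+ do not overlap.
EXCLUSIVE = [
    ("sibling_pl10", 10, 5, re.compile(rf"^(?:{NOT_SC}*{SC}){{5,}}{NOT_SC}*$", re.S)),
    ("sibling_pl20", 20, 5, re.compile(rf"^(?:{NOT_SC}*{SC}){{3,4}}{NOT_SC}*$", re.S)),
    ("sibling_pl40", 40, 5, re.compile(rf"^(?:{NOT_SC}*{SC}){{1,2}}{NOT_SC}*$", re.S)),
]


def evaluate(rules, payload, paranoia_level):
    """Run every sibling enabled at paranoia_level against one argument value.

    Returns (ids_that_matched, summed_anomaly_score); each matched id stands
    for one log entry the engine would write for this request.
    """
    fired = [rid for rid, pl, _w, rx in rules
             if pl <= paranoia_level and rx.search(payload)]
    score = sum(w for rid, _pl, w, _rx in rules if rid in fired)
    return fired, score


def count_special(payload):
    """Plain count of class members, to cross-check what the regexes decide."""
    return len(re.findall(SC, payload))


# Constructed argument values: a textbook tautology a SQLi rule should flag
# (five class members), a mild value with three, and a benign one with none.
SQLI_SAMPLE = "1' OR '1'='1"
THREE_SPECIALS = "foo(bar)=1"
BENIGN = "hello world"

if __name__ == "__main__":
    for name, payload in [("sqli", SQLI_SAMPLE), ("three", THREE_SPECIALS), ("benign", BENIGN)]:
        print(f"{name}: {count_special(payload)} special chars")
        for level in (0, 10, 20, 40):
            print(f"  PL{level:>2} cumulative={evaluate(CUMULATIVE, payload, level)}"
                  f" exclusive={evaluate(EXCLUSIVE, payload, level)}")
```

With the five-character sample at paranoia level 40 the cumulative form fires all three siblings (three log entries, score 15), which is exactly the situation the question describes; the exclusive form fires only the 5+ sibling (one entry, score 5). The difference is the anchoring: an unanchored `(...){3,4}` still matches a value with five or more hits, because the engine simply stops after four, so a sibling only becomes exclusive once the class is forbidden between hits and both ends are anchored. Which behaviour is wanted is the open design question: cumulative siblings let the anomaly score grow with the paranoia level, exclusive ones keep one entry per request but give up that extra signal.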
