Glad to see your openness towards this, Chaim. In the end, to me, it seems to be a usability-functionality trade-off. The degree of complexity added by some additional space should not amount for the potential functionality.
And, you never know what the future holds ;)

> On 09 Feb 2016, at 16:42, Chaim Sanders <csand...@trustwave.com> wrote:
>
> Well it seems like everyone likes this out of 40 scale and honestly I’m
> not opposed :).
>
> On 2/9/16, 3:58 AM,
> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
> Franziska Buehler"
> <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
> franziska.buehler.schmoc...@gmail.com> wrote:
>
>> Dear Christian,
>> Dear all,
>>
>> Very clear and reasoned writing!
>> I see a benefit to choose the numbering of the paranoia level between 0
>> and 40.
>> It’s distinguishable from the anomaly scoring and does not lead to
>> misunderstanding.
>> Default set to 10 sounds good for me.
>> But I also see Chaim’s point not to leave that space.
>>
>> Another question:
>> If we clone rules to stricter siblings, we’ll produce a lot of log
>> entries.
>> Requests with more than 5 special characters and a paranoia level of
>> 40 will create three distinct log-entries in turn.
>> Is that the behavior that we want?
>> Maybe we have to write the siblings in a way that only one rule
>> matches, even at a high paranoia level?
>> Example: SecRule ARGS_NAMES|ARGS|XML:/*
>> "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){3,4}"
>> \
>>
>> Regards,
>> Franziska
>>
>> 2016-02-09 5:53 GMT+01:00 Chaim Sanders <csand...@trustwave.com>:
>>> Thanks Noel!
>>> I will say @Christian that every time we leave space we never end up
>>> using the space we leave. I'd vote for just 0-4, but it is just one
>>> man's opinion.
>>>
>>> On 2/8/16, 11:20 PM,
>>> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
>>> Noël Zindel" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on
>>> behalf of m...@noelzindel.org> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> let me chime in on this.
>>>>
>>>> From a newbie perspective, I'd argue, the 0-4 definition would make
>>>> sense since it would be a logical choice.
>>>> You should be able to easily distinguish between the paranoia rating
>>>> and the anomaly rating through the latter's variable-definition e.g.
>>>> warning, critical, …
>>>>
>>>> Nevertheless, Christian's argument "If we leave some room between the
>>>> numbers, we have room to fill them in the future." favours 0-40.
>>>> At least for me, since I like the idea of planning way ahead.
>>>>
>>>> So, from my point of view, a range of 0-40 would be the favourable
>>>> choice. But, its arbitrary nature would require a well-curated
>>>> documentation.
>>>>
>>>> It's good to see the community's commitment on this and I hope to be of
>>>> any help.
>>>>
>>>> Cheers,
>>>> Noël
>>>>
>>>>> On 08 Feb 2016, at 22:12, Christian Folini
>>>>> <christian.fol...@netnea.com> wrote:
>>>>>
>>>>> Thanks Chaim and Lukas!
>>>>>
>>>>> I got positive feedback via private messages too.
>>>>>
>>>>> The one question, where I am still unsure (and the
>>>>> feedback / criticism is also split) is the question
>>>>> of the good integer range for the paranoia level.
>>>>> 0-4 or rather 0-40.
>>>>>
>>>>> Still not sure.
>>>>>
>>>>> Thoughts on this question are thus very welcome.
>>>>>
>>>>> Ahoj,
>>>>>
>>>>> Christian
>>>>>
>>>>>
>>>>> On Mon, Feb 08, 2016 at 02:31:47PM +0000, Chaim Sanders wrote:
>>>>>> Good writeup Christian!
>>>>>>
>>>>>> On 2/8/16, 2:59 AM,
>>>>>> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
>>>>>> Funk, Lukas" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
>>>>>> on behalf of lukas.f...@united-security-providers.ch> wrote:
>>>>>>
>>>>>>> Hi Christian and all,
>>>>>>>
>>>>>>> I follow the discussion about the paranoia mode with great
>>>>>>> interest. I think it could be a good starting point for ModSecurity
>>>>>>> users which do not have the expert knowledge of the rules.
>>>>>>>
>>>>>>> Looking at your proposed structure of the paranoia mode setup, I
>>>>>>> think it's on a good track. The structure is easy to understand!
>>>>>>> Unfortunately I can't comment the different rules, as I don't have
>>>>>>> much experience with them.
>>>>>>>
>>>>>>> Thanks to all of you putting such great effort to the CRS and I'm
>>>>>>> really looking forward to version 3!
>>>>>>>
>>>>>>> Cheers, Lukas
>>>>>>>
>>>>>>>
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>> With the progress we are making on the rules front, it is time to
>>>>>>>>> talk about the way it could be implemented.
>>>>>>>>> It's time for the show-me-the-code. Here you go:
>>>>>>>>>
>>>>>>>>> http://scanmail.trustwave.com/?c=4062&d=tN-41hG4qCjBMKf0XEE90boFBx23NXMA8kit7zcE9Q&s=5&u=https%3a%2f%2fwww%2enetnea%2ecom%2fcms%2f2016%2f02%2f04%2fowasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/
>>>>>>>>>
>>>>>>>>> Feedback welcome!
>>>>>>>>>
>>>>>>>>> Christian
>>>>>>
>>>>>>
>>>>>> ________________________________
>>>>>>
>>>>>> This transmission may contain information that is privileged,
>>>>>> confidential, and/or exempt from disclosure under applicable law. If
>>>>>> you are not the intended recipient, you are hereby notified that any
>>>>>> disclosure, copying, distribution, or use of the information contained
>>>>>> herein (including any reliance thereon) is strictly prohibited. If you
>>>>>> received this transmission in error, please immediately contact the
>>>>>> sender and destroy the material in its entirety, whether in electronic
>>>>>> or hard copy format.
>>>>>
>>>>> --
>>>>> mailto:christian.fol...@netnea.com
>>>>> http://scanmail.trustwave.com/?c=4062&d=kvC51uiCoFG6D9Z7NWTJ-HkiUDGrZPVdMSeebAdKbQ&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
>>>>> twitter: @ChrFolini
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
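
The logging question raised in the quoted thread (cloned siblings each writing an entry, versus siblings written so that only one matches), as an added example that is not part of any poster's message or of the CRS code. The sibling levels and thresholds are constructed assumptions, and the character class is the ASCII part of the one in the quoted rule.

```python
import re

# ASCII subset of the special-character class from the rule quoted in the thread.
SPECIAL = r"[~!@#$%^&*()\-+={}\[\]|:;\"'`<>]"

# Constructed assumption: three sibling rules as (paranoia level, minimum count).
SIBLINGS = [(10, 6), (20, 5), (40, 3)]


def count_special(value):
    return len(re.findall(SPECIAL, value))


def cumulative_hits(value, paranoia_level):
    """Cloned siblings: every enabled rule whose minimum is reached logs."""
    n = count_special(value)
    return [pl for pl, lo in SIBLINGS if pl <= paranoia_level and n >= lo]


def banded_hits(value, paranoia_level):
    """Exclusive bands: a sibling logs only below the next sibling's minimum."""
    n = count_special(value)
    ordered = sorted(SIBLINGS, key=lambda s: s[1])
    hits = []
    for i, (pl, lo) in enumerate(ordered):
        hi = ordered[i + 1][1] - 1 if i + 1 < len(ordered) else None
        if pl <= paranoia_level and n >= lo and (hi is None or n <= hi):
            hits.append(pl)
    return hits


def regex_band_matches(value, lo, hi):
    """Unanchored bounded quantifier in the shape of the quoted rule.

    A regex search succeeds on any substring, so an upper bound in the
    quantifier does not stop longer inputs from matching.
    """
    pattern = r"(%s.*?){%d,%d}" % (SPECIAL, lo, hi)
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    sample = "a=(b);c=<d>"  # constructed input with 7 special characters
    print(count_special(sample), cumulative_hits(sample, 40),
          banded_hits(sample, 40), regex_band_matches(sample, 3, 4))
```

With these constructed thresholds, one value produces three entries under cumulative siblings and one under counted bands, while the `{3,4}` pattern alone still matches the 7-character case.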