Yep, that’s my thinking – also it is best to let the community decide what they need ☺ I am but one member of that community. Thank you for your two cents Noel and please, keep committing, without help from people like you it is very hard to decide on features like this!

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Noël Zindel
Sent: Tuesday, February 09, 2016 12:16 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Mechanics Proposal

Glad seeing your openness towards this, Chaim. In the end, to me, it seems to be a usability-functionality trade-off. The degree of complexity added by some additional space should not amount for the potential functionality. And, you never know what the future holds ;)

On 09 Feb 2016, at 16:42, Chaim Sanders <csand...@trustwave.com> wrote:

Well it seems like everyone likes this out of 40 scale and honestly I’m not opposed :).

On 2/9/16, 3:58 AM, "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of Franziska Buehler" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of franziska.buehler.schmoc...@gmail.com> wrote:

Dear Christian, Dear all,

Very clear and reasoned writing! I see a benefit to choose the numbering of the paranoia level between 0 and 40. It’s distinguishable from the anomaly scoring and does not lead to misunderstanding. Default set to 10 sounds good for me. But I also see Chaim’s point not to leave that space.

Another question: If we clone rules to stricter siblings, we’ll produce a lot of log entries. Requests with more than 5 special characters and a paranoia level of 40 will create three distinct log-entries in turn. Is that the behavior that we want? Maybe we have to write the siblings in a way that only one rule matches, even at a high paranoia level?
Example:

    SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){3,4}" \

Regards,
Franziska

2016-02-09 5:53 GMT+01:00 Chaim Sanders <csand...@trustwave.com>:

Thanks Noel! I will say @Christian that every time we leave space we never end up using the space we leave. I’d vote for just 0-4, but it is just one man’s opinion.

On 2/8/16, 11:20 PM, "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of Noël Zindel" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of m...@noelzindel.org> wrote:

Hi everyone,

let me chime in on this. From a newbie perspective, I’d argue, the 0-4 definition would make sense since it would be a logical choice. You should be able to easily distinguish between the paranoia rating and the anomaly rating through the latter’s variable-definition e.g. warning, critical, ...

Nevertheless, Christian’s argument “If we leave some room between the numbers, we have room to fill them in the future.” favours 0-40. At least for me, since I like the idea of planning way ahead. So, from my point of view, a range of 0-40 would be the favourable choice. But, its arbitrary nature would require a well-curated documentation.

It’s good to see the community’s commitment on this and I hope to be of any help.

Cheers,
Noël

On 08 Feb 2016, at 22:12, Christian Folini <christian.fol...@netnea.com> wrote:

Thanks Chaim and Lukas!

I got positive feedback via private messages too. The one question, where I am still unsure (and the feedback / criticism is also split) is the question of the good integer range for the paranoia level. 0-4 or rather 0-40. Still not sure. Thoughts on this question are thus very welcome.

Ahoj,

Christian

On Mon, Feb 08, 2016 at 02:31:47PM +0000, Chaim Sanders wrote:

Good writeup Christian!

On 2/8/16, 2:59 AM, "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of Funk, Lukas" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of lukas.f...@united-security-providers.ch> wrote:

Hi Christian and all,

I follow the discussion about the paranoia mode with great interest. I think it could be a good starting point for ModSecurity users which do not have the expert knowledge of the rules. Looking at your proposed structure of the paranoia mode setup, I think it's on a good track. The structure is easy to understand! Unfortunately I can't comment the different rules, as I don't have much experience with them.

Thanks to all of you putting such great effort to the CRS and I'm really looking forward to version 3!

Cheers,
Lukas

Dear all,

With the progress we are making on the rules front, it is time to talk about the way it could be implemented. It's time for the show-me-the-code. Here you go:

https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/

Feedback welcome!

Christian

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini

_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
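
Added example, not part of the thread: Franziska's question about cloned sibling rules and the `{3,4}` rule she quotes can be tried out in Python, whose `re` module stands in here for ModSecurity's regex engine. It compares open-ended clones, bounded bands in an unanchored search, and bounded bands matched against the whole value. The sibling thresholds, their paranoia levels, the shortened character class and the sample value are constructed for illustration.

```python
import re

# Shortened special-character class (assumption: ASCII subset of the quoted rule's class).
CLASS = r"~!@#$%^&*()\-+={}\[\]|:;\"'`<>"
SPECIAL = "[" + CLASS + "]"
OTHER = "[^" + CLASS + "]"

# Constructed sibling set: (paranoia level that enables it, min count, max count or None).
SIBLINGS = [(20, 6, None), (30, 5, 5), (40, 3, 4)]

SAMPLE = "a=1;b=2;c=<x>"  # constructed value with 7 special characters


def quant(lo, hi, banded):
    """Quantifier for one sibling: open-ended clone, or a band with an upper bound."""
    if not banded or hi is None:
        return "{%d,}" % lo
    return "{%d,%d}" % (lo, hi)


def unanchored(lo, hi, banded):
    # Shape of the quoted rule: the search may start and stop anywhere in the value,
    # so an upper bound only limits how much is consumed, not how much is present.
    return re.compile("(?:" + SPECIAL + ".*?)" + quant(lo, hi, banded), re.S)


def anchored(lo, hi, banded):
    # Whole-value match: the quantifier now counts every special character,
    # so the bands become mutually exclusive.
    return re.compile(r"\A" + OTHER + "*(?:" + SPECIAL + OTHER + "*)"
                      + quant(lo, hi, banded) + r"\Z")


def log_entries(value, paranoia_level, build, banded):
    """Paranoia levels of the enabled siblings that match (one log entry each)."""
    return [pl for pl, lo, hi in SIBLINGS
            if pl <= paranoia_level and build(lo, hi, banded).search(value)]


if __name__ == "__main__":
    print("clones, unanchored:", log_entries(SAMPLE, 40, unanchored, False))
    print("bands, unanchored: ", log_entries(SAMPLE, 40, unanchored, True))
    print("bands, whole value:", log_entries(SAMPLE, 40, anchored, True))
```

At paranoia level 40 the sample value matches all three siblings both as open-ended clones and as unanchored bands, and only one sibling when the bands are matched against the whole value.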