I agree: keeping that many different levels will be complex to maintain and 
difficult to understand. The idea of a table to see the difference looks good 
to me.

Regards,
Manuel

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Walter Hop
Sent: Tuesday 9 February 2016 21:06
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Mechanics Proposal

It’s a bit of a bikeshed subject, but I think a few levels is better. I think 
it would be a tricky future if we'd have to say things like: “hmmm, this rule 
is too heavy for 10 but too light for 15, let’s put it at 13”. How would a 
novice user ever guess the effects? Most people will pick one number and then 
troubleshoot.

We are brainstorming a lot about rules and parameters but we don’t have 
consensus on definitions first. If we have an integer scale with so many levels 
it might be very hard to describe what happens at a level. If we have just a 
few levels, we can provide definitions. What about this:

paranoia level 0: we try blocking definite attacks with small chance of false 
positives (default)
paranoia level 1: we will be strict about protocol anomalies, this might cause 
some special clients like loadbalancers and scanners to cause false positives
paranoia level 2: we will start blocking on suspicious heuristics which aren’t 
indicative of a certain attack but can be suspicious (e.g. use of MANY special 
characters; low-value PHP keywords and OS commands)
paranoia level 3: the CRS will apply stricter heuristics (e.g. use of SOME 
special characters)
paranoia level 4: the CRS will be the most strict

Then, we could easily document and maintain our paranoia decisions.
We could make a table like this, so sysadmins know exactly what is happening:

ruleId    0        1        2                  3                  4                what would trigger?
920300    allowed  warning  warning            block              block            no Accept header
920350    allowed  warning  warning            block              block            Host is IP4 address
931130    allowed  allowed  block              block              block            /?url=http://example.com
9123456   allowed  allowed  block on 40 chars  block on 10 chars  block on 1 char  /?id=%00blah

This clarity is something you lose if you can go to 40 levels.

Cheers,
WH
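A small simulation of the mechanics sketched in the proposal above, added here as an example and not code from the thread or from the CRS project: the table rows become per-level verdicts, and the trigger predicates and the special-character threshold for the placeholder rule 9123456 are my own assumptions about what the "what would trigger?" column means.

```python
import re
from urllib.parse import parse_qs, urlsplit

# rule id -> (verdict per paranoia level 0..4, trigger predicate), rows copied
# from the proposed table. The predicates are my own sketches of what the
# "what would trigger?" column could mean, not CRS rule logic.
def _host_is_ipv4(req):
    host = req["headers"].get("host", "").split(":")[0]
    return re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", host) is not None

TABLE = {
    920300: (["allowed", "warning", "warning", "block", "block"],
             lambda req: "accept" not in req["headers"]),
    920350: (["allowed", "warning", "warning", "block", "block"], _host_is_ipv4),
    931130: (["allowed", "allowed", "block", "block", "block"],
             lambda req: any(re.match(r"https?://", v) for v in req["params"])),
}
# Rule 9123456 (placeholder id from the table): block once a parameter value
# holds at least N "special" characters; N tightens as the level rises.
SPECIAL_CHAR_LIMIT = {2: 40, 3: 10, 4: 1}

def parse_request(request_line, headers):
    """Build a request dict from a constructed request line plus headers."""
    _method, target, _version = request_line.split(" ", 2)
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).values()
    return {"params": [v for vs in values for v in vs],
            "headers": {k.lower(): v for k, v in headers.items()}}

def evaluate(req, level):
    """Return {rule_id: verdict} for every rule that fires at this level."""
    if level not in range(5):
        raise ValueError("paranoia level must be 0-4")
    hits = {rid: verdicts[level] for rid, (verdicts, fires) in TABLE.items()
            if fires(req) and verdicts[level] != "allowed"}
    limit = SPECIAL_CHAR_LIMIT.get(level)
    if limit is not None:
        specials = max((sum(not c.isalnum() and c not in " _.-" for c in v)
                        for v in req["params"]), default=0)
        if specials >= limit:
            hits[9123456] = "block"
    return hits

def final_verdict(req, level):
    """Most severe verdict across all rules: block > warning > allowed."""
    hits = evaluate(req, level)
    return "block" if "block" in hits.values() else "warning" if hits else "allowed"
```

Running the two table requests through every level shows the point of the proposal: an admin reading one row can predict exactly when a request starts to warn and when it starts to block.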

On 08 Feb 2016, at 22:12, Christian Folini <christian.fol...@netnea.com> wrote:

Thanks Chaim and Lukas!

I got positive feedback via private messages too.

The one question, where I am still unsure (and the
feedback / criticism is also split) is the question
of the good integer range for the paranoia level.
0-4 or rather 0-40.

Still not sure.

Thoughts on this question are thus very welcome.

Ahoj,

Christian


On Mon, Feb 08, 2016 at 02:31:47PM +0000, Chaim Sanders wrote:

Good writeup Christian!

On 2/8/16, 2:59 AM, "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on 
behalf of Funk, Lukas" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
on behalf of lukas.f...@united-security-providers.ch> wrote:


Hi Christian and all,

I follow the discussion about the paranoia mode with great interest. I
think it could be a good starting point for ModSecurity users who do
not have the expert knowledge of the rules.

Looking at your proposed structure of the paranoia mode setup, I think
it's on a good track. The structure is easy to understand!
Unfortunately I can't comment on the different rules, as I don't have much
experience with them.

Thanks to all of you putting such great effort into the CRS, and I'm really
looking forward to version 3!

Cheers, Lukas



Dear all,

With the progress we are making on the rules front, it is time to talk
about the way it could be implemented.
It's time for the show-me-the-code. Here you go:


http://scanmail.trustwave.com/?c=4062&d=tN-41hG4qCjBMKf0XEE90boFBx23NXMA8kit7zcE9Q&s=5&u=https%3a%2f%2fwww%2enetnea%2ecom%2fcms%2f2016%2f02%2f04%2fowasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/

Feedback welcome!

Christian


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
