Hello again,

On Tue, Feb 09, 2016 at 10:29:54PM +0100, Walter Hop wrote:
> Well, such a tuning was just one proposal to reduce FP for non-paranoid users
> so it might tip the balance in favor of keeping the rule in base. (Moving it
> to paranoid is just one possible way to change the FP / protection balance)

That makes a lot of sense. I was not aware of this reasoning behind your previous message. Thanks for making this clear.

> I'm not 100% sure we should go very far with whitelistings in the default
> set. But there is some precedent (excluding Google Analytics cookies,
> formerly also Piwik I think). The CRS does carve little holes sometimes in
> order to deal with reality of the current web and still be strict on the rest
> (while commercial WAFs are necessarily much less strict on this, since it
> causes them too many support calls).

Exactly.

> I would hate to see the rule totally disappear from base just on my one FP
> note though. Maybe more people can check their audit logs for the rule since
> it's in CRSv2 too. It does rule out a lot of exploits on legacy / in house
> PHP apps and attackers try it daily. So it's a hard call...

Let's keep it in the base / on the default paranoia level then. Adding the whitelisting you proposed does little harm and is in line with the UUID whitelisting Noël has developed for 981173 (lately moved to https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173)

Cheers,

Christian

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
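Added illustration, not part of the thread and not the rule from Noël's sibling page or the CRS: the general shape of a narrow, per-parameter UUID exclusion for 981173 in ModSecurity 2.x rule language. The parameter name `id`, the rule id 10001, and the premise that a UUID's hyphens are what push a value over the restricted-character count of 981173 are assumptions made for this example.

```apache
# Added example (not from the thread, the CRS, or the sibling page).
# Exempt a parameter from 981173 for this transaction only, and only when
# its value actually has the shape of a UUID. A non-UUID value in the same
# parameter is still inspected, so this is not a blanket whitelisting.
#
# Assumptions: the application parameter is named "id"; id 10001 is free in
# the local rule-id range; this file is included before the CRS SQL injection
# rules so the phase 2 ctl action is applied before 981173 runs.
SecRule ARGS:id "@rx ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" \
    "id:10001,\
    phase:2,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=981173;ARGS:id"
```

Because the exclusion is tied to a regex match rather than to the parameter name alone, an attacker who puts SQL in `id` instead of a UUID gets no benefit from it; that is the property that makes this kind of carve-out acceptable on the default paranoia level.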