Hi there,

This is just to let you know that I think we settled this discussion
with the resolution to keep it in the set of base rules / on the
default paranoia level.

Walter suggested a set of whitelistings for the rule to avoid
false positives. These should be added, but this will be outside
of the paranoia mode pull request.

Cheers,

Christian



On Wed, Feb 10, 2016 at 07:36:10AM +0100, Christian Folini wrote:
> Hello again,
> 
> On Tue, Feb 09, 2016 at 10:29:54PM +0100, Walter Hop wrote:
> > Well, such a tuning was just one proposal to reduce FP for non-paranoid 
> > users so it might tip the balance in favor of keeping the rule in base. 
> > (Moving it to paranoid is just one possible way to change the FP / 
> > protection balance)
> 
> That makes a lot of sense. I was not aware of this reasoning behind your
> previous message. Thanks for making this clear.
> 
> > I’m not 100% sure we should go very far with whitelistings in the default 
> > set. But there is some precedent (excluding Google Analytics cookies, 
> > formerly also Piwik I think). The CRS does carve little holes sometimes in 
> > order to deal with reality of the current web and still be strict on the 
> > rest (while commercial WAFs are necessarily much less strict on this, since 
> > it causes them too many support calls).
> 
> Exactly.
> 
> > I would hate to see the rule totally disappear from base just on my one FP 
> > note though. Maybe more people can check their audit logs for the rule 
> > since it’s in CRSv2 too. It does rule out a lot of exploits on legacy / in 
> > house PHP apps and attackers try it daily. So it’s a hard call...
> 
> Let's keep it in the base / on the default paranoia level then. Adding the
> whitelisting you proposed does little harm and is in line with the UUID
> whitelisting Noël has developed for 981173 (lately moved to
> https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173)
> 
> Cheers,
> 
> Christian
> 
> -- 
> mailto:christian.fol...@netnea.com
> http://www.christian-folini.ch
> twitter: @ChrFolini
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
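As an added illustration of the kind of whitelisting discussed in this thread (it is not Noël's rule and not code from the CRS): a ModSecurity exclusion that keeps the CRS v2 special-character rule 981173 active while stopping one UUID-valued parameter from triggering it. The parameter name `session_id`, the rule id 10001 and the `@rx` pattern are assumptions for this example, and the exclusion must be loaded before the CRS rule files so that the `ctl` action runs before 981173 is evaluated.

```apache
# Added example, not CRS or list-member code. Assumptions: the application
# sends a UUID in the request argument "session_id", and this snippet is
# included ahead of the CRS rule files so that the ctl action below has
# already run when rule 981173 is evaluated in phase 2.
#
# Only when the value is a well-formed UUID (its four hyphens are what push
# the value over the special-character threshold) is that single argument
# removed from the targets of 981173. A non-UUID value in the same parameter
# is still inspected, so the rule keeps its coverage for everything else.
SecRule ARGS:session_id "@rx ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" \
    "id:10001,\
    phase:2,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=981173;ARGS:session_id"
```

The same pattern can be repeated per parameter; keeping each exclusion narrow (one rule id, one named target) is what lets the rule stay in the base set without the false positive.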
