On 13 Feb 2016, at 06:30, Christian Folini <christian.fol...@netnea.com> wrote:

> It seems I overlooked this candidate, where Franziska said she is unsure
> whether we should block certain countries in a default installation or
> not.
>
> The rule does:
> SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}"
>
> With tx.high_risk_country_codes being set to
> "UA ID YU LT EG RO BG TR RU PK MY CN"
> in modsecurity_crs_10_setup.conf.example.
>
> Depending on your location, requests from the given set of
> countries may be desired and not potential attacks. So I think
> Franziska has a point.
>
> One resolution would be to leave the rule where it is, but comment
> out the definition of the variable in modsecurity_crs_10_setup.conf.example
> and provide multiple default variants in the comments.
> That could also be performed in combination with the move to
> the paranoia mode.
>
> Opinions?

I agree fully. We shouldn’t make this decision for everyone. I have to admit that I see some listed countries relatively often in bad traffic, but that’s selection bias - in a Western European country I won’t see as much business with them, but there are billions of people for whom this is completely normal.

The rule is only at anomaly level. People don’t always seem to understand that though:
https://forums.cpanel.net/threads/owasp-900022.452822/
Maybe the comment could be clarified a bit more as to the actual impact.

I don’t know what the performance impact or behavior of the rule is when tx.high_risk_country_codes is empty. If that’s not a problem, we can just comment it out. Otherwise it might be useful to first check if tx.high_risk_country_codes is nonempty in the rule.

Also, Yugoslavia hasn’t existed for a very long time now. :)

--
Walter Hop | PGP key: https://lifeforms.nl/pgp