Walter,

Thanks for the further testing.

On Sat, Feb 13, 2016 at 08:54:23PM +0100, Walter Hop wrote:
> To try to get some test data, I enabled the rule again on some staging &
> internal sites to make it critical again. The experience was pretty horrible.
> There was a lot of breakage, colleagues complaining that I am wasting their
> time with 403 errors, and now I remember why I had edited this rule... :) As
> I could have expected, apps that broke were basically anything where a URL is
> passed.

Really interesting. Our environments are so different. I really see very few FPs here. But it's not the same type of software running on the servers.

> This is just from a few days of people getting 403s. So after this
> experiment, I’m tending towards saying, this is the type of rule that makes
> the CRS scary to use, even if the rule is effective against RFI.
>
> Of course if the default paranoia level is nonzero and it stays at that
> level, we have sorta CRSv2 parity and still a good way to get out of these FP.

I am not sure I understand your last sentence correctly. If we have most rules at paranoia level 1 and the default is paranoia level 1, should this rule be a 1 with additional whitelisting of FPs, or should we assign it a paranoia level of 2? I'm OK with both options.

Ahoj,

Christian

--
The reasonable man adapts himself to the world; the unreasonable man persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man.
-- George Bernard Shaw

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set