Chaim, I see you and Walter agreeing on the idea to keep the rule around in standard mode. I would probably still comment out the default country list - but that's a different question.
I've removed the rule from the list of paranoia candidates.

Btw: The country list involves China, but the documentation does not name China (but all the other countries).

Cheers,

Christian

On Mon, Feb 15, 2016 at 04:19:44AM +0000, Chaim Sanders wrote:
> In general I like to assume that if people are going to get caught by
> something blocking unintentionally it will be a configuration from the
> configuration file, as they are supposed to be reading those :-). I
> honestly haven't heard many complaints about this feature and as a result
> I'd probably leave it enabled as it, as sad as it is, is fairly effective.
>
> On 2/13/16, 12:30 AM,
> "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
> Christian Folini" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> on behalf of christian.fol...@netnea.com> wrote:
>
> >Hi there,
> >
> >It seems I overlooked this candidate, where Franziska said she is unsure
> >whether we should block certain countries in a default installation or
> >not.
> >
> >The rule does:
> > SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}"
> >
> >With tx.high_risk_country_codes being set to
> >"UA ID YU LT EG RO BG TR RU PK MY CN"
> >in modsecurity_crs_10_setup.conf.example.
> >
> >Depending on your location, requests from the given set of
> >countries may be desired and not potential attacks. So I think
> >Franziska has a point.
> >
> >One resolution would be to leave the rule where it is, but comment
> >out the definition of the variable in
> >modsecurity_crs_10_setup.conf.example
> >and provide multiple default variants in the comments.
> >That could also be performed in combination with the move to
> >the paranoia mode.
> >
> >Opinions?
> >
> >Christian
> >
> >
> >--
> >The problem is, if you're not a hacker,
> >you can't tell who the good hackers are.
> >--- Paul Graham

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set