Correct.  At the time we created those rules, that was the paper we were 
referencing.  High fraud countries can be flagged globally; however, this is 
highly dependent upon the web site's geo location and their legit user base 
location.

From:  <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> on behalf of 
Walter Hop <mod...@spam.lifeforms.nl>
Date:  Monday, February 15, 2016 at 4:56 PM
To:  "owasp-modsecurity-core-rule-set@lists.owasp.org" 
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject:  Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten 
controversial candidate 900050 / 910100 (Client IP is from a HIGH Risk Country 
Location)

I think the source is an article from 2003, which explains why Yugoslavia is in 
the list:
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=2A684B6B2B6E99D03F578D3296E05483?doi=10.1.1.198.9996&rep=rep1&type=pdf

(Just to correct, I didn’t want to keep the rule enabled by default, but 
instead I’d rather comment it as an example.)


On 15 Feb 2016, at 21:55, iul...@sphere.ro wrote:

Dears, 

I am just wondering on what basis you are considering these countries to be 
potentially risky? 

Even if those are risky simply putting these on default will be a mistake.
Most people don't read the configuration file or don't fully understand every 
feature and just stick with the default configuration.

If you want advanced protection then you are forced to make changes or even 
make your own rules.

Best regards,
Iulian



On February 15, 2016 10:17:35 PM GMT+02:00, Christian Folini 
<christian.fol...@netnea.com> wrote:
Chaim,

I see you and Walter agreeing on the idea to keep the rule around
in standard mode. I would probably still comment out the default
country list - but that's a different question.

I've removed the rule from the list of paranoia candidates.

Btw: The country list involves China, but the documentation does not
name China (but all the other countries).

Cheers,

Christian


On Mon, Feb 15, 2016 at 04:19:44AM +0000, Chaim Sanders wrote:
 In general I like to assume that if people are going to get caught by
 something blocking unintentionally it will be a configuration from the
 configuration file, as they are supposed to be reading those :-). I
 honestly haven't heard many complaints about this feature and as a result
 I'd probably leave it enabled as it, as sad as it is, is fairly effective.
 
 On 2/13/16, 12:30 AM,
 "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of
 Christian Folini" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
 on behalf of christian.fol...@netnea.com> wrote:
 
Hi there,

It seems I overlooked this candidate, where Franziska said she is unsure
whether we should block certain countries in a default installation or
not.

The rule does:
  SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}"

With tx.high_risk_country_codes being set to
"UA ID YU LT EG RO BG TR RU PK MY CN"
in modsecurity_crs_10_setup.conf.example.

Depending on your location, requests from the given set of
countries may be desired and not potential attacks. So I think
Franziska has a point.

One resolution would be to leave the rule where it is, but comment
out the definition of the variable in
modsecurity_crs_10_setup.conf.example
and provide multiple default variants in the comments.
That could also be performed in combination with the move to
the paranoia mode.

Opinions?

Christian


--
The problem is, if you're not a hacker,
you can't tell who the good hackers are.
--- Paul Graham

Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
http://scanmail.trustwave.com/?c=4062&d=5sS-1i1jGNzLWl4_4Oku6bhM-zSgEVOp-ixlzEmHDg&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

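The practical check behind Chaim's and Christian's point (the country list is only useful if it does not overlap the site's legitimate user base) can be done offline before the rule is ever enabled. The following is an added example, not CRS project code and not anything posted in this thread: it reproduces in plain Python the condition that rule 910100 tests, GEO:COUNTRY_CODE against the space-separated tx.high_risk_country_codes value, and runs it over an access log to count how many requests the default list would flag per country. The GEO_TABLE mapping stands in for a GeoIP lookup, the log lines are constructed for the example, and the function names are my own.

```python
"""Dry-run a ModSecurity CRS high-risk-country list against sample traffic.

Added example, not CRS project code. It mirrors what rule 910100 checks
(GEO:COUNTRY_CODE against tx.high_risk_country_codes) so an operator can see,
before enabling the rule, how much of their own traffic the default list would
flag. The geo lookup table and the log lines are constructed for this example;
a real run would use a GeoIP database and the site's own access log.
"""
from collections import Counter
from typing import Dict, Tuple

# The CRS 2.x default from modsecurity_crs_10_setup.conf.example, as quoted in the thread.
DEFAULT_HIGH_RISK = "UA ID YU LT EG RO BG TR RU PK MY CN"

# Constructed stand-in for a GeoIP lookup: client IP -> ISO country code.
GEO_TABLE: Dict[str, str] = {
    "198.51.100.10": "DE",
    "198.51.100.11": "DE",
    "203.0.113.5": "RO",
    "203.0.113.6": "RO",
    "203.0.113.7": "CN",
    "192.0.2.44": "US",
}

# Constructed access-log lines (combined log format, client IP is the first field).
SAMPLE_LOG = """\
198.51.100.10 - - [15/Feb/2016:21:55:01 +0100] "GET / HTTP/1.1" 200 512
198.51.100.11 - - [15/Feb/2016:21:55:02 +0100] "GET /login HTTP/1.1" 200 801
203.0.113.5 - - [15/Feb/2016:21:55:03 +0100] "POST /login HTTP/1.1" 302 0
203.0.113.6 - - [15/Feb/2016:21:55:04 +0100] "GET /account HTTP/1.1" 200 2211
203.0.113.7 - - [15/Feb/2016:21:56:10 +0100] "GET /wp-login.php HTTP/1.1" 404 170
192.0.2.44 - - [15/Feb/2016:21:56:11 +0100] "GET /about HTTP/1.1" 200 930
"""


def parse_country_list(value: str) -> frozenset:
    """Split the space-separated tx.high_risk_country_codes value into a set of codes."""
    return frozenset(code.upper() for code in value.split())


def client_ip(log_line: str) -> str:
    """First field of a combined-format access log line."""
    return log_line.split(" ", 1)[0]


def country_of(ip: str, geo: Dict[str, str]) -> str:
    """Mimic GEO:COUNTRY_CODE; unknown addresses yield '' so they never match."""
    return geo.get(ip, "")


def dry_run(log: str, geo: Dict[str, str], high_risk: str) -> Tuple[int, int, Counter]:
    """Return (total_requests, flagged_requests, flagged_per_country).

    A request counts as flagged when its country code is in the high-risk
    list, which is exactly the condition that lets rule 910100 fire.
    """
    risky = parse_country_list(high_risk)
    total = 0
    flagged: Counter = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        total += 1
        cc = country_of(client_ip(line), geo)
        if cc in risky:
            flagged[cc] += 1
    return total, sum(flagged.values()), flagged


def flagged_share(log: str, geo: Dict[str, str], high_risk: str) -> float:
    """Fraction of all requests the list would block: the operator's false-positive budget."""
    total, hit, _ = dry_run(log, geo, high_risk)
    return hit / total if total else 0.0


if __name__ == "__main__":
    total, hit, per_cc = dry_run(SAMPLE_LOG, GEO_TABLE, DEFAULT_HIGH_RISK)
    print(f"{hit}/{total} requests would be flagged: {dict(per_cc)}")
    # A site whose customers sit in RO would lose a third of this sample to the
    # default list; the share is what should drive the choice, not the shipped file.
    print(f"share with default list: {flagged_share(SAMPLE_LOG, GEO_TABLE, DEFAULT_HIGH_RISK):.2f}")
    # 'YU' (Yugoslavia, per the 2003 paper) is a code a current lookup will not return.
    print(f"share with 'YU' alone: {flagged_share(SAMPLE_LOG, GEO_TABLE, 'YU'):.2f}")
```

Run it over a few days of real access logs with a real GeoIP lookup in place of GEO_TABLE; a noticeable share of flagged requests coming from a country the site actually serves is the signal that the shipped list, or at least that country's code, should be dropped from the setup file before the rule goes live.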
