I agree, nice to see that many people sharing ;)

On my side, I propose to name the mode of operation 'strict' instead of 'paranoid'.

Regards,
Manuel

-------- Original message --------
From: Ryan Barnett <ryan.barn...@owasp.org>
Date: 16/02/2016 00:29 (GMT+01:00)
To: Christian Folini <christian.fol...@netnea.com>, Chaim Sanders <csand...@trustwave.com>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten controversial candidate 900050 / 910100 (Client IP is from a HIGH Risk Country Location)

A couple comments -

1. I am ecstatic to see all of the community feedback and participation. This is how I always envisioned it working. ModSecurity and the OWASP CRS are community projects. They will live/die by community involvement.

2. In regard to these settings – it is purely semantics, but I would recommend s/paranoid/aggressive/g. The former has a negative connotation to it while the latter seems more even-handed. The point is that these rules can provide some level of value; however, it is at the expense of False Positives.

-Ryan

From: <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> on behalf of Christian Folini <christian.fol...@netnea.com>
Date: Monday, February 15, 2016 at 3:17 PM
To: Chaim Sanders <csand...@trustwave.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten controversial candidate 900050 / 910100 (Client IP is from a HIGH Risk Country Location)

Chaim,

I see you and Walter agreeing on the idea to keep the rule around in standard mode. I would probably still comment out the default country list - but that's a different question.

I've removed the rule from the list of paranoia candidates.

Btw: The country list involves China, but the documentation does not name China (but all the other countries).

Cheers,

Christian

On Mon, Feb 15, 2016 at 04:19:44AM +0000, Chaim Sanders wrote:

In general I like to assume that if people are going to get caught by something blocking unintentionally it will be a configuration from the configuration file, as they are supposed to be reading those :-). I honestly haven't heard many complaints about this feature and as a result I'd probably leave it enabled as it, as sad as it is, is fairly effective.

On 2/13/16, 12:30 AM, "owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of Christian Folini" <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org on behalf of christian.fol...@netnea.com> wrote:

>Hi there,
>
>It seems I overlooked this candidate, where Franziska said she is unsure
>whether we should block certain countries in a default installation or
>not.
>
>The rule does:
>  SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}"
>
>With tx.high_risk_country_codes being set to
>"UA ID YU LT EG RO BG TR RU PK MY CN"
>in modsecurity_crs_10_setup.conf.example.
>
>Depending on your location, requests from the given set of
>countries may be desired and not potential attacks. So I think
>Franziska has a point.
>
>One resolution would be to leave the rule where it is, but comment
>out the definition of the variable in
>modsecurity_crs_10_setup.conf.example
>and provide multiple default variants in the comments.
>That could also be performed in combination with the move to
>the paranoia mode.
>
>Opinions?
>
>Christian
>
>
>--
>The problem is, if you're not a hacker,
>you can't tell who the good hackers are.
>--- Paul Graham
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>http://scanmail.trustwave.com/?c=4062&d=5sS-1i1jGNzLWl4_4Oku6bhM-zSgEVOp-i
>xlzEmHDg&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fow
>asp-modsecurity-core-rule-set

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini