Hello, We have finished the list of rule candidates for our little pet project. I have a working implementation under https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode and I think it is time to sort out the naming question before submitting the first pull request with the basic mechanics. (-> see https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode for an explanation of the 4 pull requests planned)
I started out this project with the idea of an "on/off" setting. Hence the idea of "mode". However, it became clear we are going to work with a "level" ranging from 0-4 instead. So the idea of "mode" no longer really applies. We need to find something better. But of course, the core question is whether this should be called paranoia, paranoid, strict or aggressive or something else. I opted for paranoia from the start and I still think it is the right term. However, there has been opposition and we need to find a solution everybody can agree with. I also think this is an important discussion, as it is a non-technical discussion. So everybody can chime in without being an expert and without running lengthy tests in his lab.

Let me open the discussion with my reasoning why "paranoia" is the right term. I will then continue to discuss the other options and then you can respond and tell me why I am wrong and why the other options are much better suited....

"Paranoia" is the new normal. The more the attacks evolve and the more servers we configure, the more we realise there is no real security without being paranoid. So while paranoia used to be a negative term, it is getting a more and more positive connotation, especially in IT security. Google the terms "paranoid information security" and you will get 2M hits. One of the top ones is http://www.darkreading.com/operations/the-perfect-infosec-mindset-paranoia-+-skepticism/a/d-id/1297596 where the author says paranoia is the standard mindset now (hence paranoia mode) and that you need to pair this with skepticism (in other words: the tuning of your ruleset). Other hits include the following titles:

13 Security and Privacy Tips for the Truly Paranoid
Security for the Paranoid - SecurityFocus
I became paranoid with computer security issues, I always ...
The paranoid CISO | CSO Online
Computer-Security Paranoia
openssl - How paranoid should the average user be about ...
Looking through some of these hits, I get the feeling that those who really care about security acknowledge that they are paranoid and that they think that is the right attitude. I also remember reading about paranoid security settings 10-20 years ago and I would skip them immediately. Now, when looking at a new software or product, the term paranoia immediately catches my eye and I read about the most paranoid options first and then decide if the product is any good. Without paranoia options, I think it must be a happy sunshine hippy thing.

Additionally, the term "PARANOID_MODE" is already there, even if it has not been in wide use in the 2.2.X series of rules:

2.2.X> grep -r -i paranoi | wc -l
9

The Merriam-Webster dictionary has multiple definitions for paranoia. One of them is: "a tendency on the part of an individual or group toward excessive or irrational suspiciousness and distrustfulness of others"

I think the adjectives "excessive", "irrational" and "distrustful" characterise our new functionality very well: When raising the level, you are enabling additional rules, which will cause an excessive number of false positives due to a general distrustful attitude towards user submitted input.

Ideally, two years down the line, ModSecurity (Core Rules) discussion will run like this:

"Man, I should install ModSecurity and the Core Rules on my server, but I heard false positives are going to kill me."
"No worries, as long as you keep the paranoia setting low, false positives are minimal."

Two weeks ago, The Register ran a story about Rob Joyce, head of NSA's Tailored Access Operations: http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/ The article closed with The Register quoting Joyce: "At the end of the day it all boils down to knowing your network, he said, and it's vital that IT administrators pick up their game and get paranoid about attacks." Well said.
And the core rules paranoia feature is going to help with this in a controlled way without killing you with false positives on the first day of the installation.

But let's look at the alternatives:

"Strict" has been named as a better term. I do not like strict. It implies that the standard installation is not strict. Or that the default rules were not strict. In fact they are very strict. Every single one of them. It's just that they are more focused on less delicate aspects of the requests. So I think the term does not work as it misleads the user into making the wrong assumptions. You could say that running the CRS in anomaly scoring mode and setting a threshold of >5 is un-strict. But the individual rules are all strict from my point of view.

This is even more true, as we have Ryan Barnett's proposal to use "aggressive". I think aggressive trumps strict as it sounds more like a gradual setting in my ears (both terms exist in German as well, so maybe these are false friends for me and their meaning is a wee bit different in English). So the new feature set would allow us to adjust how aggressive the core rule set is. That does not sound too bad. It reminds me of a "teeth metaphor" I use at times. A strong ruleset has strong teeth. By tuning false positives, you pull a few of the teeth while keeping most of them in place. The level of aggression adjusted with this new setting would thus add more teeth and the ruleset would thus become more aggressive. I guess it's not overly wrong to think of piranhas in a pond.

The root of the term comes with the idea of active defense. It lets me think of a strike back. Look up the term aggressive in the Merriam-Webster dictionary. All the definitions point in that direction: http://www.merriam-webster.com/dictionary/aggressive Aggressive always means that you not only defend, but you attack as well. (Paranoia is entirely different in this regard.
It does not imply any counter strike.) So I think aggressive does not entirely meet the character of the new functionality, which is in line with the rest of the core rule set in being entirely defensive. It just blocks attacks. It absolutely does not attempt to shut down the client, inject malware into the response or launch a DoS attack against the source IP address (which would all be possible with the right set of rules). And what would be the complete term? Level of Aggression or Level of Aggressiveness, Aggressiveness Setting? That all springs to mind. And that just does not sound very cool in my ears. Or outright negative ("Level of Aggression!").

So all in all, I think we should work with paranoia. It's the best I can think of right now. And I thought about this a lot. But now let me hear what you think about it!

Please do not take too long. My first pull request is almost ready, so let's come to a resolution in the next few days.

Best regards,

Christian

--
Any technology that does not appear magical is insufficiently advanced.
-- Gregory Benford

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
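As an added illustration of the level mechanism the mail describes (rules enabled only from a given level upward, feeding an anomaly score with a blocking threshold), here is a small Python model; it is not code from the linked branch or from the CRS project, and the rule ids, patterns, scores, threshold and sample inputs are all constructed:

```python
# Added example (not from the CRS branch linked in the mail): a toy model of
# rules gated behind a paranoia level feeding an anomaly score. Rule ids,
# patterns, scores, the threshold and the sample inputs are all constructed.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int   # constructed id, not a CRS rule id
    level: int     # lowest paranoia level at which the rule is evaluated
    pattern: str   # deliberately coarser at higher levels
    score: int     # anomaly score the rule adds when it matches

# Level 1 rules look for clear attack strings; higher levels grow more
# distrustful of perfectly ordinary characters.
RULES = (
    Rule(900001, 1, r"(?i)\bunion\s+select\b", 5),
    Rule(900002, 1, r"(?i)<script\b", 5),
    Rule(900003, 2, r"(?i)\bselect\b", 3),
    Rule(900004, 3, r"['\"]", 3),
    Rule(900005, 4, r"[^\w\s]", 2),
)
ANOMALY_THRESHOLD = 5  # constructed inbound threshold

def evaluate(value, paranoia_level):
    """Sum the scores of all rules active at this level that match value."""
    score, matched = 0, []
    for rule in RULES:
        if rule.level > paranoia_level:
            continue  # gated behind a higher level: not evaluated at all
        if re.search(rule.pattern, value):
            score += rule.score
            matched.append(rule.rule_id)
    return score, matched

def is_blocked(value, paranoia_level, threshold=ANOMALY_THRESHOLD):
    """Blocking decision: the anomaly score reaches the threshold."""
    return evaluate(value, paranoia_level)[0] >= threshold

# Constructed benign inputs that a more distrustful rule set trips over.
BENIGN = ("O'Reilly", "hello world", "price: $5 (approx.)",
          "please don't select 'all'")

def false_positives(paranoia_level):
    """Count how many benign inputs get blocked at a given level."""
    return sum(is_blocked(v, paranoia_level) for v in BENIGN)
```

Running false_positives for levels 1 to 4 shows the trade-off the mail argues for: the clear attack string is blocked already at level 1, while benign inputs only start to be blocked as the level rises.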