Hi, I think a term like "paranoia level" would fit its purpose. The arguments brought in from Christian are well put together and in my opinion we all got used to this name already a bit...

The only thing to keep an eye on is to clean up all the traces of the old paranoid mode!

Cheers,
Lukas

> -----Original Message-----
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On
> Behalf Of Leos Rivas Manuel
> Sent: Saturday, 20 February 2016 10:37
> To: Christian Folini <christian.fol...@netnea.com>; owasp-modsecurity-core-rule-...@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] The paranoia mode naming question
>
> I like paranoia, who's not these days? Or do you trust developer's secure
> coding style???
>
> -----Original Message-----
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On
> Behalf Of Christian Folini
> Sent: Saturday, 20 February 2016 06:46
> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] The paranoia mode naming question
>
> Hello Walter,
>
> Thank you for your heads up. You are probably right about the length of the
> message. I wanted to put as many arguments on the table as possible. But
> now I fear I have silenced the opposition.
>
> Hopefully, Manuel and Chaim find time for a message sooner or later.
>
> Ahoj,
>
> Christian
>
> On Fri, Feb 19, 2016 at 08:30:27PM +0100, Walter Hop wrote:
> > Hi Christian,
> >
> > You make some very good points! Meanwhile there seems to be a
> > correlation between the length of a mailinglist post and the number of
> > replies ;) I’m not too bothered with the name, I originally offered “strict”
> > but I can live perfectly with paranoia!
> >
> > Cheers,
> > WH
> >
> > > On 18 Feb 2016, at 13:13, Christian Folini <christian.fol...@netnea.com> wrote:
> > >
> > > Hello,
> > >
> > > We have finished the list of rule candidates for our little pet
> > > project. I have a working implementation under
> > > https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
> > > and I think it is time to sort out the naming question before
> > > submitting the first pull request with the basic mechanics.
> > > (-> see
> > > https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode
> > > for an explanation of the 4 pull requests planned)
> > >
> > > I started out this project with the idea of an "on/off" setting.
> > > Hence the idea of "mode". However, it became clear we are going to
> > > work with a "level" ranging from 0-4 instead. So the idea of "mode"
> > > no longer really applies. We need to find something better.
> > >
> > > But of course, the core question is, if this should be called
> > > paranoia, paranoid, strict or aggressive or something else.
> > >
> > > I opted for paranoia from the start and I still think it is the
> > > right term. However, there has been opposition and we need to find a
> > > solution everybody can agree with. I also think this is an important
> > > discussion, as it is a non-technical discussion. So everybody can
> > > chime in without being an expert and without running lengthy tests
> > > in his lab.
> > >
> > > Let me open the discussion with my reasoning why "paranoia" is the
> > > right term. I will then continue to discuss the other options and
> > > then you can respond and tell me why I am wrong and why the other
> > > options are much better suited....
> > >
> > > "Paranoia" is the new normal. The more the attacks evolve and the
> > > more servers we configure, the more we realise there is no real
> > > security without being paranoid. So while paranoia used to be a
> > > negative term, it is getting a more and more positive connotation;
> > > especially in IT security.
> > > Google the terms
> > > paranoid information security
> > > and you will get 2M hits. One of the top ones is
> > > http://www.darkreading.com/operations/the-perfect-infosec-mindset-paranoia-+-skepticism/a/d-id/1297596
> > > where the author says paranoia is the standard mindset now (hence
> > > paranoia mode) and that you need to pair this with skepticism (in
> > > other words: the tuning of your ruleset).
> > >
> > > Other hits include the following titles:
> > > 13 Security and Privacy Tips for the Truly Paranoid
> > > Security for the Paranoid - SecurityFocus
> > > I became paranoid with computer security issues, I always ...
> > > The paranoid CISO | CSO Online
> > > Computer-Security Paranoia
> > > openssl - How paranoid should the average user be about ...
> > >
> > > Looking through some of these hits, I get the feeling that those who
> > > really care about security acknowledge that they are paranoid and
> > > that they think that is the right attitude.
> > >
> > > I also remember reading about paranoid security settings 10-20 years
> > > ago and I would skip them immediately. Now, when looking at a new
> > > software or product, the term paranoia immediately catches my eye
> > > and I read about the most paranoid options first and then decide if
> > > the product is any good. Without paranoia options, I think it must
> > > be a happy sunshine hippy thing.
> > >
> > > Additionally, the term "PARANOID_MODE" is already there, even if it
> > > has not been in wide use in the 2.2.X series of rules:
> > >
> > > 2.2.X> grep -r -i paranoi | wc -l
> > > 9
> > >
> > > The Merriam-Webster dictionary has multiple definitions for paranoia.
> > > One of them is:
> > > "a tendency on the part of an individual or group toward excessive
> > > or irrational suspiciousness and distrustfulness of others"
> > >
> > > I think the adjectives "excessive", "irrational", "distrustful"
> > > characterise our new functionality very well: When raising the
> > > level, you are enabling additional rules, which will cause an
> > > excessive number of false positives due to a general distrustful
> > > attitude towards user submitted input.
> > >
> > > Ideally, two years down the line, ModSecurity (Core Rules)
> > > discussion will run like this:
> > > "Man, I should install ModSecurity and the Core Rules on my server,
> > > but I heard false positives are going to kill me."
> > > "No worries, as long as you keep the paranoia setting low, false
> > > positives are minimal."
> > >
> > > Two weeks ago, The Register ran a story about Rob Joyce, head of
> > > NSA's Tailored Access Operations:
> > > http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/
> > > The article closed with The Register quoting Joyce:
> > > "At the end of the day it all boils down to knowing your network, he
> > > said, and it’s vital that IT administrators pick up their game and
> > > get paranoid about attacks."
> > >
> > > Well said. And the core rules paranoia feature is going to help with
> > > this in a controlled way without killing you with false positives on
> > > the first day of the installation.
> > >
> > > But let's look at the alternatives: "Strict" has been named as a
> > > better term. I do not like strict. It implies that the standard
> > > installation is not strict. Or that the default rules were not
> > > strict. In fact they are very strict. Every single one of them.
> > > It's just that they are more focused on less delicate aspects of the
> > > requests.
> > >
> > > So I think the term does not work as it misleads the user into
> > > making the wrong assumptions. You could say that running the CRS in
> > > anomaly scoring mode and setting a threshold of >5 is un-strict. But
> > > the individual rules are all strict from my point of view.
> > >
> > > This is even more true, as we have Ryan Barnett's proposal to use
> > > "aggressive". I think aggressive trumps strict as it sounds more
> > > like a gradual setting in my ears (both terms exist in German as
> > > well, so maybe these are false friends for me and their meaning is a
> > > wee bit different in English).
> > >
> > > So the new featureset would allow us to adjust how aggressive
> > > the core rule set is. That does not sound too bad. It reminds me of
> > > a "teeth metaphor" I use at times. A strong ruleset has strong
> > > teeth. By tuning false positives, you pull a few of the teeth while
> > > keeping most of them in place. The level of aggression adjusting
> > > with this new setting would thus add more teeth and the ruleset
> > > would thus become more aggressive. I guess it's not overly wrong to
> > > think of piranhas in a pond.
> > >
> > > The root of the term comes with the idea of active defense.
> > > It lets me think of a strike back. Look up the term aggressive in
> > > the Merriam-Webster dictionary. All the definitions point in that
> > > direction:
> > > http://www.merriam-webster.com/dictionary/aggressive
> > > Aggressive always means that you not only defend, but you attack as
> > > well.
> > >
> > > (paranoia is entirely different in this regard. It does not imply
> > > any counter strike)
> > >
> > > So I think aggressive does not entirely meet the character of the
> > > new functionality, which is in line with the rest of the core rule
> > > set in being entirely defensive. It just blocks attacks. It
> > > absolutely does not attempt to shut down the client, inject malware
> > > into the response or launch a DoS attack against the source IP
> > > address (which would all be possible with the right set of rules).
> > >
> > > And what would be the complete term? Level of Aggression or Level of
> > > Aggressiveness, Aggressiveness Setting? That all springs to mind.
> > > And that just does not sound very cool in my ears.
> > > Or outright negative ("Level of Aggression!").
> > >
> > > So all in all, I think we should work with paranoia. It's the best I
> > > can think of right now. And I thought about this a lot.
> > >
> > > But now let me hear what you think about it!
> > >
> > > Please do not take too long. My first pull request is almost ready,
> > > so let's come to a resolution in the next few days.
> > >
> > > Best regards,
> > >
> > > Christian
> > >
> > >
> > > --
> > > Any technology that does not appear magical is insufficiently
> > > advanced.
> > > -- Gregory Benford
> > > _______________________________________________
> > > Owasp-modsecurity-core-rule-set mailing list
> > > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> > --
> > Walter Hop | PGP key: https://lifeforms.nl/pgp
> >
>
> --
> mailto:christian.fol...@netnea.com
> http://www.christian-folini.ch
> twitter: @ChrFolini