Avi,

On Tue, Mar 01, 2016 at 09:06:56PM +0200, Avi Fatal wrote:
> We have 200 websites / webapps for our clients.
> From WordPress to .NET apps, Java and more.
> 
> We want to provide a united waf solution for all of them.
>
> ...
>
> It's more of a conceptual question...
> How can I manage a solution for 200 webapps? Does it make sense?

Your problem is my day job.

It is a very hard problem and there is no easy solution.

The Core Rules are generic in nature. They try to achieve a high
level of security via a broad set of rules. But applications are
very diverse, developers are crazy and users are insane. This makes
for an explosive mixture which results in the amount of false
positives you have already witnessed.

You can not defend 200 websites on day 1. You need to go step by
step.

There is a Latin motto, which I do not know whether it is used among
English speakers: "Divide et Impera!" -> "Divide and Rule".

In your context, it means grouping your services and prioritizing them.
Personally, I would suggest giving every service a security target
and tagging it with the software running. Like:
Service 001: medium security, WordPress
Service 002: low security, WordPress
Service 003: high security, custom Java software
Service 004: high security, Joomla
...

Then I suggest you pick a group in the highest security class which
shares the same software. If you have several high security WordPress
installations, these are going to be your pilot services.

You need to work with a pilot to grow your knowledge. Then follow some
of the suggestions of Manuel. They are right on target. It all depends
on your setup and how you manage rules and the tuning. You need to
develop a ModSec rule and tuning setup that fits your environment
and work mode. There is no silver bullet and I still experiment with
this depending on my customer.

My personal approach is to always use anomaly scoring, start in
blocking mode with an anomaly limit >1000, and then tune your way
down to 20, 10, 5.
Running in logging mode will drown you in false positives and you will
never switch to blocking.
Running in blocking mode without anomaly scoring will have the false
positives kill your services (and possibly your job too).

It is only with an anomaly scoring blocking mode and a limit of 20
or lower that you will see an impact on the attackers. So this will
take time. A lot of time. It works via multiple iterations of tuning
sessions. Typically 5-10 iterations.

As Chaim pointed out, the new paranoia settings will allow you to start
with fewer false positives than with the 2.2.X series of the core rules.
In fact, if you start out now, I suggest starting with 3.0.0rc1 as this
saves the transition from 2.2.X to 3.0 next year. If you do start with
3.0.0rc1, I would be very interested to stay in contact as your
experience could be very valuable for the community.

Under the line: This is going to be very hard. And it will take a lot
of time. Not 24h a day, but it will keep a single person occupied
full working time for 1-2-3 years, I guess. It's still way cheaper than
commercial offerings (for 200 sites!) - outside of those commercial
offerings that do a bit of cleansing and fancy reports, but there is
no real blocking of attackers behind them.

Good luck!

Christian


-- 
People demand freedom of speech as a compensation for the freedom 
of thought which they seldom use.
-- Soren Kierkegaard

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
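The tuning loop Christian describes (block with a very high anomaly threshold, read the alerts, exclude the false positives, lower the threshold) needs a quick way to see which rule/URI pairs fire most and how many requests each candidate threshold would block. This is an added illustration, not code from the thread or from the CRS project; the log lines are constructed in the shortened ModSecurity 2.x alert format (`[id "..."] [msg "..."] [uri "..."]`) and the summary rule id 980130 is assumed from CRS 3.0.

```python
import re
from collections import Counter

# Constructed sample of ModSecurity alert lines, cut down to the bracketed
# fields this script reads. Two editors on /wp-admin/post.php trip SQLi/XSS
# rules (false positives), one client sends a numeric Host header, and one
# client hammers /login.php with several SQLi rules (a real attack).
SAMPLE_LOG = """\
[client 203.0.113.5] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
[client 203.0.113.5] ModSecurity: Warning. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0)"] [uri "/wp-admin/post.php"]
[client 203.0.113.7] ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
[client 203.0.113.7] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
[client 203.0.113.7] ModSecurity: Warning. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=5)"] [uri "/wp-admin/post.php"]
[client 198.51.100.9] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
[client 198.51.100.9] ModSecurity: Warning. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 3 - HTTP=3)"] [uri "/"]
[client 198.51.100.22] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/login.php"]
[client 198.51.100.22] ModSecurity: Warning. [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [uri "/login.php"]
[client 198.51.100.22] ModSecurity: Warning. [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [uri "/login.php"]
[client 198.51.100.22] ModSecurity: Warning. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=15,XSS=0)"] [uri "/login.php"]
"""

FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')
TOTAL = re.compile(r'Total Inbound Score: (\d+)')

def alerts(log):
    """One dict of bracketed fields per alert line (lines without [id] are skipped)."""
    return [f for f in (dict(FIELD.findall(l)) for l in log.splitlines()) if 'id' in f]

def rule_hits(log):
    """Alerts per (rule id, uri), excluding the per-request score summaries.
    The most frequent pairs on legitimate URIs are the first tuning candidates."""
    return Counter((a['id'], a.get('uri', '')) for a in alerts(log)
                   if not TOTAL.search(a.get('msg', '')))

def request_scores(log):
    """Per-request anomaly scores, read from the summary alert's message."""
    return [int(m.group(1)) for a in alerts(log)
            if (m := TOTAL.search(a.get('msg', '')))]

def blocked_at(scores, thresholds=(1000, 20, 10, 5)):
    """Requests each candidate threshold from the thread's ladder would block (score >= threshold)."""
    return {t: sum(s >= t for s in scores) for t in thresholds}

if __name__ == '__main__':
    for (rule_id, uri), n in rule_hits(SAMPLE_LOG).most_common(3):
        print(f'{n:4d}  rule {rule_id}  on {uri}')
    print('blocked requests per threshold:', blocked_at(request_scores(SAMPLE_LOG)))
```

At threshold 1000 nothing is blocked and the alert list is pure tuning input; dropping to 10 here would block the attacker but also one editor, which is exactly the point at which a per-URI rule exclusion for /wp-admin/post.php belongs before the threshold goes lower.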
