Hi Christian,

Some very good points!

I agree with your assessment about the rule complexities. I agree that keeping rules simple is extremely important, especially given our low resources.

> But of course, a real attack will trigger 3 times. And I
> do not mind that. If there is a real attack then I am
> very open for anomaly score to grow at great velocity. And
> in fact that is the behaviour of the 2.2.X core rules:

This is true, too. This unbalanced distribution of anomaly scores between parts of the CRS has already been there since CRS v2. And it's not that big of a problem. If you are paranoid, you should probably use 5 as your blocking threshold anyway. In that case, a higher anomaly score makes no difference to a blocking decision.

In a way, it might even be useful to an admin to get the multiple rules logged if they run at a high paranoia level. They can instantly see all the relevant rule IDs, there is no magic, and people can simply apply their whitelistings so that they also cover the lower rules.

> When I read Franziska's message, I was ready to agree. But
> then I thought about it and I came to the conclusion, that
> alert cumulation is not ideal, but everything else is even
> worse.
>
> Let's keep it simple even if it brings a few more alerts.

Good characterization. Let's keep it simple; the drawbacks of multiple alerts are likely not worth the added burden of reducing them.

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
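The thread argues about what happens when one attack pattern is caught by overlapping rules at several paranoia levels: the anomaly score climbs faster, but with a blocking threshold of 5 the decision is the same, and the admin sees every matching rule ID and can exclude them together. The following is an added illustration of that scoring model, not code from the mailing list or from the CRS project. It uses the CRS severity scores (critical 5, error 4, warning 3, notice 2); the rule IDs, paranoia levels and the request they match are constructed for the example.

```python
"""Illustrative model of CRS anomaly scoring (added example, not CRS code).

Each rule that matches a request adds its severity score to a running
inbound anomaly score; the request is blocked once that score reaches the
configured threshold. Rules are only active up to the configured paranoia
level, and an admin can exclude rule IDs that are known false positives.
"""
from dataclasses import dataclass

# Severity-to-score mapping as used by the CRS anomaly scoring mode.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass(frozen=True)
class RuleHit:
    rule_id: str         # constructed identifier, not a real CRS rule ID
    paranoia_level: int  # paranoia level at which the rule becomes active
    severity: str        # one of the SEVERITY_SCORE keys


def active_hits(hits, paranoia_level, exclusions=frozenset()):
    """Rules fire only at or below the configured paranoia level, and
    excluded rule IDs (the admin's whitelist) are dropped entirely."""
    return [h for h in hits
            if h.paranoia_level <= paranoia_level and h.rule_id not in exclusions]


def anomaly_score(hits, paranoia_level, exclusions=frozenset()):
    """Cumulative inbound anomaly score for one request."""
    return sum(SEVERITY_SCORE[h.severity]
               for h in active_hits(hits, paranoia_level, exclusions))


def blocking_decision(hits, paranoia_level, threshold, exclusions=frozenset()):
    """Return the score, the block verdict and the rule IDs that contributed,
    which is what the admin would see in the audit log."""
    fired = active_hits(hits, paranoia_level, exclusions)
    score = sum(SEVERITY_SCORE[h.severity] for h in fired)
    return {"score": score,
            "blocked": score >= threshold,
            "rule_ids": [h.rule_id for h in fired]}


# Constructed scenario: the same payload is matched by a base rule at PL1
# and by two overlapping, stricter variants at PL2 and PL3.
SAMPLE_HITS = [
    RuleHit("EXAMPLE-BASE-PL1", 1, "CRITICAL"),
    RuleHit("EXAMPLE-STRICT-PL2", 2, "CRITICAL"),
    RuleHit("EXAMPLE-STRICT-PL3", 3, "CRITICAL"),
]

if __name__ == "__main__":
    # At PL1 the score is 5, at PL3 it is 15; with threshold 5 both block,
    # so the "inflated" score does not change the verdict.
    for pl in (1, 2, 3):
        print(f"PL{pl}:", blocking_decision(SAMPLE_HITS, pl, threshold=5))
    # A whitelisting that only names the PL1 rule still leaves the PL2/PL3
    # variants firing, which is why exclusions must cover all of them.
    print("partial exclusion:",
          blocking_decision(SAMPLE_HITS, 3, 5, exclusions={"EXAMPLE-BASE-PL1"}))
    print("full exclusion:",
          blocking_decision(SAMPLE_HITS, 3, 5,
                            exclusions={h.rule_id for h in SAMPLE_HITS}))
```

Running it shows the point made in the thread: at paranoia level 3 the score triples, but the blocking verdict at threshold 5 is identical to the one at paranoia level 1, and a rule exclusion that only covers the base rule leaves the request blocked by the stricter variants until they are excluded as well.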
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set