Franziska,

Thanks for chiming in.

On Tue, Mar 08, 2016 at 08:50:43AM +0100, Franziska Buehler wrote:
> I don’t like the fact, that with a higher paranoia level you get a
> higher score, caused by these stricter siblings. You also don’t. That
> is what you described with: “So cumulation has an unbalancing effect.“
> That could mislead to raise the anomaly threshold at a higher paranoia
> level. That’s dangerous.

That is a troubling thought, I admit.

A few weeks back, I wrote down a setting quadrant for anomaly limits
and paranoia level. It went like this:

high anomaly limit / low paranoia: | high anomaly limit / high paranoia
  -> untuned system                |   -> you are nuts
-----------------------------------|-----------------------------------
low anomaly limit / low paranoia:  | low anomaly limit / high paranoia
  -> tuned system with standard    |   -> tuned system with high security
     security standard             |      standard

Something like this has to go into the documentation.

> And your approach to choose a low paranoia level, then tune and choose
> a higher level also makes sense.

Yes, I think so. Glad you agree.

> That should simplify the log’s readability and if someone is familiar
> with these stricter siblings he immediately understands the system and
> identifies why a request was blocked.

Exactly. That's what makes your proposal a good one.

> At the end I agree with both of you. Let’s keep it simple and avoid
> unnecessary complexity!

Thanks.

Ahoj,

Christian

--
Learn this lesson, that to be self-contented is to be vile and ignorant,
and that to aspire is better than to be blindly and impotently happy.
-- Edwin Abbott Abbott
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set