Kenneth,

On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
> "I suggest you run in blocking mode with anomaly scoring on and
> a high anomaly limit (-> 1K or more)."
>
> Do I change the inbound and outbound values to 1k+?

The relevant one is inbound. It's very unusual to get outbound scores higher than 10 or 20. For convenience, I usually configure the two in sync. Thus both to 1K to start with. Then I tune, then I lower the limits. In multiple iterations down to 10 or 5.

> (deny to delayed blocking)
> 66 SecDefaultAction "phase:1,delayed blocking,log"
> 67 SecDefaultAction "phase:2,delayed blocking,log"

What is delayed blocking? Looks like a misunderstanding. I run with pass/pass and let the core rules do the blocking (in the files mentioned by Noël).

> and uncommented:
>
> 152 SecAction \
> ...

That's the one.

I think you have realised that there are multiple "schools" or strategies to CRS deployments or tuning in the general sense. Barry favors starting in detection mode, tuning and then going to a strict blocking mode. I am an advocate of starting in blocking mode with anomaly scoring and a high anomaly limit, then working your way down to a low limit.

The final result will be almost the same. As Barry tends to disable non-critical rules, you end up with blocking on the critical ones. These are the ones which give you a score of 5. I usually try and tune down to a limit of 5. So it's really identical. It's just a different path to reach the same goal.

My key argument for my method is that people never leave detection mode because they fear the switch to blocking. If you start with blocking (and a high limit), then every iteration lowering the limits helps you to build up confidence in your system and there is no final "switch from detection to blocking". The example which contradicts my statement is Barry who actually switches to blocking in the end. I think this is rare.

Ahoj,

Christian

--
Happiness exists on earth, and it is won through prudent exercise of reason, knowledge of the harmony of the universe, and constant practice of generosity.
-- José Martí
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
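The iterative approach Christian describes (start blocking at a limit of 1K, tune, lower the limit in steps down to 10 or 5) needs one piece of feedback at each step: how many requests would the next, lower limit block? The script below is an added example, not code from the thread or from the CRS project. It tallies the per-request inbound anomaly scores that ModSecurity writes to the error log and reports, for a ladder of candidate limits, how many requests each would catch. It assumes the CRS 2.2.x summary message wording ("Total Inbound Score: N" or "Total Score: N") together with a `[unique_id "..."]` tag on each line; the log lines embedded in it are constructed for illustration and are not real traffic. CRS compares the score with `@ge`, so a request scoring exactly the limit is blocked.

```python
"""Tally inbound anomaly scores from ModSecurity error-log lines and show how
many requests each candidate inbound limit would block (added example)."""
import re
from collections import Counter

# Constructed sample lines (assumption about the CRS 2.2.x summary format; not
# real traffic). One line per request carries the "Total Inbound Score"; the
# extra line for r3 is an individual rule alert and carries no total.
SAMPLE_LOG = """\
[Wed May 18 10:00:01 2016] [error] [client 192.0.2.10] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=5, XSS=0): SQL Injection Attack"] [uri "/login"] [unique_id "r1"]
[Wed May 18 10:00:02 2016] [error] [client 192.0.2.11] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Request Missing an Accept Header"] [uri "/api/v1/items"] [unique_id "r2"]
[Wed May 18 10:00:03 2016] [error] [client 198.51.100.7] ModSecurity: Warning. [msg "SQL Injection Attack: Common Injection Testing Detected"] [uri "/search"] [unique_id "r3"]
[Wed May 18 10:00:03 2016] [error] [client 198.51.100.7] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 25, SQLi=25, XSS=0): SQL Injection Attack"] [uri "/search"] [unique_id "r3"]
[Wed May 18 10:00:04 2016] [error] [client 192.0.2.12] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Request Missing an Accept Header"] [uri "/api/v1/items"] [unique_id "r4"]
[Wed May 18 10:00:05 2016] [error] [client 192.0.2.13] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 8, SQLi=0, XSS=0): Invalid character in request"] [uri "/upload"] [unique_id "r5"]
[Wed May 18 10:00:06 2016] [error] [client 192.0.2.14] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=0, XSS=5): XSS Attack Detected"] [uri "/comment"] [unique_id "r6"]
[Wed May 18 10:00:07 2016] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [msg "Inbound Anomaly Score Exceeded (Total Score: 45, SQLi=30, XSS=15): Last Matched Message: XSS Attack Detected"] [uri "/search"] [unique_id "r7"]
[Wed May 18 10:00:08 2016] [error] [client 192.0.2.15] ModSecurity: Warning. [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Request Missing an Accept Header"] [uri "/api/v1/items"] [unique_id "r8"]
"""

# Matches both the detection-mode summary ("Total Inbound Score: N") and the
# blocking message ("Total Score: N"). Assumption: CRS 2.2.x wording.
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
ID_RE = re.compile(r'\[unique_id "([^"]+)"\]')


def parse_scores(log_text):
    """Return {unique_id: highest inbound anomaly score reported for that request}."""
    scores = {}
    for line in log_text.splitlines():
        m = SCORE_RE.search(line)
        if not m:
            continue  # per-rule alerts carry no total; only summary lines count
        rid_match = ID_RE.search(line)
        rid = rid_match.group(1) if rid_match else line  # fall back to the raw line
        scores[rid] = max(scores.get(rid, 0), int(m.group(1)))
    return scores


def blocked_at(scores, threshold):
    """Request ids CRS would block at this inbound limit (CRS compares with @ge)."""
    return sorted(rid for rid, score in scores.items() if score >= threshold)


def threshold_ladder(scores, ladder=(1000, 100, 50, 20, 10, 5)):
    """For each candidate limit on the way down, the number of requests it blocks.

    A big jump between two rungs means that step needs tuning work before the
    limit is lowered; a flat stretch can be walked down in one go."""
    return [(t, len(blocked_at(scores, t))) for t in ladder]


def histogram(scores):
    """How many requests landed on each score value."""
    return Counter(scores.values())


if __name__ == "__main__":
    scores = parse_scores(SAMPLE_LOG)
    print("score histogram:", dict(sorted(histogram(scores).items())))
    for limit, count in threshold_ladder(scores):
        print(f"inbound limit {limit:>5}: would block {count} request(s): "
              f"{blocked_at(scores, limit)}")
```

On a real box, feed it the error log (`python3 tally.py < /var/log/apache2/error.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) after each tuning round: the requests listed at the next rung are exactly the ones to inspect for false positives before lowering the limit. Scores of 3 in the sample come from notice-level rules and never reach a limit of 5, which is why the walk from 1K to 5 converges on the critical (score 5) rules Christian mentions.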