Kenneth,

You misinterpreted the "delayed blocking". It meant "pass" and this would in effect work like a form of "delayed blocking".

On Wed, May 18, 2016 at 05:13:06PM +0800, T. Kenneth Lojo (IRRI) wrote:
> So inbound I set to 1000 then check the logs. What will I look at in the logs
> to warrant an adjustment?

It's the "ModSecurity. Warning" messages in the error.log. You need to read the various links submitted to you to understand how to tune these false positives.

Ahoj,

Christian

> Thank you for your patience guys.
>
> Kenneth
>
> On Wed, May 18, 2016 at 5:07 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>
> > Kenneth,
> >
> > On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > > "I suggest you run in blocking mode with anomaly scoring on and
> > > a high anomaly limit (-> 1K or more)."
> > >
> > > Do I change the inbound and outbound values to 1k+?
> >
> > The relevant one is inbound. It's very unusual to get outbound scores
> > higher than 10 or 20.
> >
> > For convenience, I usually configure the two in sync. Thus both to 1K to
> > start with. Then I tune, then I lower the limits. In multiple
> > iterations down to 10 or 5.
> >
> > > (deny to delayed blocking)
> > > 66 SecDefaultAction "phase:1,delayed blocking,log"
> > > 67 SecDefaultAction "phase:2,delayed blocking,log"
> >
> > What is delayed blocking? Looks like a misunderstanding.
> > I run with pass/pass and let the core rules do the blocking (in the
> > files mentioned by Noël).
> >
> > > and uncommented:
> > >
> > > 152 SecAction \
> > > ...
> >
> > That's the one.
> >
> > I think you have realised that there are multiple "schools" or
> > strategies to CRS deployments or tuning in the general sense.
> > Barry favors to start in detection mode, tune and then go to a
> > strict blocking mode. I am an advocate of starting in blocking mode
> > with anomaly scoring and a high anomaly limit, then work your way
> > down to a low limit. The final result will be almost the same.
> > As Barry tends to disable non-critical rules, you end up with blocking
> > on the critical ones. These are the ones which give you a score
> > of 5. I usually try and tune down to a limit of 5. So it's
> > really identical. It's just a different path to reach the same goal.
> > My key argument for my method is, that people never leave detection
> > mode because they fear the switch to blocking. If you start with
> > blocking (and a high limit), then every iteration lowering the limits
> > helps you to build up confidence in your system and there is no
> > final "switch from detection to blocking".
> > The example which contradicts my statement is Barry who actually
> > switches to blocking in the end. I think this is rare.
> >
> > Ahoj,
> >
> > Christian
> >
> > --
> > Happiness exists on earth, and it is won through prudent
> > exercise of reason, knowledge of the harmony of the universe, and
> > constant practice of generosity.
> > -- José Martí
>
> --
> *T. Kenneth S. Lojo*
> Specialist-Online Media Design
> IRRI <http://irri.org/>
> www.irri.org
>
> The International Rice Research Institute <http://irri.org> is a member of
> the CGIAR <http://www.cgiar.org/>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
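The tuning loop Christian describes (run with `pass`, a high inbound limit, read the "ModSecurity: Warning." lines, then lower the limit) can be driven from a small log summary. The script below is an added example, not code from the thread or from the CRS project: it assumes the ModSecurity 2.x Apache error.log line format and the CRS default severity-to-score mapping (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2); the log lines and rule ids in it are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample error.log lines in ModSecurity 2.x "Warning." style (not taken from the thread).
SAMPLE_LOG = """\
[Wed May 18 10:15:32 2016] [:error] [pid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "942100"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "req-1"]
[Wed May 18 10:15:32 2016] [:error] [pid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "941100"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "req-1"]
[Wed May 18 10:16:01 2016] [:error] [pid 1] [client 192.0.2.11] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "942100"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "req-2"]
[Wed May 18 10:17:44 2016] [:error] [pid 1] [client 192.0.2.12] ModSecurity: Warning. Pattern match "x" at REQUEST_HEADERS:User-Agent. [id "913110"] [msg "Scanner header"] [severity "WARNING"] [hostname "www.example.com"] [uri "/about"] [unique_id "req-3"]
[Wed May 18 10:18:00 2016] [:error] [pid 1] [client 192.0.2.13] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [uri "/search"] [unique_id "req-4"]
"""

# CRS default severity -> anomaly score mapping; CRITICAL is the "score of 5" mentioned in the thread.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
FIELD = re.compile(r'\[(id|msg|severity|uri|unique_id) "([^"]*)"\]')


def parse_warnings(text):
    """One dict per 'ModSecurity: Warning.' line. The blocking rule's own
    'Access denied' line is skipped so its score is not counted twice."""
    return [dict(FIELD.findall(line)) for line in text.splitlines()
            if "ModSecurity: Warning." in line]


def rule_hit_counts(events):
    """(rule id, uri) pairs ranked by how often they fire: the false-positive review list."""
    return Counter((e["id"], e["uri"]) for e in events)


def request_scores(events):
    """Sum each request's inbound anomaly score from the severity of the rules it triggered."""
    scores = defaultdict(int)
    for e in events:
        scores[e["unique_id"]] += SEVERITY_SCORE.get(e["severity"], 0)
    return dict(scores)


def would_block(events, limit):
    """Requests whose score reaches the limit (CRS blocks when score >= threshold)."""
    return sorted(uid for uid, s in request_scores(events).items() if s >= limit)


if __name__ == "__main__":
    ev = parse_warnings(SAMPLE_LOG)
    for (rid, uri), n in rule_hit_counts(ev).most_common():
        print(f"{n:4d}  rule {rid}  on {uri}")
    # Replaying the limit from 1000 down to 5 shows what each lowering step would start to block.
    for limit in (1000, 10, 5):
        print(f"limit {limit}: would block {would_block(ev, limit)}")
```

Running it against a real error.log (replace `SAMPLE_LOG` with the file contents) lists the rule/URI pairs to exclude or tune first, and shows which requests each lower limit would have blocked before you actually lower it.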