Got it.

On Wed, May 18, 2016 at 5:19 PM, Christian Folini <christian.fol...@netnea.com> wrote:

> Kenneth,
>
> You misinterpreted the "delayed blocking". It meant "pass" and this
> would in effect work like a form of "delayed blocking".
>
> On Wed, May 18, 2016 at 05:13:06PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > So inbound I set to 1000 then check the logs. What will I look at in the
> > logs to warrant an adjustment?
>
> It's the "ModSecurity: Warning" messages in the error.log. You need to
> read the various links submitted to you to understand how to tune these
> false positives.
>
> Ahoj,
>
> Christian
>
> > Thank you for your patience guys.
> >
> > Kenneth
> >
> > On Wed, May 18, 2016 at 5:07 PM, Christian Folini <christian.fol...@netnea.com> wrote:
> >
> > > Kenneth,
> > >
> > > On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > > > "I suggest you run in blocking mode with anomaly scoring on and
> > > > a high anomaly limit (-> 1K or more)."
> > > >
> > > > Do I change the inbound and outbound values to 1k+?
> > >
> > > The relevant one is inbound. It's very unusual to get outbound scores
> > > higher than 10 or 20.
> > >
> > > For convenience, I usually configure the two in sync. Thus both to 1K to
> > > start with. Then I tune, then I lower the limits. In multiple
> > > iterations down to 10 or 5.
> > >
> > > > (deny to delayed blocking)
> > > > 66 SecDefaultAction "phase:1,delayed blocking,log"
> > > > 67 SecDefaultAction "phase:2,delayed blocking,log"
> > >
> > > What is delayed blocking? Looks like a misunderstanding.
> > > I run with pass/pass and let the core rules do the blocking (in the
> > > files mentioned by Noël).
> > >
> > > > and uncommented:
> > > >
> > > > 152 SecAction \
> > > > ...
> > >
> > > That's the one.
> > >
> > > I think you have realised that there are multiple "schools" or
> > > strategies to CRS deployments or tuning in the general sense.
> > > Barry favors starting in detection mode, tuning and then going to a
> > > strict blocking mode. I am an advocate of starting in blocking mode
> > > with anomaly scoring and a high anomaly limit, then working your way
> > > down to a low limit. The final result will be almost the same.
> > > As Barry tends to disable non-critical rules, you end up with blocking
> > > on the critical ones. These are the ones which give you a score
> > > of 5. I usually try and tune down to a limit of 5. So it's
> > > really identical. It's just a different path to reach the same goal.
> > > My key argument for my method is that people never leave detection
> > > mode because they fear the switch to blocking. If you start with
> > > blocking (and a high limit), then every iteration lowering the limits
> > > helps you to build up confidence in your system and there is no
> > > final "switch from detection to blocking".
> > > The example which contradicts my statement is Barry, who actually
> > > switches to blocking in the end. I think this is rare.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > > --
> > > Happiness exists on earth, and it is won through prudent
> > > exercise of reason, knowledge of the harmony of the universe, and
> > > constant practice of generosity.
> > > -- José Martí
> >
> > --
> > *T. Kenneth S. Lojo*
> > Specialist-Online Media Design
> > IRRI <http://irri.org/>
> > +63 2 580 5600 ext. 2703/2744
> > +63 928 209 1191 (mobile)
> > t.l...@irri.org
> > www.irri.org
> >
> > The International Rice Research Institute <http://irri.org> is a member of
> > the CGIAR <http://www.cgiar.org/>
> >
> > --
> > The International Rice Research Institute <http://irri.org> is a member of
> > the CGIAR <http://cgiar.org> consortium
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
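The tuning loop Christian describes (blocking mode with `SecDefaultAction "phase:2,pass,log"`, inbound anomaly limit set to 1000, read the `ModSecurity: Warning` lines in error.log, exclude the false positives, lower the limit, repeat) as a small script. This is an added example, not code from the thread or from the CRS project. It assumes Apache 2.4 / ModSecurity 2.x error.log layout and the default CRS severity-to-score mapping (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2); the eight log lines, the URIs, client addresses and `unique_id` values are constructed, and the rule ids and messages only mimic CRS 2.2.x. The script sums the per-request score itself because, with the limit at 1000, the CRS blocking rule never fires and therefore never logs a total.

```python
"""Summarise CRS rule hits in an Apache error.log to drive the
blocking-mode / high-limit tuning loop.

Added example, not from the mailing-list thread or the CRS project. The
log format and rule metadata are assumed to be CRS 2.x style."""
import re
from collections import Counter, defaultdict

# Default CRS severity -> anomaly score mapping (tx.critical_anomaly_score=5
# and friends in the CRS setup file; the thread notes critical rules score 5).
SEVERITY_SCORE = {'CRITICAL': 5, 'ERROR': 4, 'WARNING': 3, 'NOTICE': 2}

# Constructed sample log: four requests (unique_id REQ-A .. REQ-D) plus one
# unrelated Apache error line. Rule ids and messages mimic CRS 2.2.x, but the
# matches, URIs, client addresses and unique_ids are invented for illustration.
SAMPLE_ERROR_LOG = r"""
[Wed May 18 17:19:01.000001 2016] [:error] [pid 4242] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:order\s+by)" at ARGS:comment. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wiki/edit.php"] [unique_id "REQ-A"]
[Wed May 18 17:19:01.000002 2016] [:error] [pid 4242] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:\bselect\b.{1,100}\bfrom\b)" at ARGS:comment. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "124"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wiki/edit.php"] [unique_id "REQ-A"]
[Wed May 18 17:20:07.000001 2016] [:error] [pid 4243] [client 192.0.2.11] ModSecurity: Warning. Pattern match "(?i:order\s+by)" at ARGS:comment. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wiki/edit.php"] [unique_id "REQ-B"]
[Wed May 18 17:21:30.000001 2016] [:error] [pid 4244] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:q. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973335"] [msg "IE XSS Filters - Attack Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "REQ-C"]
[Wed May 18 17:22:45.000001 2016] [:error] [pid 4245] [client 203.0.113.9] ModSecurity: Warning. Pattern match "(?i:'\s*or\s+'?\d)" at ARGS:id. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "52"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/product.php"] [unique_id "REQ-D"]
[Wed May 18 17:22:45.000002 2016] [:error] [pid 4245] [client 203.0.113.9] ModSecurity: Warning. Pattern match "(?i:--|#)" at ARGS:id. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "140"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/product.php"] [unique_id "REQ-D"]
[Wed May 18 17:22:45.000003 2016] [:error] [pid 4245] [client 203.0.113.9] ModSecurity: Warning. Pattern match "([~!@#$%^&*()\-+={}|:;'<>].*?){4,}" at ARGS:id. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "20"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"] [hostname "www.example.com"] [uri "/product.php"] [unique_id "REQ-D"]
[Wed May 18 17:23:00.000001 2016] [core:error] [pid 4246] [client 192.0.2.12] AH00128: File does not exist: /var/www/html/favicon.ico
"""

# [key "value"] pairs as ModSecurity writes them (file, line, id, msg, uri ...).
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the rule matched: '... at ARGS:comment. [file ...'.
TARGET_RE = re.compile(r' at (\S+?)\. \[file ')


def parse_line(line):
    """Return a dict of fields for a ModSecurity line, None for anything else."""
    if 'ModSecurity: ' not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    m = TARGET_RE.search(line)
    rec['target'] = m.group(1) if m else ''
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def rule_hits(records):
    """Detection rules only: CRS's own scoring/blocking rules (981176 and
    friends) operate on TX: variables and would double count the score."""
    return [r for r in records if 'id' in r and not r['target'].startswith('TX:')]


def false_positive_candidates(records):
    """Hits per (rule id, URI, matched variable). The same rule firing again
    and again on the same parameter of the same URI is the classic
    false-positive signature; read the [data ...] field before excluding."""
    return Counter((r['id'], r.get('uri', ''), r['target']) for r in rule_hits(records))


def per_request_scores(records):
    """unique_id -> inbound anomaly score, summed from the rule severities."""
    scores = defaultdict(int)
    for r in rule_hits(records):
        scores[r.get('unique_id', '?')] += SEVERITY_SCORE.get(r.get('severity', ''), 0)
    return dict(scores)


def requests_blocked_at(scores, limit):
    """Requests the CRS inbound blocking rule (@ge limit) would deny."""
    return sum(1 for s in scores.values() if s >= limit)


def exclusion_directive(rule_id, target):
    """ModSecurity 2.7+ directive dropping one variable from one rule's
    targets. Global to the rule, so only use it once the hits are confirmed
    benign on every URI where the parameter appears."""
    return f'SecRuleUpdateTargetById {rule_id} !{target}'


def exclusion_candidates(candidates, min_hits):
    """Heuristic: propose an exclusion for every combination seen min_hits+ times."""
    return [exclusion_directive(rid, target)
            for (rid, _uri, target), n in candidates.most_common() if n >= min_hits]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_ERROR_LOG)
    cands = false_positive_candidates(recs)
    for (rid, uri, target), n in cands.most_common():
        print(f'{n:3d}  id {rid}  {uri}  {target}')
    scores = per_request_scores(recs)
    for limit in (1000, 100, 20, 10, 5):
        print(f'limit {limit:5d}: {requests_blocked_at(scores, limit)} of {len(scores)} requests would be blocked')
    for directive in exclusion_candidates(cands, 2):
        print(directive)
```

Run it on a real log by replacing `SAMPLE_ERROR_LOG` with the contents of `error.log`. The report is the two views Christian's loop needs: which (rule, URI, parameter) combinations keep firing on legitimate traffic, and how many of the logged requests the next lower limit would actually deny. In the sample, lowering the inbound limit from 1000 to 10 would block the wiki edit with two SQLi hits on `ARGS:comment` (score 10) together with the genuine probe on `/product.php` (score 13), so the `ARGS:comment` hits are the ones to inspect and, if benign, exclude before lowering further. `SecRuleUpdateTargetById` applies to every request; to scope an exclusion to one URI, use a `SecRule REQUEST_URI` with `ctl:ruleRemoveTargetById` instead.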