Got it.

On Wed, May 18, 2016 at 5:19 PM, Christian Folini <
christian.fol...@netnea.com> wrote:

> Kenneth,
>
> You misinterpreted the "delayed blocking". It meant "pass" and this
> would in effect work like a form of "delayed blocking".
>
> On Wed, May 18, 2016 at 05:13:06PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > So inbound I set to 1000 then check the logs. What will I look at in the
> > logs to warrant an adjustment?
>
> It's the "ModSecurity. Warning" messages in the error.log. You need to
> read the various links submitted to you to understand how to tune these
> false positives.
>
> Ahoj,
>
> Christian
>
> >
> > Thank you for your patience guys.
> >
> > Kenneth
> >
> > On Wed, May 18, 2016 at 5:07 PM, Christian Folini <
> > christian.fol...@netnea.com> wrote:
> >
> > > Kenneth,
> > >
> > > On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > > > "I suggest you run in blocking mode with anomaly scoring on and
> > > > a high anomaly limit (-> 1K or more)."
> > > >
> > > > Do I change the inbound and outbound values to 1k+?
> > >
> > > The relevant one is inbound. It's very unusual to get outbound scores
> > > higher than 10 or 20.
> > >
> > > For convenience, I usually configure the two in sync. Thus both to 1K to
> > > start with. Then I tune, then I lower the limits. In multiple
> > > iterations down to 10 or 5.
> > >
> > > > (deny to delayed blocking)
> > > > 66 SecDefaultAction "phase:1,delayed blocking,log"
> > > > 67 SecDefaultAction "phase:2,delayed blocking,log"
> > >
> > > What is delayed blocking? Looks like a misunderstanding.
> > > I run with pass/pass and let the core rules do the blocking (in the
> > > files mentioned by Noël).
> > >
> > > > and uncommented:
> > > >
> > > > 152 SecAction \
> > > > ...
> > >
> > > That's the one.
> > >
> > >
> > > I think you have realised that there are multiple "schools" or
> > > strategies to CRS deployments or tuning in the general sense.
> > > Barry favors starting in detection mode, tuning and then going to a
> > > strict blocking mode. I am an advocate of starting in blocking mode
> > > with anomaly scoring and a high anomaly limit, then work your way
> > > down to a low limit. The final result will be almost the same.
> > > As Barry tends to disable non-critical rules, you end up with blocking
> > > on the critical ones. These are the ones which give you a score
> > > of 5. I usually try and tune down to a limit of 5. So it's
> > > really identical. It's just a different path to reach the same goal.
> > > My key argument for my method is that people never leave detection
> > > mode because they fear the switch to blocking. If you start with
> > > blocking (and a high limit), then every iteration lowering the limits
> > > helps you to build up confidence in your system and there is no
> > > final "switch from detection to blocking".
> > > The example which contradicts my statement is Barry who actually
> > > switches to blocking in the end. I think this is rare.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > > --
> > > Happiness exists on earth, and it is won through prudent
> > > exercise of reason, knowledge of the harmony of the universe, and
> > > constant practice of generosity.
> > > -- José Martí
> > >
> >
> >
> >
> > --
> > *T. Kenneth S. Lojo*
> > Specialist-Online Media Design
> > [image: IRRI] <http://irri.org/> +63 2 580 5600 ext. 2703/2744
> > +63 928 209 1191 (mobile)
> > t.l...@irri.org <g.lav...@irri.org>
> > www.irri.org
> >
> > The International Rice Research Institute <http://irri.org> is a member of
> > the CGIAR <http://www.cgiar.org/>
> >
>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
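As an added illustration of the tuning loop Christian describes (not code from this thread or from the CRS project): this Python script tallies the "ModSecurity: Warning" lines that a pass/pass setup writes to the Apache error.log, per rule id (the false-positive candidates) and per request, and shows which requests would have been denied had the inbound anomaly limit already been lowered to a given value. The log lines, unique_ids and client address are constructed; the severity-to-score mapping is the CRS convention (critical rules score 5).

```python
import re
from collections import Counter, defaultdict

# CRS convention: a rule's severity maps to the anomaly score it contributes.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
FIELD = re.compile(r'\[(id|msg|severity|uri|unique_id) "([^"]*)"\]')

# Constructed sample lines in ModSecurity 2.x / Apache error.log style; with
# SecDefaultAction "pass" each rule hit is logged as "ModSecurity: Warning."
_P = '[Wed May 18 17:20:01 2016] [:error] [pid 4242] [client 203.0.113.5] ModSecurity: Warning. '
SAMPLE_LOG = [
    _P + 'Matched Data found within ARGS:q. [id "942100"] [msg "SQL Injection Attack '
         'Detected via libinjection"] [severity "CRITICAL"] [uri "/search"] [unique_id "req-A"]',
    _P + 'Matched Data found within ARGS:user. [id "941100"] [msg "XSS Attack Detected '
         'via libinjection"] [severity "CRITICAL"] [uri "/login"] [unique_id "req-B"]',
    _P + 'Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a '
         'numeric IP address"] [severity "WARNING"] [uri "/login"] [unique_id "req-B"]',
    _P + 'Operator EQ matched 0 at REQUEST_HEADERS. [id "920300"] [msg "Request Missing '
         'an Accept Header"] [severity "NOTICE"] [uri "/"] [unique_id "req-C"]',
    _P + 'Matched Data found within ARGS:q. [id "942100"] [msg "SQL Injection Attack '
         'Detected via libinjection"] [severity "CRITICAL"] [uri "/search"] [unique_id "req-D"]',
]

def parse_warnings(lines):
    """Yield the bracketed fields of every ModSecurity warning line; skip other errors."""
    for line in lines:
        if "ModSecurity: Warning" in line:
            fields = dict(FIELD.findall(line))
            if "id" in fields:
                yield fields

def rule_hits(lines):
    """(rule id, hit count, msg) by descending count: the false-positive candidates."""
    hits, msgs = Counter(), {}
    for w in parse_warnings(lines):
        hits[w["id"]] += 1
        msgs.setdefault(w["id"], w.get("msg", ""))
    return [(rid, n, msgs[rid]) for rid, n in hits.most_common()]

def request_scores(lines):
    """Inbound anomaly score per request: sum of severity scores keyed by unique_id."""
    scores = defaultdict(int)
    for w in parse_warnings(lines):
        scores[w["unique_id"]] += SEVERITY_SCORE.get(w.get("severity"), 0)
    return dict(scores)

def blocked_at(lines, limit):
    """Requests that would be denied if the inbound anomaly limit were lowered to `limit`."""
    return sorted(uid for uid, s in request_scores(lines).items() if s >= limit)
```

Running `blocked_at` with the current limit (1000) and the next candidate limit side by side shows exactly which traffic an iteration would start to block, so each step down can be checked against the error.log before it is applied.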