Hi Christian, It worked. I changed the value of 900003 back to the default as when the error was triggered it only gave a value of 3 and nothing higher than that. Everything is ok now. Will continue to monitor. I hope I did right. I also have IT buy the book: ModSecurity Handbook by Ivan Ristić
On Wed, May 18, 2016 at 5:22 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:
> Got it.
>
> On Wed, May 18, 2016 at 5:19 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>
>> Kenneth,
>>
>> You misinterpreted the "delayed blocking". It meant "pass" and this
>> would in effect work like a form of "delayed blocking".
>>
>> On Wed, May 18, 2016 at 05:13:06PM +0800, T. Kenneth Lojo (IRRI) wrote:
>> > So inbound I set to 1000 then check the logs. What will I look at the logs
>> > to warrant an adjustment?
>>
>> It's the "ModSecurity. Warning" messages in the error.log. You need to
>> read the various links submitted to you to understand how to tune these
>> false positives.
>>
>> Ahoj,
>>
>> Christian
>>
>> >
>> > Thank you for your patience guys.
>> >
>> > Kenneth
>> >
>> > On Wed, May 18, 2016 at 5:07 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>> >
>> > > Kenneth,
>> > >
>> > > On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
>> > > > "I suggest you run in blocking mode with anomaly scoring on and
>> > > > a high anomaly limit (-> 1K or more)."
>> > > >
>> > > > Do I change the inbound and outbound values to 1k+?
>> > >
>> > > The relevant one is inbound. It's very unusual to get outbound scores
>> > > higher than 10 or 20.
>> > >
>> > > For convenience, I usually configure the two in sync. Thus both to 1K to
>> > > start with. Then I tune, then I lower the limits. In multiple
>> > > iterations down to 10 or 5.
>> > >
>> > > > (deny to delayed blocking)
>> > > > 66 SecDefaultAction "phase:1,delayed blocking,log"
>> > > > 67 SecDefaultAction "phase:2,delayed blocking,log"
>> > >
>> > > What is delayed blocking? Looks like a misunderstanding.
>> > > I run with pass/pass and let the core rules do the blocking (in the
>> > > files mentioned by Noël).
>> > >
>> > > > and uncommented:
>> > > >
>> > > > 152 SecAction \
>> > > > ...
>> > >
>> > > That's the one.
>> > >
>> > > I think you have realised that there are multiple "schools" or
>> > > strategies to CRS deployments or tuning in the general sense.
>> > > Barry favors to start in detection mode, tune and then go to a
>> > > strict blocking mode. I am an advocate of starting in blocking mode
>> > > with anomaly scoring and a high anomaly limit, then work your way
>> > > down to a low limit. The final result will be almost the same.
>> > > As Barry tends to disable non-critical rules, you end up with blocking
>> > > on the critical ones. These are the ones which give you a score
>> > > of 5. I usually try and tune down to a limit of 5. So it's
>> > > really identical. It's just a different path to reach the same goal.
>> > > My key argument for my method is, that people never leave detection
>> > > mode because they fear the switch to blocking. If you start with
>> > > blocking (and a high limit), then every iteration lowering the limits
>> > > helps you to build up confidence in your system and there is no
>> > > final "switch from detection to blocking".
>> > > The example which contradicts my statement is Barry who actually
>> > > switches to blocking in the end. I think this is rare.
>> > >
>> > > Ahoj,
>> > >
>> > > Christian
>> > >
>> > > --
>> > > Happiness exists on earth, and it is won through prudent
>> > > exercise of reason, knowledge of the harmony of the universe, and
>> > > constant practice of generosity.
>> > > -- José Martí
>> >
>> > --
>> > T. Kenneth S. Lojo
>> > Specialist-Online Media Design
>> > IRRI <http://irri.org/>
>> > +63 2 580 5600 ext. 2703/2744
>> > +63 928 209 1191 (mobile)
>> > t.l...@irri.org
>> > www.irri.org
>> >
>> > The International Rice Research Institute <http://irri.org> is a member of
>> > the CGIAR <http://www.cgiar.org/>
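The tuning loop Christian describes above (start with a high inbound limit, read the "ModSecurity: Warning" lines in the error.log, find the rules that fire on legitimate traffic, then lower the limit step by step) can be supported with a small log summariser. The script below is an added example, not code from the thread or from the CRS project: it assumes the ModSecurity 2.x / Apache error.log line layout and the default CRS severity-to-score mapping (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2); the log entries, rule ids and unique_ids are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Default CRS severity -> anomaly score; CRITICAL rules are "the ones which
# give you a score of 5" in the thread above.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Constructed sample entries in ModSecurity 2.x / Apache error.log layout.
# Rule ids 9990xx, hosts, client IPs and unique_ids are made up.
SAMPLE_LOG = """\
[Wed May 18 17:13:06.100000 2016] [:error] [pid 4242] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:q. [file "/etc/modsecurity/crs/example.conf"] [line "10"] [id "999001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/search"] [unique_id "req-1"]
[Wed May 18 17:13:06.200000 2016] [:error] [pid 4242] [client 198.51.100.7] ModSecurity: Warning. Operator GE matched 2 at TX:anomaly. [file "/etc/modsecurity/crs/example.conf"] [line "20"] [id "999002"] [msg "Constructed char anomaly rule"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/search"] [unique_id "req-1"]
[Wed May 18 17:14:01.000000 2016] [:error] [pid 4243] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^[0-9.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/crs/example.conf"] [line "30"] [id "999003"] [msg "Constructed host header rule"] [severity "WARNING"] [hostname "www.example.org"] [uri "/"] [unique_id "req-2"]
[Wed May 18 17:15:30.000000 2016] [:error] [pid 4244] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:body. [file "/etc/modsecurity/crs/example.conf"] [line "10"] [id "999001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/cms/edit"] [unique_id "req-3"]
[Wed May 18 17:15:30.100000 2016] [:error] [pid 4244] [client 198.51.100.7] ModSecurity: Warning. Pattern match "x" at ARGS:body. [file "/etc/modsecurity/crs/example.conf"] [line "40"] [id "999004"] [msg "Constructed notice rule"] [severity "NOTICE"] [hostname "www.example.org"] [uri "/cms/edit"] [unique_id "req-3"]
"""

# Fields appear in this order in a ModSecurity 2.x audit message.
WARNING_RE = re.compile(
    r'ModSecurity: Warning\..*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
    r'.*?\[severity "(?P<sev>[A-Z]+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
    r'.*?\[unique_id "(?P<uid>[^"]+)"\]')

def parse_warnings(log_text):
    """One dict per 'ModSecurity: Warning' line (pass/log rules); a request
    the engine actually denied logs 'Access denied' and is not counted."""
    return [m.groupdict() for m in map(WARNING_RE.search, log_text.splitlines()) if m]

def request_scores(entries):
    """Inbound anomaly score per request, summed over its unique_id."""
    scores = defaultdict(int)
    for e in entries:
        scores[e["uid"]] += SEVERITY_SCORE.get(e["sev"], 0)
    return dict(scores)

def rule_hits(entries):
    """How often each (rule id, uri) fires: the false-positive candidates to tune first."""
    return Counter((e["id"], e["uri"]) for e in entries)

def would_block(scores, limit):
    """unique_ids that reach the inbound limit; compare the high starting
    value (1000) with the final target (5) to see how far tuning has to go."""
    return sorted(uid for uid, s in scores.items() if s >= limit)

if __name__ == "__main__":
    entries = parse_warnings(SAMPLE_LOG)
    scores = request_scores(entries)
    for (rid, uri), n in rule_hits(entries).most_common():
        print(f"rule {rid} fired {n}x on {uri}")
    for limit in (1000, 10, 5):
        print(f"inbound limit {limit}: would block {would_block(scores, limit)}")
```

Run it against a real error.log (replace SAMPLE_LOG with the file contents) and the (rule id, uri) pairs with the highest counts are the ones to review for rule exclusions before lowering the limit.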
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set