Thanks to all.

On Thu, May 19, 2016 at 4:21 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:

> Hi Christian,
>
> It worked. I changed the value of 900003 back to the default as when the
> error was triggered it only gave a value of 3 and nothing higher than that.
> Everything is ok now. Will continue to monitor. I hope I did right. I also
> have IT buy the book: ModSecurity Handbook by Ivan Ristić.
>
> On Wed, May 18, 2016 at 5:22 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:
>
>> Got it.
>>
>> On Wed, May 18, 2016 at 5:19 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>>
>>> Kenneth,
>>>
>>> You misinterpreted the "delayed blocking". It meant "pass" and this
>>> would in effect work like a form of "delayed blocking".
>>>
>>> On Wed, May 18, 2016 at 05:13:06PM +0800, T. Kenneth Lojo (IRRI) wrote:
>>> > So inbound I set to 1000 then check the logs. What will I look at in the
>>> > logs to warrant an adjustment?
>>>
>>> It's the "ModSecurity: Warning" messages in the error.log. You need to
>>> read the various links submitted to you to understand how to tune these
>>> false positives.
>>>
>>> Ahoj,
>>>
>>> Christian
>>>
>>> > Thank you for your patience guys.
>>> >
>>> > Kenneth
>>> >
>>> > On Wed, May 18, 2016 at 5:07 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>>> >
>>> > > Kenneth,
>>> > >
>>> > > On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
>>> > > > "I suggest you run in blocking mode with anomaly scoring on and
>>> > > > a high anomaly limit (-> 1K or more)."
>>> > > >
>>> > > > Do I change the inbound and outbound values to 1k+?
>>> > >
>>> > > The relevant one is inbound. It's very unusual to get outbound scores
>>> > > higher than 10 or 20.
>>> > >
>>> > > For convenience, I usually configure the two in sync. Thus both to 1K to
>>> > > start with. Then I tune, then I lower the limits. In multiple
>>> > > iterations down to 10 or 5.
>>> > >
>>> > > > (deny to delayed blocking)
>>> > > > 66 SecDefaultAction "phase:1,delayed blocking,log"
>>> > > > 67 SecDefaultAction "phase:2,delayed blocking,log"
>>> > >
>>> > > What is delayed blocking? Looks like a misunderstanding.
>>> > > I run with pass/pass and let the core rules do the blocking (in the
>>> > > files mentioned by Noël).
>>> > >
>>> > > > and uncommented:
>>> > > >
>>> > > > 152 SecAction \
>>> > > > ...
>>> > >
>>> > > That's the one.
>>> > >
>>> > > I think you have realised that there are multiple "schools" or
>>> > > strategies to CRS deployments or tuning in the general sense.
>>> > > Barry favors starting in detection mode, tuning and then going to a
>>> > > strict blocking mode. I am an advocate of starting in blocking mode
>>> > > with anomaly scoring and a high anomaly limit, then working your way
>>> > > down to a low limit. The final result will be almost the same.
>>> > > As Barry tends to disable non-critical rules, you end up with blocking
>>> > > on the critical ones. These are the ones which give you a score
>>> > > of 5. I usually try and tune down to a limit of 5. So it's
>>> > > really identical. It's just a different path to reach the same goal.
>>> > > My key argument for my method is that people never leave detection
>>> > > mode because they fear the switch to blocking. If you start with
>>> > > blocking (and a high limit), then every iteration lowering the limits
>>> > > helps you to build up confidence in your system and there is no
>>> > > final "switch from detection to blocking".
>>> > > The example which contradicts my statement is Barry who actually
>>> > > switches to blocking in the end. I think this is rare.
>>> > >
>>> > > Ahoj,
>>> > >
>>> > > Christian
>>> > >
>>> > > --
>>> > > Happiness exists on earth, and it is won through prudent
>>> > > exercise of reason, knowledge of the harmony of the universe, and
>>> > > constant practice of generosity.
>>> > > -- José Martí

--
*T. Kenneth S. Lojo*
Specialist-Online Media Design
IRRI <http://irri.org/>
+63 2 580 5600 ext. 2703/2744
+63 928 209 1191 (mobile)
t.l...@irri.org
www.irri.org

The International Rice Research Institute <http://irri.org> is a member of the CGIAR <http://cgiar.org> consortium
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
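As an added example (not from the thread, the CRS project or Christian's own tooling): a small Python script that reads the "ModSecurity: Warning" lines Christian points to, re-adds the CRS 2.x anomaly score per request and shows which requests each lower inbound limit would have blocked, so the false positives to tune stand out before the limit is lowered. The log lines, rule hits, URIs and client addresses are constructed samples modelled on the ModSecurity 2.x error.log format.

```python
import re
from collections import Counter, defaultdict

# CRS 2.x default severity-to-anomaly-score mapping (tx.critical_anomaly_score etc.).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Constructed error.log excerpt in ModSecurity 2.x format; the traffic is invented.
SAMPLE_LOG = """\
[Wed May 18 17:13:06 2016] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:content. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"] [uri "/wp-admin/post.php"] [unique_id "req-001"]
[Wed May 18 17:13:06 2016] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:content. [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters"] [severity "WARNING"] [uri "/wp-admin/post.php"] [unique_id "req-001"]
[Wed May 18 17:14:01 2016] [:error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "..." at ARGS:content. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"] [uri "/wp-admin/post.php"] [unique_id "req-002"]
[Wed May 18 17:15:30 2016] [:error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [uri "/search"] [unique_id "req-003"]
[Wed May 18 17:15:30 2016] [:error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"] [uri "/search"] [unique_id "req-003"]
[Wed May 18 17:15:30 2016] [:error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"] [uri "/search"] [unique_id "req-003"]
[Wed May 18 17:16:12 2016] [:error] [client 192.0.2.12] ModSecurity: Warning. Pattern match "..." at ARGS:content. [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters"] [severity "WARNING"] [uri "/wp-admin/post.php"] [unique_id "req-004"]
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # matches [key "value"] pairs

def parse_warnings(log_text):
    """Return one dict of bracketed fields per 'ModSecurity: Warning' line."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity: Warning" not in line:
            continue  # skip other Apache errors and the 'Access denied' summaries
        events.append(dict(FIELD_RE.findall(line)))
    return events

def score_by_request(events):
    """Re-add the anomaly score of every rule that fired, per unique_id."""
    scores = defaultdict(int)
    for ev in events:
        scores[ev["unique_id"]] += SEVERITY_SCORE.get(ev["severity"], 0)
    return dict(scores)

def blocked_at(scores, threshold):
    """Requests an inbound limit of 'threshold' would have blocked (score >= limit)."""
    return sorted(rid for rid, s in scores.items() if s >= threshold)

def noisiest_rules(events):
    """(rule id, uri) pairs by hit count: the false-positive tuning candidates."""
    return Counter((ev["id"], ev["uri"]) for ev in events).most_common()

if __name__ == "__main__":
    evs = parse_warnings(SAMPLE_LOG)
    scores = score_by_request(evs)
    for limit in (1000, 100, 10, 5):  # lower the limit stepwise, as in the thread
        print(f"limit {limit:>4}: would block {blocked_at(scores, limit)}")
    for (rule_id, uri), n in noisiest_rules(evs):
        print(f"rule {rule_id} on {uri}: {n} hits")
```

In this sample, lowering the limit from 10 to 5 would start blocking the /wp-admin/post.php editing requests, so rules 981173 and 960024 on that URI are what needs a tuning decision before that step.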