Hello Georgi,

CRS3 comes with default rule exclusions for WP and Drupal that solve
many of the base installation's FPs. Collaborating with the project on
a set of Joomla rule exclusions would be most helpful.

Starting with a higher anomaly threshold while you weed out the false
positives is a method that I advocate in my documentation.

Making sure that you do not base your tuning efforts on attack traffic
is an obvious problem. There are multiple approaches to this, and none
of them is hard science. I usually try to start off with tuning based on
known IP ranges.

This is all discussed in great detail in the series of ModSecurity
tutorials at https://www.netnea.com/cms/apache-tutorials/

Besides, I am also running two public ModSec courses in October.

Good luck!

Christian


On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
> Hello,
> I am deploying mod security with nginx in shared hosting environment and most 
> of the websites are Wordpress, Joomla and drupal. I don’t want to rewrite all 
> the rules of owasp to minimize the false positives. Also, I searched for 
> specific for Wordpress or Joomla ruleset but couldn’t find such thing (it 
> would be very resourceful to research for every Wordpress and Joomla hack, 
> even the most famous one and to write rules about it, also to read how to
> write rules :)). Even, if I put mod security initially in a mode that does
> not block, only to log it would be very hard to see very queer if it’s false
> positive or whether it come from evil sources.
> 
> I read that right practice is to change the score of the anomaly but didn’t 
> understand it at all.
> 
> So, I would like to ask you how you deal with this? I know that false 
> positives will be there all the time, but how you minimize them? Write your 
> own ruleset? Is there any paid ruleset that you can recommend (I think that
> I found only one paid and many people cry from it). Just I want to explain me 
> the process you follow with the rules :)
> 
> Thank you in advance!
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
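
Tuning on traffic from known IP ranges, as mentioned in the reply above, sketched as an added example that is not part of the original message or of the CRS project: it tallies which rules fire for trusted clients only, so the counts are false-positive candidates rather than attack noise. The trusted networks, the sample alerts and the assumed log tags (`[client …]`, `[id "…"]`, `[uri "…"]`) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks known to carry only legitimate traffic (office, monitoring).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]
# CRS 3 anomaly-score evaluation/reporting rules: they report the total score
# and say nothing about which detection rule needs tuning.
SCORE_RULES = {"949110", "980130"}

CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\]")
RULE_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

# Constructed sample alerts, not taken from a real log.
SAMPLE_LOG = [
    '[client 192.0.2.10] ModSecurity: Warning. [id "942100"] [uri "/administrator/index.php"]',
    '[client 192.0.2.10] ModSecurity: Warning. [id "942100"] [uri "/administrator/index.php"]',
    '[client 192.0.2.11:51234] ModSecurity: Warning. [id "941160"] [uri "/index.php"]',
    '[client 203.0.113.77] ModSecurity: Warning. [id "930120"] [uri "/index.php"]',
    '[client 192.0.2.10] ModSecurity: Access denied. [id "949110"] [uri "/administrator/index.php"]',
]


def client_ip(line):
    """Return the client address of an alert line, tolerating an 'ip:port' form."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    raw = m.group(1)
    for candidate in (raw, raw.rpartition(":")[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def fp_candidates(lines, trusted=TRUSTED_RANGES):
    """Count (rule id, URI) pairs triggered by clients inside the trusted networks."""
    hits = Counter()
    for line in lines:
        ip = client_ip(line)
        if ip is None or not any(ip in net for net in trusted):
            continue  # unknown origin: may be attack traffic, do not tune on it
        uri = URI_RE.search(line)
        for rule_id in RULE_RE.findall(line):
            if rule_id not in SCORE_RULES:
                hits[(rule_id, uri.group(1) if uri else "-")] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, uri), count in fp_candidates(SAMPLE_LOG).most_common():
        print(f"{count:4d}  rule {rule_id}  {uri}")
```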