Thank you for your reply. I know about the exclusion, but I don't think this is the perfect solution, because if I exclude all the false positive rules there will be maybe 2-3 working rules at all :) Maybe they should be tuned? What is going on when the anomaly score is higher - this I couldn't understand - are users not blocked, or what? If I understand right, I can start with a high anomaly score for all rules with an equal score until I tune them perfectly.

In nginx I have rate limits, and I prefer to start with the most common WordPress / Joomla hack rules that can stop some part of the hacks, because this is the biggest problem.

Best regards,
Georgi Georgiev

> On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> wrote:
>
> Hello Georgi,
>
> CRS3 comes with default rule exclusions for WP and Drupal that solve
> many of the base installations' FPs. Collaborating with the project on
> a set of Joomla rule exclusions would be most helpful.
>
> Starting with a higher anomaly threshold while you weed out the false
> positives is a method that I advocate in my documentation.
>
> Making sure that you do not base your tuning efforts on attack traffic
> is an obvious problem. There are multiple approaches to this, and none
> of them is hard science. I usually try to start off with tuning based on
> known IP ranges.
>
> This is all discussed in great detail in the series of ModSecurity
> tutorials at https://www.netnea.com/cms/apache-tutorials/
>
> Besides, I am also running two public ModSec courses in October.
>
> Good luck!
>
> Christian
>
>
> On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
>> Hello,
>> I am deploying mod_security with nginx in a shared hosting environment and
>> most of the websites are WordPress, Joomla and Drupal. I don't want to
>> rewrite all the OWASP rules to minimize the false positives. Also, I
>> searched for a ruleset specific to WordPress or Joomla but couldn't find such a
>> thing (it would be very resourceful to research every WordPress and
>> Joomla hack, even the most famous ones, and to write rules about them, and also to
>> read how to write rules :)). Even if I put mod_security initially in a mode
>> that does not block, only logs, it would be very hard to tell whether
>> it's a false positive or whether it comes from evil sources.
>>
>> I read that the right practice is to change the score of the anomaly but didn't
>> understand it at all.
>>
>> So, I would like to ask you how you deal with this? I know that false
>> positives will be there all the time, but how do you minimize them? Write your
>> own ruleset? Is there any paid ruleset that you can recommend (I think that
>> I found only one paid one and many people complain about it)? I just want you to explain
>> to me the process you follow with the rules :)
>>
>> Thank you in advance!
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini
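As an added illustration of the "higher anomaly threshold, then targeted exclusions" approach discussed in this thread (this is example configuration written for this page, not configuration from the thread, from CRS or from Christian's tutorials): in CRS3 anomaly-scoring mode, no single rule blocks; each match only adds its severity score to tx.inbound_anomaly_score, and the blocking evaluation rule at the end of phase 2 (id 949110) denies the request only when that total reaches tx.inbound_anomaly_score_threshold. The local rule id 10001, the /wp-admin/post.php path and the threshold value 1000 are assumed values chosen for the example.

```apache
# crs-setup.conf fragment (added example). CRS3 individual rules do not block;
# they add a severity score to tx.inbound_anomaly_score (critical=5, error=4,
# warning=3, notice=2). Rule 949110 in REQUEST-949-BLOCKING-EVALUATION.conf
# then compares the total with the threshold. The CRS default threshold of 5
# means one critical match is enough to block.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Tuning phase: raise the threshold so that practically nothing is blocked,
# while every matching rule is still written to the audit log with its score.
# Lower it step by step toward 5 as the false positives are handled.
SecAction \
  "id:900110,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.inbound_anomaly_score_threshold=1000,\
   setvar:tx.outbound_anomaly_score_threshold=1000"

# Stay at paranoia level 1 while tuning; higher levels enable stricter rules
# that produce more false positives on CMS traffic.
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf fragment (added example).
# Handle a WordPress false positive with a targeted exclusion instead of
# disabling the rule globally: rule 942100 (libinjection SQLi check) skips
# only the 'content' argument, and only on the post editor URL.
# Rule id 10001 is an assumed local id; CRS reserves the 9xxxxx range.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
  "id:10001,\
   phase:1,\
   pass,\
   nolog,\
   ctl:ruleRemoveTargetById=942100;ARGS:content"
```

With the threshold at 1000 the audit log shows which rule fired on which parameter and how much it contributed, which is the data the exclusions are written against; the same rule IDs that fire on the known-good IP ranges Christian mentions are the ones to exclude first.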