Thank you for your reply again, it was useful. First of all I would like to apologize for the questions that are probably stupid to you. Currently I see that I have the following in the config, which means from what I read that I am not in anomaly mode, but in traditional:

    SecDefaultAction "log,deny,phase:1"

So, by your recommendation I understand that I should remove these lines to start using anomaly mode. Then, on every rule I can/should add setvar:tx.anomaly_score=5 (for example) so I can control its score? Also, to decrease the false positives as a second step of the setup, should I increase the threshold value here, or am I wrong?

    # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
    SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
        "id:901100,\
        phase:1,\
        pass,\
        nolog,\
        setvar:tx.inbound_anomaly_score_threshold=5"

> On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> wrote:
>
> Hello Georgi,
>
> CRS3 comes with default rule exclusions for WP and Drupal that solve
> many of the base installations' FPs. Collaborating with the project on
> a set of Joomla rule exclusions would be most helpful.
>
> Starting with a higher anomaly threshold while you weed out the false
> positives is a method that I advocate in my documentation.
>
> Making sure that you do not base your tuning efforts on attack traffic
> is an obvious problem. There are multiple approaches to this, and none
> of them is hard science. I usually try to start off with tuning based on
> known IP ranges.
>
> This is all discussed in great detail in the series of ModSecurity
> tutorials at https://www.netnea.com/cms/apache-tutorials/
>
> Besides, I am also running two public ModSec courses in October.
>
> Good luck!
>
> Christian
>
>
> On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
>> Hello,
>> I am deploying mod security with nginx in a shared hosting environment and
>> most of the websites are Wordpress, Joomla and Drupal. I don't want to
>> rewrite all the rules of OWASP to minimize the false positives. Also, I
>> searched for a specific ruleset for Wordpress or Joomla but couldn't find such a
>> thing (it would be very resourceful to research every Wordpress and
>> Joomla hack, even the most famous ones, and to write rules about them, also to
>> read how to write rules :)). Even if I put mod security initially in a mode
>> that does not block, only logs, it would be very hard to see whether
>> it's a false positive or whether it comes from evil sources.
>>
>> I read that the right practice is to change the score of the anomaly but didn't
>> understand it at all.
>>
>> So, I would like to ask you how you deal with this? I know that false
>> positives will be there all the time, but how do you minimize them? Write your
>> own ruleset? Is there any paid ruleset that you can recommend (I think that
>> I found only one paid one and many people complain about it)? I just want you to explain
>> to me the process you follow with the rules :)
>>
>> Thank you in advance!
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
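The three moving parts of CRS3 anomaly-scoring mode that the thread is circling around (pass-by-default actions, a threshold set early, rules that add to the score, and one evaluation rule at the end), as an added configuration example. This is not code from the mailing-list post or from the CRS project: rule ids 1000010 and 1000020, the SQLi pattern and the /wp-admin/ exclusion are constructed for illustration; 900110, 901100 and 949110 are the real CRS rule ids, and the severity weight variables (tx.critical_anomaly_score and friends) are assumed to be initialised by the CRS setup files loaded before this fragment, as they are in a stock CRS3 install.

```apache
# 1. Default actions. In anomaly mode the per-rule default is "pass", so a
#    matching rule only records a score instead of blocking on its own.
#    Traditional mode is the same line with "deny,status:403" in place of "pass".
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# 2. Threshold, set before any scoring rule runs (mirrors crs-setup.conf rule
#    900110). Start high while weeding out false positives, then lower it;
#    5 is the CRS default, which means a single CRITICAL hit already blocks.
SecAction "id:900110,phase:1,nolog,pass,t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# 3. A scoring rule (constructed). Note the "=+": it ADDS the severity weight to
#    the running score. "setvar:tx.anomaly_score=5" would overwrite whatever
#    earlier rules had accumulated, which defeats the scoring model.
SecRule ARGS "@rx (?i)union\s+select" \
  "id:1000010,phase:2,pass,log,msg:'Example SQLi probe (constructed rule)',\
  severity:'CRITICAL',\
  setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# 4. A rule exclusion for a known false positive (constructed): keep rule
#    1000010 but stop it inspecting the post body field that WordPress's editor
#    submits under /wp-admin/. This is the CRS way to tune instead of rewriting
#    or deleting rules.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
  "id:1000020,phase:1,pass,nolog,t:none,\
  ctl:ruleRemoveTargetById=1000010;ARGS:content"

# 5. Evaluation. One rule, after all inbound rules have run, compares the total
#    with the threshold and is the only place a block decision is made
#    (CRS3 ships this as rule 949110 in REQUEST-949-BLOCKING-EVALUATION.conf).
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:949110,phase:2,deny,status:403,log,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})'"
```

Load order matters: the threshold (2) must be set before the scoring rules, the exclusion (4) before the rule it targets, and the evaluation rule (5) after every scoring rule, which in a stock CRS3 layout means custom exclusions go in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS file and a higher threshold is set in crs-setup.conf rather than by editing rule 901100 (that rule only supplies the default when crs-setup.conf has not set one).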