Thank you again for your reply, it was useful. First of all I would like to 
apologize for the questions that are stupid to you. Currently I see that I have the 
following in the config, which from what I read means that I am not in anomaly 
mode but in traditional mode:

SecDefaultAction "log,deny,phase:1"

So, by your recommendation I understand that I should remove this line to 
start using anomaly mode. Then, on every rule I can/should add 
setvar:tx.anomaly_score=5 (for example) so I can control its score?

Also, to decrease the false positives, as a second step in the setup should I 
increase the threshold value here, or am I wrong?

# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.inbound_anomaly_score_threshold=5"



> On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> 
> wrote:
> 
> Hello Georgi,
> 
> CRS3 comes with default rule exclusions for WP and Drupal that solve
> many of the base installations' FPs. Collaborating with the project on
> a set of Joomla rule exclusions would be most helpful.
> 
> Starting with a higher anomaly threshold while you weed out the false
> positives is a method that I advocate in my documentation.
> 
> Making sure that you do not base your tuning efforts on attack traffic
> is an obvious problem. There are multiple approaches to this, and none
> of them is hard science. I usually try to start off with tuning based on
> known IP ranges.
> 
> This is all discussed in great detail in the series of ModSecurity
> tutorials at https://www.netnea.com/cms/apache-tutorials/
> 
> Besides, I am also running two public ModSec courses in October.
> 
> Good luck!
> 
> Christian
> 
> 
> On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
>> Hello,
>> I am deploying mod security with nginx in a shared hosting environment and 
>> most of the websites are Wordpress, Joomla and drupal. I don't want to 
>> rewrite all the rules of owasp to minimize the false positives. Also, I 
>> searched for a ruleset specific for Wordpress or Joomla but couldn't find such a 
>> thing (it would take a lot of resources to research every Wordpress and 
>> Joomla hack, even the most famous ones, and to write rules about them, also to 
>> read how to write rules :)). Even if I put mod security initially in a mode 
>> that does not block, only logs, it would be very hard to see for every query whether 
>> it's a false positive or whether it comes from evil sources.
>> 
>> I read that the right practice is to change the anomaly score but didn't 
>> understand it at all.
>> 
>> So, I would like to ask you how you deal with this. I know that false 
>> positives will be there all the time, but how do you minimize them? Write your 
>> own ruleset? Is there any paid ruleset that you can recommend (I think that 
>> I found only one paid one and many people complain about it)? I just want you to 
>> explain to me the process you follow with the rules :)
>> 
>> Thank you in advance!
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
> -- 
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini

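To make the difference between traditional mode and anomaly scoring asked about at the top of this thread concrete, here is a small added model of how CRS 3 arrives at a block decision. It is example code written for this thread, not code from the mailing list or from the CRS project. The severity scores (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2) and the default inbound threshold of 5 mirror the crs-setup.conf defaults; the rule ids, messages and request matches are constructed sample data, and the model leaves out paranoia levels and outbound scoring.

```python
"""Toy model of how ModSecurity CRS 3 anomaly scoring decides to block.

Added example, not code from the mailing list or from the CRS project.
Score-per-severity defaults mirror crs-setup.conf (rule 900100):
CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2; default inbound threshold is 5.
"""
from dataclasses import dataclass
import re

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass
class Match:
    """One rule that fired on a request (constructed sample data below)."""
    rule_id: int
    severity: str
    msg: str


def apply_setvar(tx: dict, action: str) -> dict:
    """Apply a ModSecurity setvar argument such as 'tx.anomaly_score=+5' to a
    transaction collection. '=+N' increments, '=-N' decrements, '=N' assigns.
    Assigning '=5' (as in the question) overwrites what earlier rules added;
    CRS rules increment instead, e.g. =+%{tx.critical_anomaly_score}."""
    m = re.fullmatch(r"tx\.(\w+)=([+-]?)(\d+)", action)
    if not m:
        raise ValueError(f"unsupported setvar syntax: {action}")
    name, op, value = m.group(1), m.group(2), int(m.group(3))
    if op == "+":
        tx[name] = tx.get(name, 0) + value
    elif op == "-":
        tx[name] = tx.get(name, 0) - value
    else:
        tx[name] = value
    return tx


def traditional_mode(matches):
    """SecDefaultAction "log,deny,phase:1": the first matching rule denies,
    so a single false positive is enough to block the request."""
    return {"mode": "traditional", "score": None, "blocked": bool(matches),
            "rules": [m.rule_id for m in matches[:1]]}


def anomaly_mode(matches, threshold=5):
    """Anomaly mode: each match adds its severity score to tx.anomaly_score;
    only the blocking evaluation rule compares the sum with
    tx.inbound_anomaly_score_threshold, so raising the threshold while tuning
    keeps low-severity false positives logged but not blocked."""
    tx = {}
    for m in matches:
        apply_setvar(tx, f"tx.anomaly_score=+{SEVERITY_SCORE[m.severity]}")
    score = tx.get("anomaly_score", 0)
    return {"mode": "anomaly", "score": score, "blocked": score >= threshold,
            "rules": [m.rule_id for m in matches]}


# Constructed sample traffic: rule ids and messages are illustrative only.
WP_EDITOR_FP = [Match(990001, "WARNING", "HTML tag in post body (likely FP)")]
REAL_ATTACK = [Match(990002, "CRITICAL", "SQL injection pattern"),
               Match(990001, "WARNING", "HTML tag in post body")]

if __name__ == "__main__":
    for label, matches in (("WP editor post", WP_EDITOR_FP),
                           ("injection attempt", REAL_ATTACK)):
        print(label, traditional_mode(matches))
        for thr in (5, 10):
            print(f"  threshold {thr}:", anomaly_mode(matches, thr))
```

Running it shows the WordPress editor post blocked in traditional mode but only scored 3 in anomaly mode (below the default threshold of 5), while the request with a CRITICAL match reaches 8 and is blocked at threshold 5 and logged but passed at a tuning threshold of 10.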