Georgi,

Yes, this is all correct.

Glad to help (just not always with enough time at my hands...)

Cheers,

Christian

On Tue, Aug 15, 2017 at 03:42:08PM +0300, Georgi Georgiev wrote:
> Thank you for your reply again, it was useful. First of all I would like to 
> apologize for the questions that are stupid to you. Currently I see that I have the 
> following in the config, which means from what I read that I am not in anomaly 
> mode, but in traditional:
> 
> SecDefaultAction "log,deny,phase:1"
> 
> So, by your recommendation I understand that I should remove these lines to 
> start using anomaly mode. Then, on every rule I can/should add 
> setvar:tx.anomaly_score=5 (for example) so I can control its score?
> 
> Also, to decrease the false positives as a second step of the setup, should I 
> increase the threshold value here, or am I wrong?
> 
> # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
> SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
>     "id:901100,\
>     phase:1,\
>     pass,\
>     nolog,\
>     setvar:tx.inbound_anomaly_score_threshold=5"
> 
> 
> 
> > On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> 
> > wrote:
> > 
> > Hello Georgi,
> > 
> > CRS3 comes with default rule exclusions for WP and Drupal that solve
> > many of the base installations' FPs. Collaborating with the project on
> > a set of Joomla rule exclusions would be most helpful.
> > 
> > Starting with a higher anomaly threshold while you weed out the false
> > positives is a method that I advocate in my documentation.
> > 
> > Making sure that you do not base your tuning efforts on attack traffic
> > is an obvious problem. There are multiple approaches to this, and none
> > of them is hard science. I usually try to start off with tuning based on
> > known IP ranges.
> > 
> > This is all discussed in great detail in the series of ModSecurity
> > tutorials at https://www.netnea.com/cms/apache-tutorials/
> > 
> > Besides, I am also running two public ModSec courses in October.
> > 
> > Good luck!
> > 
> > Christian
> > 
> > 
> > On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
> >> Hello,
> >> I am deploying mod security with nginx in a shared hosting environment and 
> >> most of the websites are Wordpress, Joomla and Drupal. I don't want to 
> >> rewrite all the rules of OWASP to minimize the false positives. Also, I 
> >> searched for a specific Wordpress or Joomla ruleset but couldn't find 
> >> such a thing (it would be very resourceful to research every Wordpress 
> >> and Joomla hack, even the most famous one, and to write rules about it, 
> >> also to read how to write rules :)). Even if I put mod security initially 
> >> in a mode that does not block, only logs, it would be very hard to see 
> >> very queer if it's a false positive or whether it comes from evil sources.
> >> 
> >> I read that right practice is to change the score of the anomaly but 
> >> didn’t understand it at all.
> >> 
> >> So, I would like to ask you how you deal with this? I know that false 
> >> positives will be there all the time, but how do you minimize them? Write 
> >> your own ruleset? Is there any paid ruleset that you can recommend (I 
> >> think that I found only one paid and many people cry about it)? I just want 
> >> you to explain to me the process you follow with the rules :)
> >> 
> >> Thank you in advance!
> >> _______________________________________________
> >> Owasp-modsecurity-core-rule-set mailing list
> >> Owasp-modsecurity-core-rule-set@lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> > 
> > -- 
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:christian.fol...@netnea.com
> > twitter: @ChrFolini
> 

-- 
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
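As an added illustration (not part of this thread and not the CRS project's own file contents verbatim), here is a crs-setup.conf-style fragment that puts the traditional-mode SecDefaultAction quoted above next to the anomaly-scoring configuration it is being replaced with: pass-only default actions, the threshold rule 900110 that the quoted rule 901100 only fills in when 900110 left the threshold unset, a hypothetical local rule (id 10001, constructed for this example, as is its pattern) that adds to tx.anomaly_score, and the CRS 3 blocking-evaluation rule 949110 that applies the threshold. The ids 900110 and 949110 and the tx.* variable names are the CRS 3 ones; the severity score variables such as tx.critical_anomaly_score get their defaults in REQUEST-901-INITIALIZATION.conf. Note that `setvar:tx.anomaly_score=+...` adds to the running score, whereas `setvar:tx.anomaly_score=5` assigns it.

```apache
# --- Traditional mode: the directive quoted in the thread ---
# Every matching rule blocks on its own; no score, no threshold.
# SecDefaultAction "log,deny,phase:1"

# --- Anomaly scoring mode (CRS 3 default) ---
# 1. Default actions only log and pass; matching rules raise a score instead
#    of blocking directly.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# 2. Thresholds (crs-setup.conf, rule 900110). Start high while tuning so
#    nothing is blocked but every hit is logged, then lower toward 5.
SecAction \
    "id:900110,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# 3. A local rule shaped like the CRS rules (id 10001 and the pattern are
#    constructed for this example). The '=+' form increments the running
#    score by the severity value; '=' alone would overwrite it.
SecRule ARGS "@rx <script" \
    "id:10001,\
    phase:2,\
    pass,\
    log,\
    msg:'Example inline-script pattern in an argument (illustration)',\
    severity:'CRITICAL',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# 4. Blocking evaluation (REQUEST-949-BLOCKING-EVALUATION.conf, rule 949110):
#    the single place where a request is denied in anomaly mode.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    log,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})'"
```

With the threshold at 5 and the critical severity score at its default of 5, one critical-severity hit is enough to block; raising the threshold in 900110 (for example to 1000 during the tuning phase) keeps the per-rule log entries flowing so false positives can be identified from the audit log before blocking is turned on.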