Ok, I removed the line

SecDefaultAction "log,deny,phase:1"

so now I am in anomaly mode as a first step.

Later, I changed the threshold to 40 and the XSS stack test is no longer being blocked:

SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.inbound_anomaly_score_threshold=40"

Last, but not least, I added a tx score to the following rule, which is a custom one from me, as I experimented with the values, but I am always blocked. Is the problem in the rule (40 scores shouldn't be reached from one rule)?

SecRule ARGS|REQUEST_URI "c99" "phase:3,log,id:153,setvar:tx.anomaly_score=0"

Should I do something else, or should I now play only with this score? Are there any best practices or anything else you would suggest?

Best regards,
Georgi Georgiev

> On Aug 15, 2017, at 3:55 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>
> Georgi,
>
> Yes, this is all correct.
>
> Glad to help (just not always with enough time at my hands...)
>
> Cheers,
>
> Christian
>
> On Tue, Aug 15, 2017 at 03:42:08PM +0300, Georgi Georgiev wrote:
>> Thank you for your reply again, it was useful. First of all I would like
>> to apologize for the questions that may seem stupid to you. Currently I see that I have
>> the following in the config, which means, from what I read, that I am not in
>> anomaly mode, but in traditional:
>>
>> SecDefaultAction "log,deny,phase:1"
>>
>> So, by your recommendation I understand that I should remove these lines to
>> start using anomaly mode. Then, on every rule I can/should add
>> setvar:tx.anomaly_score=5 (for example) so I can control its score?
>>
>> Also, to decrease the false positives as a second step of the setup, should
>> I increase the threshold value here, or am I wrong?
>>
>> # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
>> SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
>>     "id:901100,\
>>     phase:1,\
>>     pass,\
>>     nolog,\
>>     setvar:tx.inbound_anomaly_score_threshold=5"
>>
>>
>>> On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> wrote:
>>>
>>> Hello Georgi,
>>>
>>> CRS3 comes with default rule exclusions for WP and Drupal that solve
>>> many of the base installations' FPs. Collaborating with the project on
>>> a set of Joomla rule exclusions would be most helpful.
>>>
>>> Starting with a higher anomaly threshold while you weed out the false
>>> positives is a method that I advocate in my documentation.
>>>
>>> Making sure that you do not base your tuning efforts on attack traffic
>>> is an obvious problem. There are multiple approaches to this, and none
>>> of them is hard science. I usually try to start off with tuning based on
>>> known IP ranges.
>>>
>>> This is all discussed in great detail in the series of ModSecurity
>>> tutorials at https://www.netnea.com/cms/apache-tutorials/
>>>
>>> Besides, I am also running two public ModSec courses in October.
>>>
>>> Good luck!
>>>
>>> Christian
>>>
>>>
>>> On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
>>>> Hello,
>>>> I am deploying ModSecurity with nginx in a shared hosting environment and
>>>> most of the websites are WordPress, Joomla and Drupal. I don't want to
>>>> rewrite all the rules of OWASP to minimize the false positives. Also, I
>>>> searched for a ruleset specific to WordPress or Joomla but couldn't find
>>>> such a thing (it would take a lot of resources to research every WordPress
>>>> and Joomla hack, even the most famous ones, and to write rules about it,
>>>> and also to read how to write rules :)). Even if I put ModSecurity initially
>>>> in a mode that does not block, only logs, it would be very hard to see
>>>> whether it's a false positive or whether it came from evil sources.
>>>>
>>>> I read that the right practice is to change the score of the anomaly but
>>>> didn't understand it at all.
>>>>
>>>> So, I would like to ask you how you deal with this? I know that false
>>>> positives will be there all the time, but how do you minimize them? Write
>>>> your own ruleset? Is there any paid ruleset that you can recommend (I
>>>> think that I found only one paid one and many people complain about it)? I just want
>>>> you to explain to me the process you follow with the rules :)
>>>>
>>>> Thank you in advance!
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>
>>> --
>>> https://www.feistyduck.com/books/modsecurity-handbook/
>>> mailto:christian.fol...@netnea.com
>>> twitter: @ChrFolini
>>
>
> --
> ModSecurity courses Oct 2017 in London and Zurich
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini
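The thread above touches three separate knobs of CRS 3.0 anomaly mode: the SecDefaultAction that decides whether a single rule match blocks, the inbound threshold (rule 900110 in crs-setup.conf, with 901100 only as a fallback when 900110 leaves it unset), and how a custom rule takes part in the score. The configuration below is an added example written for this page; it is not from the thread or from the CRS project. The file names and the CRS rule IDs (900110, 942100, 949110) are the CRS 3.0 ones; the custom rule IDs 1001 and 1002, the "c99" check, the WordPress path and the argument name are assumptions chosen for illustration.

```apacheconf
# Added example for this page, not part of the thread or of CRS itself.
# Target: ModSecurity (Apache 2.9.x or libmodsecurity 3 with nginx) running
# OWASP CRS 3.0 in anomaly-scoring mode. Rule IDs 1001 and 1002, the "c99"
# check and the WordPress path/argument below are assumptions.

# --- crs-setup.conf -------------------------------------------------------

# Anomaly mode: individual rules only add to tx.anomaly_score, they never
# block on their own. A SecDefaultAction carrying "deny" (as in the thread)
# turns every rule match into a block, which is traditional mode.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Start with a high inbound threshold while weeding out false positives,
# then lower it. This is rule 900110 in crs-setup.conf; 901100 in
# REQUEST-901-INITIALIZATION.conf only applies a default when this is unset,
# so change the value here rather than editing the CRS rule file.
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=40,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ---------------------------
# This file is loaded before the CRS rule files, so its phase:2 rules run
# before rule 949110 (phase 2), which compares tx.anomaly_score against the
# threshold and denies. The severity scores (tx.critical_anomaly_score = 5
# by default) are set by the phase:1 initialization rules, so they are
# available to any phase:2 rule.

# A custom rule that takes part in scoring: add the critical severity score
# instead of assigning a fixed total. phase:2 is required. A phase:3 rule
# (response headers) runs only after 949110 has already issued its verdict,
# so whatever it writes into tx.anomaly_score cannot affect inbound blocking.
SecRule ARGS|REQUEST_URI "@contains c99" \
 "id:1001,\
  phase:2,\
  pass,\
  log,\
  t:none,t:lowercase,\
  msg:'Custom: reference to a c99-style web shell',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# A false-positive exclusion done the CRS way: remove one argument from one
# rule for one path, rather than disabling the rule for the whole host.
# Here the libinjection SQLi rule 942100 ignores the WordPress post body
# when editing a post (path and argument name are assumptions).
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
 "id:1002,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveTargetById=942100;ARGS:post_content"
```

With a threshold of 40 and the default critical score of 5, a single rule match (rule 1001 included) cannot block: at least eight critical-severity matches on one request are needed, which is why the XSS test stops being blocked once the threshold is raised and why blocking should be checked by reading the total, not by watching one rule. To verify, send a request that trips several rules (for example a query string containing `<script>alert(1)</script>` together with `' OR 1=1--`) and look in the error log for the 949110 message `Inbound Anomaly Score Exceeded (Total Score: N)`; each contributing rule is logged on its own line just before it, which is the list to tune from.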