I am getting started :) I would like to finally ask you these questions. I 
would be very thankful if you answered them.

 1. Is paranoia level 1 really less prone to false positives in a shared hosting 
environment, and at the same time enough for protection? Does it protect from SQL 
injection and XSS, as I read that they are included in paranoia level 2? What is 
the best practice: initially start with paranoia level 1, tune it and then 
switch to 2?

2. What is your inbound anomaly score set to? Have you changed it to something 
other than 5, or did you leave it at 5 and change the scores of the rules?

3. I am not sure how to tune the tx score for every rule in the OWASP CRS, as they 
use variables such as the following:

  SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
    "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"


Are these the correct default scores for the specific rule sets and attacks that I 
should tune?

# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.

SecAction \
 "id:901200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.anomaly_score=0,\
  setvar:tx.sql_injection_score=0,\
  setvar:tx.xss_score=0,\
  setvar:tx.rfi_score=0,\
  setvar:tx.lfi_score=0,\
  setvar:tx.rce_score=0,\
  setvar:tx.php_injection_score=0,\
  setvar:tx.http_violation_score=0,\
  setvar:tx.session_fixation_score=0,\
  setvar:tx.inbound_anomaly_score=0,\
  setvar:tx.outbound_anomaly_score=0,\
  setvar:tx.sql_error_match=0


4. Should I adjust the percentage of requests that are funnelled into the Core 
Rules to below 100, as is recommended on some pages? Does this affect the false 
positives or only the performance?

Best regards,
Georgi Georgiev

> On Aug 15, 2017, at 6:10 PM, Georgi Georgiev <geo...@serversolution.info> 
> wrote:
> 
> Ok, I removed the line SecDefaultAction "log,deny,phase:1" so now I am in 
> anomaly mode as a first step.
> 
> Later, I changed the threshold to 40 and the XSS stack test is no longer being 
> blocked.
> 
> SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
>     "id:901100,\
>     phase:1,\
>     pass,\
>     nolog,\
>     setvar:tx.inbound_anomaly_score_threshold=40"
> 
> Last but not least, I added a tx score to the following rule, which is a custom 
> one of mine, as I experimented with the values, but I am always blocked. Is 
> the problem in the rule (40 points shouldn't be reached from one rule)?
> 
> SecRule ARGS|REQUEST_URI "c99" "phase:3,log,id:153,setvar:tx.anomaly_score=0"
> 
> Should I do something else, or should I now play only with this score? Are 
> there any best practices or anything else you would suggest? 
> 
> Best regards,
> Georgi Georgiev
> 
>> On Aug 15, 2017, at 3:55 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>> 
>> Georgi,
>> 
>> Yes, this is all correct.
>> 
>> Glad to help (just not always with enough time at my hands...)
>> 
>> Cheers,
>> 
>> Christian
>> 
>> On Tue, Aug 15, 2017 at 03:42:08PM +0300, Georgi Georgiev wrote:
>>> Thank you for your reply again, it was useful. First of all I would like 
>>> to apologize for the questions, which are probably stupid to you. Currently I 
>>> see that I have the following in the config, which from what I read means 
>>> that I am not in anomaly mode, but in traditional mode:
>>> 
>>> SecDefaultAction "log,deny,phase:1"
>>> 
>>> So, by your recommendation I understand that I should remove this line to 
>>> start using anomaly mode. Then, on every rule I can/should add 
>>> setvar:tx.anomaly_score=5 (for example) so I can control its score?
>>> 
>>> Also, to decrease the false positives as a second step of the setup, should 
>>> I increase the threshold value here, or am I wrong?
>>> 
>>> # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
>>> SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
>>>    "id:901100,\
>>>    phase:1,\
>>>    pass,\
>>>    nolog,\
>>>    setvar:tx.inbound_anomaly_score_threshold=5"
>>> 
>>> 
>>> 
>>>> On Aug 15, 2017, at 9:52 AM, Christian Folini <christian.fol...@netnea.com> wrote:
>>>> 
>>>> Hello Georgi,
>>>> 
>>>> CRS3 comes with default rule exclusions for WP and Drupal that solve
>>>> many of the base installations FPs. Collaborating with the project on
>>>> a set of Joomla rule exclusions would be most helpful.
>>>> 
>>>> Starting with a higher anomaly threshold while you weed out the false
>>>> positives is a method that I advocate in my documentation.
>>>> 
>>>> Making sure that you do not base your tuning efforts on attack traffic
>>>> is an obvious problem. There are multiple approaches to this, and none
>>>> of them is hard science. I usually try to start off with tuning based on
>>>> known IP ranges.
>>>> 
>>>> This is all discussed in great detail in the series of ModSecurity
>>>> tutorials at https://www.netnea.com/cms/apache-tutorials/
>>>> 
>>>> Besides, I am also running two public ModSec courses in October.
>>>> 
>>>> Good luck!
>>>> 
>>>> Christian
>>>> 
>>>> 
>>>> On Mon, Aug 14, 2017 at 03:29:39PM +0300, Georgi Georgiev wrote:
>>>>> Hello,
>>>>> I am deploying ModSecurity with nginx in a shared hosting environment and 
>>>>> most of the websites are WordPress, Joomla and Drupal. I don't want to 
>>>>> rewrite all the OWASP rules to minimize the false positives. Also, I 
>>>>> searched for a WordPress- or Joomla-specific ruleset but couldn't find 
>>>>> such a thing (it would be very resource-intensive to research every WordPress 
>>>>> and Joomla hack, even the most famous ones, and to write rules about them, 
>>>>> and also to read how to write rules :)). Even if I initially put ModSecurity 
>>>>> in a mode that does not block, only logs, it would be very 
>>>>> hard to see whether something is a false positive or whether it comes from 
>>>>> evil sources.
>>>>> 
>>>>> I read that the right practice is to change the anomaly score, but I 
>>>>> didn't understand it at all.
>>>>> 
>>>>> So, I would like to ask you how you deal with this? I know that false 
>>>>> positives will be there all the time, but how do you minimize them? Write 
>>>>> your own ruleset? Is there any paid ruleset that you can recommend (I 
>>>>> think that I found only one paid one, and many people complain about it)? 
>>>>> I just want you to explain to me the process you follow with the rules :)
>>>>> 
>>>>> Thank you in advance!
>>>> 
>>>> -- 
>>>> https://www.feistyduck.com/books/modsecurity-handbook/
>>>> mailto:christian.fol...@netnea.com
>>>> twitter: @ChrFolini
>>> 
>> 
>> -- 
>> ModSecurity courses Oct 2017 in London and Zurich
>> https://www.feistyduck.com/training/modsecurity-training-course
>> https://www.feistyduck.com/books/modsecurity-handbook/
>> mailto:christian.fol...@netnea.com
>> twitter: @ChrFolini
> 

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
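The questions in this thread (per-rule tx scores, the inbound threshold of 5 versus 40, and what a higher paranoia level switches on) come down to how CRS 3 anomaly scoring adds up. The following Python model is an added illustration for the reader, not ModSecurity or CRS code: rule ids 1000-1002, their patterns and the sample requests are constructed for the demo and are not real CRS rules, and the model assumes a rule's setvar fires once per matching argument. It shows why a single CRITICAL hit (5 points) blocks at the default threshold of 5 but cannot reach 40 on its own, how a PL2 rule adds score to harmless text such as "isn't", and how excluding that rule removes the false positive without touching the threshold.

```python
"""Toy model of OWASP CRS 3 anomaly scoring (added illustration, not CRS code).

It mimics three things discussed above: rules that add a severity-based score
instead of blocking on their own, the inbound threshold that the blocking rule
compares the total against, and paranoia levels that switch stricter (more
false-positive-prone) rules on. Rule ids, patterns and sample requests are
constructed for the demo and are not real CRS rules.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# CRS 3 default severity scores (tx.critical_anomaly_score and friends).
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass
class Rule:
    rule_id: int          # constructed id, not a CRS id
    paranoia_level: int   # the rule only runs at this PL or higher
    severity: str         # key into SEVERITY_SCORES
    pattern: re.Pattern   # stands in for the rule's @rx operator
    category: str


@dataclass
class Verdict:
    inbound_score: int
    matched: List[Tuple[int, str]] = field(default_factory=list)
    blocked: bool = False


# Constructed rules: PL1 catches clear-cut attacks, PL2 adds a "suspicious
# character" rule that plain English text such as "isn't" also trips.
RULES = [
    Rule(1000, 1, "CRITICAL", re.compile(r"<script", re.I), "xss"),
    Rule(1001, 1, "CRITICAL", re.compile(r"union\s+select", re.I), "sql_injection"),
    Rule(1002, 2, "WARNING", re.compile(r"'"), "sql_injection"),
]


def run_crs(args: Dict[str, str], rules: List[Rule] = RULES, paranoia_level: int = 1,
            threshold: int = 5, excluded_ids: FrozenSet[int] = frozenset()) -> Verdict:
    """Score one request's arguments the way CRS 3 anomaly mode does."""
    verdict = Verdict(0)
    for rule in rules:
        if rule.paranoia_level > paranoia_level:
            continue  # stricter rules stay off until the PL is raised
        if rule.rule_id in excluded_ids:
            continue  # SecRuleRemoveById-style exclusion for a known false positive
        for name, value in args.items():
            if rule.pattern.search(value):
                # Model assumption: the rule's setvar runs once per matching
                # argument, so one rule can add its score more than once.
                verdict.inbound_score += SEVERITY_SCORES[rule.severity]
                verdict.matched.append((rule.rule_id, name))
    # The blocking rule: total >= inbound threshold means deny, else pass.
    verdict.blocked = verdict.inbound_score >= threshold
    return verdict


def critical_hits_needed(threshold: int) -> int:
    """How many CRITICAL rule hits it takes to reach a given threshold."""
    return -(-threshold // SEVERITY_SCORES["CRITICAL"])


# Constructed sample requests (argument name -> value).
SQLI_REQUEST = {"id": "1' UNION SELECT user,pass FROM users--"}
XSS_REQUEST = {"name": "<script>alert(1)</script>"}
BENIGN_REQUEST = {"comment": "It's a nice post, isn't it?"}

if __name__ == "__main__":
    samples = (("sqli", SQLI_REQUEST), ("xss", XSS_REQUEST), ("benign", BENIGN_REQUEST))
    for label, req in samples:
        for pl in (1, 2):
            for thr in (5, 40):
                v = run_crs(req, paranoia_level=pl, threshold=thr)
                print(f"{label:6} PL{pl} threshold={thr:2}: score={v.inbound_score:2} "
                      f"blocked={v.blocked} matched={v.matched}")
    print("CRITICAL hits needed to reach 40:", critical_hits_needed(40))
    print("benign at PL2 with 1002 excluded:",
          run_crs(BENIGN_REQUEST, paranoia_level=2, excluded_ids=frozenset({1002})))
```

Run it and compare the rows: the SQLi request scores 5 at PL1 and is blocked at threshold 5 but not at 40, the benign comment scores 0 at PL1 and 3 at PL2, and excluding the PL2 rule for that parameter brings it back to 0. Raising the threshold to 40 while tuning hides the false positives but also lets every single-rule attack through, which is why the threshold is lowered again once the exclusions are in place.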
