Hey Georgi,

On Thu, Aug 17, 2017 at 07:27:49PM +0300, Georgi Georgiev wrote:
> 1. Is paranoia level 1 really less false positive for a shared hosting
> environment and at the same time enough for protection?

That depends on your assessment of your data, its value and the threat
model. I think PL1 is the base level of security, PL2 is security for data
with some value, PL3 is online banking, PL4 is nuclear power plant. Just as
a rough guidance. ;)

> Does it protect from sql injection and xss as I read that they are
> included in paranoia level 2?

Yes, the biggest part of the SQLi protection is the use of the libinjection
library that is included in PL1.

> What is the best practice - initially start with paranoia level 1, tune it
> and then switch to 2?

That is a very good question. In fact, if you aim to run in PL2, it is far
easier to start in PL2 immediately and then tune down. The problem is that
if you run in PL1 and have tuned the service to a hard blocking setting,
enabling PL2 will bring you new rules, new false positives and legitimate
users being blocked.

> 2. What is your anomaly inbound score set? Have you changed it to
> something other than 5 or have you left it at 5 and changed the score of
> the rules?

For a productive system it should be 5. After the tuning.

> 3. I am not sure how to tune the tx.score for every rule in the OWASP as
> they are with variables such as follow:
> SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
>     "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
>     setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
> Are these the correct default scores for the specific rulesets and attacks
> that I should tune?

Don't touch the rules. You only want to change the anomaly score limit in
the crs-setup.conf file - and then create your rule exclusions as documented
in the tutorials.

> 4. Should I adjust the percentage of requests that are funnelled into the
> Core Rules below 100 as it's recommended on some pages? Does this affect
> the false positives or only the performance?

This is a feature that is only useful when gauging the performance impact of
ModSec / CRS. You definitely need to have this at 100 or an attacker can
submit an exploit n times and eventually he will bypass the rule set based
on your sampling rate being below 100%.

Ahoj,

Christian

--
History teaches us that men and nations behave wisely once they have
exhausted all other alternatives.
-- Abba Eban

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
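The four points in the reply above map onto a handful of settings in a CRS 3.x deployment. The following is an added example written for this thread, not configuration from the original post or shipped by the CRS project: it shows the crs-setup.conf rules that control the paranoia level, the inbound anomaly threshold and the sampling percentage, plus one rule exclusion of the kind the reply refers to ("create your rule exclusions ... don't touch the rules"). The rule IDs 900000, 900110 and 900400 are the CRS 3.x setup rules; the exclusion rule ID 10001, the path /comments/ and the parameter name `comment` are assumptions made up for the example, and rule 942100 is the libinjection SQLi rule mentioned in the reply.

```apache
# --- crs-setup.conf (CRS 3.x) -------------------------------------------
# Point 1/3: choose the paranoia level up front. Starting in PL2 and tuning
# down is easier than tuning PL1 to hard blocking and then raising it.
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=2"

# Point 2: leave the inbound threshold at 5 for production. Tune by
# excluding rules that false-positive, not by editing per-rule scores.
SecAction \
  "id:900110,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.outbound_anomaly_score_threshold=4"

# Point 4: sampling below 100 lets every request through the CRS with only
# probability p/100, so an attacker who retries n times is evaluated by the
# rules on all n attempts only with probability (p/100)^n. Keep it at 100.
SecAction \
  "id:900400,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.sampling_percentage=100"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf --------------------------
# Point 3: a rule exclusion instead of touching the rules. ASSUMPTION: a
# hypothetical comment form at /comments/ whose free-text field "comment"
# triggers the libinjection SQLi rule 942100 on legitimate input. Remove
# only that one target from that one rule, for that one path; every other
# parameter and every other rule keeps its full score.
SecRule REQUEST_URI "@beginsWith /comments/" \
  "id:10001,\
   phase:1,\
   pass,\
   nolog,\
   t:none,\
   ctl:ruleRemoveTargetById=942100;ARGS:comment"
```

The exclusion is the narrow form: a single rule ID, a single argument, a single URI prefix. Use `ctl:ruleRemoveById=942100` only if the whole rule, not just one parameter, has to go for that path, and check the audit log for the `id` and `matched_var_name` of the false positive before writing either, so that the exclusion does not silently disable SQLi detection on parameters that never caused a problem.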