Re: [Owasp-modsecurity-core-rule-set] Run core rule set on just one page / parameter

2017-08-15 Thread Christian Folini
Hey Kirk,
Thank you for your fully documented recipe. Glad it works. This is almost ready for a complete blogpost on the subject:
- Step 1: Running rules only on certain parameters
- Step 2: Running rules only on certain parameters on certain paths
Interested to write that?
Ahoj, Christian

Re: [Owasp-modsecurity-core-rule-set] Run core rule set on just one page / parameter

2017-08-15 Thread Kirk Jackson
Thanks Christian, I appreciate your help!
On Wed, Aug 16, 2017 at 12:46 AM, Christian Folini < christian.fol...@netnea.com> wrote:
> Do you have a paper copy of the book? If not, then please give me your address and I will have a copy sent your way. Ironically, it will come with the bug,

Re: [Owasp-modsecurity-core-rule-set] Run core rule set on just one page / parameter

2017-08-15 Thread Christian Folini
Kirk, This is a tricky one. Actually your recipe should work. But then it does not. I dug a bit deeper and found out an issue. SecRuleUpdateTargetByID 942000-942999 "ARGS:SearchTerm" adds the arg SearchTerm to all rules including steering commando rules used for Paranoia Levels. And this seems

Re: [Owasp-modsecurity-core-rule-set] What is the right process of dealing with the false positives

2017-08-15 Thread Christian Folini
Hey, hey,
On Tue, Aug 15, 2017 at 10:31:34AM +0300, Georgi Georgiev wrote:
> Thank you about your reply. I know about the exclusion, but I don’t think this is the perfect solution, because if I exclude all the false positive rules there will be 2-3 maybe working rules at all :)
That is not

Re: [Owasp-modsecurity-core-rule-set] Run core rule set on just one page / parameter

2017-08-15 Thread Kirk Jackson
Great! Thanks Christian! I did try and figure out what was going on with the higher debug log levels, but didn't realise that was what was happening. I think by "steering commando rules" you mean the rules that check which paranoia level is set, and then jump to the marker at the end of the

Re: [Owasp-modsecurity-core-rule-set] What is the right process of dealing with the false positives

2017-08-15 Thread Georgi Georgiev
Thank you for your reply. I know about the exclusion, but I don’t think this is the perfect solution, because if I exclude all the false positive rules there will be 2-3 maybe working rules at all :) Maybe they should be tuned? What is going on when the anomaly score is higher - this I

Re: [Owasp-modsecurity-core-rule-set] What is the right process of dealing with the false positives

2017-08-15 Thread Georgi Georgiev
Thank you for your reply again, it was useful. First of all I would like to apologize for the stupid for you questions. Currently I see that I have the following in the config which means from what I read that I am not in anomaly mode, but in traditional: SecDefaultAction "log,deny,phase:1"

Re: [Owasp-modsecurity-core-rule-set] Run core rule set on just one page / parameter

2017-08-15 Thread Christian Folini
Hey Kirk,
Thank you for trying this out so quickly. This is very helpful.
On Tue, Aug 15, 2017 at 09:12:37PM +1200, Kirk Jackson wrote:
> I think by "steering commando rules" you mean the rules that check which paranoia level is set, and then jump to the marker at the end of the file?

Re: [Owasp-modsecurity-core-rule-set] What is the right process of dealing with the false positives

2017-08-15 Thread Christian Folini
Georgi,
Yes, this is all correct. Glad to help (just not always with enough time at my hands...)
Cheers, Christian
On Tue, Aug 15, 2017 at 03:42:08PM +0300, Georgi Georgiev wrote:
> Thank you for your reply again, it was useful. First of all I would like to apologize for the stupid for