[Owasp-modsecurity-core-rule-set] Help with Core Rule Set
ryan.barnett at breach.com
Mon Aug 3 10:24:23 EDT 2009
On Monday 03 August 2009 12:03:06 am Josue Del Valle wrote:
> I am new to mod_security and new to Apache. I've been asked by my employer
> to configure and secure an Apache server that will run on Windows. I've
> been reading about the Core Rules and understand that initially they should
> be set to DetectOnly mode and that I should check my logs for false
> positives before turning them on. What I am not sure is what I will be
> looking for in the logs. The type of attacks or false positives blocks,
> How can I identify false positives? For how long should I run it on
> DetectOnly mode? Bottom line, I will really appreciate if someone can
> point me in the right direction. Thanks in advance for your help.
Welcome to ModSecurity! As far as the SecRuleEngine goes
apache/2.5.9/modsecurity2-apache-reference.html#N10A4F) in the older version
of the Core Rule Set (CRS) we certainly did recommend that this be set to
DetectionOnly. The rationale for this was so that you would not mistakenly
block any legitimate transactions before you had a chance to tune the rules a
bit for your environment. In the current CRS v2.0.0, we have changed how the
rules work. The SecRuleEngine is set to On (to allow blocking) however the
rules all use the "block" action which reference the SecDefaultAction setting
(which is set to pass).
Specifically, the rules are now running in a "collaborative" mode and use an
anomaly scoring system. Each rule, if it triggers, will increase a
transactional anomaly score. At the end of phase:2 (the last chance to block
the inbound request), you can set an appropriate anomaly score for your site.
This lessens the likelihood of false positives. Basically, I would suggest
that you review/update the modsecurity_crs_49_enforcement.conf file and make
sure that the anomaly scoring level is set to around 20 and that there is no
blocking action. This will allow your rules to generate alerts but not block.
As for the false positives, I would suggest that you review the Data Format
apache/2.5.9/modsecurity2-data-formats.html) so that you understand what data
is presented. The alert data will tell you what rule matched, where in the
transaction the match occurred and what data matched. You can then review the
full audit log data of the transaction to confirm if the match was correct or
By the way - the OWASP CRS project site needs to have better information to
address your questions. We will update it soon.
Hope this info helps.
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
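The reply above describes two things a new CRS user has to work through: the v2.0 collaborative anomaly scoring (each matching rule adds to a per-transaction score, and a phase:2 rule in modsecurity_crs_49_enforcement.conf compares that score with a threshold) and the alert format (which rule matched, where in the transaction, and what data matched). The script below is an added example, not code from the list post or from the CRS project: it parses ModSecurity 2.x alert lines from the Apache error log, replays the scoring to show what a given threshold would have blocked, and lists rules that fire on the same URI and parameter from several different clients, which is where false-positive review usually starts. The log lines, clients, URIs, unique_ids, rule ids and messages are constructed sample data, and the severity-to-score weights are an assumption to be checked against your own modsecurity_crs_10_config.conf.

```python
"""Triage helper for ModSecurity 2.x error-log alerts (added example, not CRS code)."""
import re
from collections import defaultdict

# Constructed sample alerts in the Apache error-log format ModSecurity 2.x emits.
# Clients, hosts, URIs, unique_ids, rule ids and messages are made up for this example.
SAMPLE_ERROR_LOG = r'''
[Mon Aug 03 10:24:23 2009] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:\\bunion\\b.{1,100}?\\bselect\\b)" at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.test"] [uri "/search"] [unique_id "TX-0001"]
[Mon Aug 03 10:24:23 2009] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:\\bsleep\\s*\\()" at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "102"] [id "950007"] [msg "Blind SQL Injection Attack"] [data "sleep("] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.test"] [uri "/search"] [unique_id "TX-0001"]
[Mon Aug 03 10:31:07 2009] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?:[^\\w\\s]){4,}" at ARGS:comment. [file "modsecurity_crs_40_generic_attacks.conf"] [line "31"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "!!??"] [severity "WARNING"] [tag "ANOMALY/REPETATIVE_NON_WORD"] [hostname "www.example.test"] [uri "/contact"] [unique_id "TX-0002"]
[Mon Aug 03 10:35:52 2009] [error] [client 203.0.113.44] ModSecurity: Warning. Pattern match "(?:[^\\w\\s]){4,}" at ARGS:comment. [file "modsecurity_crs_40_generic_attacks.conf"] [line "31"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ":-))"] [severity "WARNING"] [tag "ANOMALY/REPETATIVE_NON_WORD"] [hostname "www.example.test"] [uri "/contact"] [unique_id "TX-0003"]
'''

# [key "value"] pairs that follow the operator message; "tag" may repeat.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Client address, engine action, operator message and the variable that matched.
HEAD_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>Warning|Access denied[^.]*)\. '
    r'(?P<operator>.*?) at (?P<location>\S+?)\. \[')

# Severity weights as CRS v2.0 sets them in modsecurity_crs_10_config.conf
# (assumption: verify tx.critical_anomaly_score and friends in your own copy).
DEFAULT_WEIGHTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


def parse_alerts(text):
    """Turn alert lines into dicts: who sent it, which rule, where it matched, what matched."""
    alerts = []
    for line in text.splitlines():
        head = HEAD_RE.search(line)
        if not head:
            continue  # not a ModSecurity alert line
        alert = {"tags": []}
        alert.update(head.groupdict())
        for key, value in FIELD_RE.findall(line):
            if key == "tag":
                alert["tags"].append(value)
            else:
                alert[key] = value
        alerts.append(alert)
    return alerts


def score_transactions(alerts, threshold=20, weights=DEFAULT_WEIGHTS):
    """Replay the collaborative scoring: add each alert's weight to its transaction
    (keyed by unique_id) and compare with the phase:2 threshold. While tuning, a
    threshold no transaction reaches means alerts are logged but nothing is blocked."""
    per_tx = defaultdict(lambda: {"score": 0, "rules": [], "uri": None, "client": None})
    for a in alerts:
        tx = per_tx[a["unique_id"]]
        tx["score"] += weights.get(a.get("severity", ""), 0)
        tx["rules"].append(a["id"])
        tx["uri"], tx["client"] = a.get("uri"), a["client"]
    for tx in per_tx.values():
        tx["would_block"] = tx["score"] >= threshold
    return dict(per_tx)


def false_positive_candidates(alerts, min_clients=2):
    """A rule that fires on the same parameter of the same URI from several distinct
    clients is the first thing to pull the full audit log for: ordinary users tend to
    trip the same generic check on the same form field."""
    clients = defaultdict(set)
    for a in alerts:
        clients[(a["id"], a.get("uri"), a["location"])].add(a["client"])
    rows = [key + (len(c),) for key, c in clients.items() if len(c) >= min_clients]
    return sorted(rows, key=lambda row: -row[3])


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ERROR_LOG)
    for uid, tx in score_transactions(found).items():
        print(uid, tx["client"], tx["uri"], "score", tx["score"], "block" if tx["would_block"] else "pass")
    for rule_id, uri, location, n in false_positive_candidates(found):
        print("review:", rule_id, "on", uri, location, "from", n, "clients")
```

Run it against a real error log by replacing SAMPLE_ERROR_LOG with the file contents; the per-transaction scores show how far below the threshold legitimate traffic stays, and the candidate list tells you which unique_ids to look up in the audit log before deciding whether to lower the score or exclude the rule for that parameter.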