[Owasp-modsecurity-core-rule-set] Help with Cole Rule Set

Ryan Barnett ryan.barnett at breach.com
Mon Aug 3 10:24:23 EDT 2009

On Monday 03 August 2009 12:03:06 am Josue Del Valle wrote:
> Hi,
> I am new to mod_security and new to Apache.  I've been asked by my employer
> to configure and secure an Apache server that will run on Windows.  I've
> been reading about the Core Rules and understand that initially they should
> be set to DetectOnly mode and that I should check my logs for false
> positives before turning them on.  What I am not sure is what I will be
> looking for in the logs.  The type of attacks or false positives blocks,  
> How can I identify false positives?  For how long should I run it on
> DetectOnly mode?  Bottom line, I will really appreciate if someone can
> point me in the right direction.  Thanks in advance for your help.

Welcome to ModSecurity!  As far as the SecRuleEngine goes 
apache/2.5.9/modsecurity2-apache-reference.html#N10A4F) in the older version 
of the Core Rule Set (CRS) we certainly did recommend that this be set to 
DetectionOnly.  The rationale for this was so that you would not mistakenly 
block any legitimate transactions before you had a chance to tune the rules a 
bit for your environment.  In the current CRS v2.0.0, we have changed how the 
rules work.  The SecRuleEngine is set to On (to allow blocking) however the 
rules all use the "block" action which reference the SecDefaultAction setting 
(which is set to pass).  

Specifically, the rules are now running in a "collaborative" mode and use an 
anomaly scoring system.  Each rule, if it triggers, will increase a 
transactional anomaly score.  At the end of phase:2 (the last chance to block 
the inbound request), you can set an appropriate anomaly score for your site.  
This lessens the likelihood of false positives.  Basically, I would suggest 
that you review/update the modsecurity_crs_49_enforcement.conf file and make 
sure that the anomaly scoring level is set to around 20 and that there is no 
blocking action.  This will allow your rules to generate alerts but not block.

As for the false positives,  I would suggest that you review the Data Format 
documentation (http://www.modsecurity.org/documentation/modsecurity-
apache/2.5.9/modsecurity2-data-formats.html) so that you understand what data 
is presented.  The alert data will tell you what rule matched, where in the 
transaction the match occurred and what data matched.  You can then review the 
full audit log data of the transaction to confirm if the match was correct or 

By the way - the OWASP CRS project site needs to have better information to 
address your questions.  We will update it soon.

Hope this info helps.

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090803/df150560/attachment.html 

More information about the Owasp-modsecurity-core-rule-set mailing list