[Owasp-modsecurity-core-rule-set] (2.0.7) missing modsecurity_crs_49_enforcement.conf
Achim Hoffmann
webappsec at securenet.de
Thu Jul 8 08:50:29 EDT 2010
Hi Ryan,
thanks for your feedback.
Some more comments please see inline below.
Achim
On Thu, 8 Jul 2010, Ryan Barnett wrote:
!! http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Documentat
!! ion
!! The CRS rules themselves are configured with the pass action, which allows all the rules to be
!! processed and for the proposed anomaly scoring/collaborative detection concept to work. The
!! inbound/outbound anomaly score levels may be set in the modsecurity_crs_10_config.conf file.
!! These scores will be evaluated in the modsecurity_crs_49_inbound_blocking.conf and
!! modsecurity_crs_59_outbound_blocking.conf files.
I fully understand the concept how the CRS will behave (at least I guess to do
so :)
!!
!! We got feedback that the name modsecurity_crs_49_enforcement.conf was not intuitive enough for
!! people to know what the purpose of the file was so we updated the name to
!! modsecurity_crs_49_inbound_blocking.conf. We also added the
!! modsecurity_crs_59_outbound_blocking.conf file to allow for proper blocking at the end of
!! phase:4 rules.
My question -better: wondering- was that the enforcment file is missing
*and* the 2 new files do not contain the rules from the older enforcment file.
Said this, I agree that the scoring should be evaluated at the end in a
single (or two) file.
In practice this adjustment is highly user-definable like the scoring itself
and should be done in a file which will not be overwritten by future updates
of the CRS itself. Hence I'd suggest that these rules are written in a new
file *not located* in the base_rules/ directory.
Does this make sense?
IMHO modsecurity_crs_49_inbound_blocking.conf and
modsecurity_crs_59_outbound_blocking.conf should not block, but may be used as
example.
!!
!! -Ryan
!!
!!
!! On Thu, Jul 8, 2010 at 3:39 AM, Achim Hoffmann <webappsec at securenet.de> wrote:
!!
!! is there any reason why modsecurity_crs_49_enforcement.conf is missing
!! in CRS 2.0.7?
!!
!! Please apologice if I missed some previous posts about that.
!!
!! Achim
!!
!! _______________________________________________
!! Owasp-modsecurity-core-rule-set mailing list
!! Owasp-modsecurity-core-rule-set at lists.owasp.org
!! https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
!!
!!
!!
!!
!! --
!! Ryan C. Barnett
!! SANS Certified Instructor
!! WASC Web Hacking Incident Database Project Leader
!! WASC Distributed Open Proxy Honeypot Project Leader
!! OWASP ModSecurity Core Rule Set Project Leader
!! http://tacticalwebappsec.blogspot.com/
!!
!!
!!
More information about the Owasp-modsecurity-core-rule-set
mailing list