[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently
christian.folini at netnea.com
Mon Jan 18 12:06:27 UTC 2016
On Mon, Jan 18, 2016 at 10:29:42AM +0100, theMiddle wrote:
> nice post! I completely agree about these following rules:
Thank you for the thumbs up. It's always nice to hear when
people agree with a point in a post.
> My users often disable these two rules. I think that a false
> positive occurs each time these rules match a sequence of the same
> char in the URL. For example /mypost/title-of-my-new-blogpost or
In fact it is the total number of occurrences of any combination
of special characters. Which is in fact a great indicator of
any type of evil intent. But it comes with a lot of false
> Probably this shouldn't happen with a rule that matches a sequence of
> different chars in the URL (/foo/bar-john at doe(bla)).
Actually, uuids in cookies
i.e. b079d69c-bddb-11e5-822b-9f71f5c3a1fe will really get your
In war you will generally find that the enemy has at any time
three courses of action open to him. Of those three, he will
invariably choose the fourth.
-- Helmuth Von Moltke
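
The distinction drawn in the reply above, between counting the total number of special characters and matching a run of one repeated character, as an added example (not part of the original message and not CRS code). The character class and the threshold of 4 are assumptions chosen for illustration; the two sample values are the ones quoted in the thread.

```python
import re

# Assumed for illustration only: neither the character class nor the
# threshold is copied from a CRS rule.
SPECIAL_CLASS = r"[^A-Za-z0-9/ ]"
THRESHOLD = 4

SPECIAL = re.compile(SPECIAL_CLASS)
SAME_CHAR_RUN = re.compile(r"(" + SPECIAL_CLASS + r")\1*")


def total_specials(value):
    """Count every special character, wherever it appears in the value."""
    return len(SPECIAL.findall(value))


def longest_same_char_run(value):
    """Length of the longest run of one repeated special character."""
    return max((len(m.group(0)) for m in SAME_CHAR_RUN.finditer(value)), default=0)


def count_based_match(value):
    """Emulate a rule that fires on the total count of special characters."""
    return total_specials(value) >= THRESHOLD


def run_based_match(value):
    """Emulate a rule that fires only on a run of the same character."""
    return longest_same_char_run(value) >= THRESHOLD


def triage(values):
    """Return per-value counts and verdicts, useful when reviewing false positives."""
    return {
        v: {
            "total": total_specials(v),
            "longest_run": longest_same_char_run(v),
            "count_rule": count_based_match(v),
            "run_rule": run_based_match(v),
        }
        for v in values
    }


if __name__ == "__main__":
    samples = [
        "/mypost/title-of-my-new-blogpost",       # URL quoted in the thread
        "b079d69c-bddb-11e5-822b-9f71f5c3a1fe",   # UUID cookie value quoted in the thread
        "/about/contact",                         # constructed benign control
    ]
    for value, result in triage(samples).items():
        print(value, result)
```

Both thread samples contain four separated hyphens, so the count-based check matches them while a same-character-run check would not.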