[Owasp-modsecurity-core-rule-set] Handling mod security as a firewall for all kind of web sites

Leos Rivas Manuel Manuel.LeosRivas at gemalto.com
Wed Mar 2 06:52:53 UTC 2016


I would recommend to:
- use separate logs per website,
- group them by type and create a configuration file for it,
- use includes with all common rules to disable and include it in the website conf, so you can change one file and impact the whole group,
- have a superset of conf rules at server context level for all rule adjustments that apply to every website,
- apply CRS on a vhost basis,
- start with a relaxed policy and work the conf to be more strict as you get to know your traffic better.


Sent from my Galaxy S5 4G+ Orange

-------- Original message --------
From: Chaim Sanders <CSanders at trustwave.com>
Date: 02/03/2016 02:36 (GMT+01:00)
To: Avi Fatal <avi.fatal at gmail.com>, owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Handling mod security as a firewall for all kind of web sites

In general, some of these problems may be due to very general issues present across a number of specific platforms. In general, observing common vulnerabilities across a few of these should allow you to identify rules that are prone to false positives (which is the whole reasoning behind the paranoid mode). Hopefully, when this project is finished, it will provide a bit of relief. But for the meantime I recommend identifying the common false positives and possibly relaxing them or turning those rules off even.

From: <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org> on behalf of Avi Fatal <avi.fatal at gmail.com>
Date: Tuesday, March 1, 2016 at 2:06 PM
To: "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Handling mod security as a firewall for all kind of web sites

We are 200 of websites / webapps for our clients.
From WordPress to .NET apps, Java and more.

We want to provide a united WAF solution for all of them.
Going to the cloud will be very expensive.

I have built for this an Apache proxy with mod security and OWASP rules. The mod security is not blocking, just logging.
I took 10 websites and passed the traffic via this proxy.
After 5 minutes I opened the log and saw 150 different types of security issues.

It's more of a conceptual question...
How can I manage a solution for 200 webapps? Does it make sense?
I can understand controlling five websites, but 200? It sounds like 24 hours we need to go over rules and suspend them on every use case....

I'll be glad to hear from people who have experience with that.
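
The replies above suggest identifying common false positives and keeping rule adjustments at three levels (server-wide, per group of similar sites, per site). The following is an added example, not code from the thread or from the CRS project: it tallies ModSecurity alerts from a detection-only log by rule id and hostname and suggests the level at which each rule should be reviewed. The log lines, hostnames, rule ids and the site-to-group mapping are constructed for illustration, and the scoping thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed, abbreviated lines in the ModSecurity 2.x Apache error-log style.
# Hostnames, client IPs and rule ids are sample values, not data from the thread.
SAMPLE_LOG = """\
[error] [client 203.0.113.5] ModSecurity: Warning. [id "960015"] [hostname "blog1.example"] [uri "/"]
[error] [client 203.0.113.9] ModSecurity: Warning. [id "960015"] [hostname "shop.example"] [uri "/cart"]
[error] [client 203.0.113.7] ModSecurity: Warning. [id "960015"] [hostname "api.example"] [uri "/v1/ping"]
[error] [client 203.0.113.5] ModSecurity: Warning. [id "981173"] [hostname "blog1.example"] [uri "/wp-admin/post.php"]
[error] [client 203.0.113.8] ModSecurity: Warning. [id "981173"] [hostname "blog2.example"] [uri "/wp-admin/post.php"]
[error] [client 203.0.113.9] ModSecurity: Warning. [id "950901"] [hostname "shop.example"] [uri "/search"]
[error] [client 203.0.113.5] ModSecurity: Warning. [id "960024"] [hostname "blog1.example"] [uri "/?s=a"]
[error] [client 203.0.113.7] ModSecurity: Warning. [id "960024"] [hostname "api.example"] [uri "/v1/q"]
[error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
"""

# Hypothetical site-to-platform grouping (the "group them by type" step).
SITE_GROUP = {"blog1.example": "wordpress", "blog2.example": "wordpress",
              "shop.example": "dotnet", "api.example": "java"}

ID_RE = re.compile(r'\[id "(\d+)"\]')
HOST_RE = re.compile(r'\[hostname "([^"]+)"\]')

def hosts_per_rule(log_text):
    """Return {rule id: set of hostnames on which that rule logged}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rid, host = ID_RE.search(line), HOST_RE.search(line)
        if "ModSecurity:" in line and rid and host:
            seen[rid.group(1)].add(host.group(1))
    return dict(seen)

def tuning_scope(log_text, site_group):
    """Suggest the config level at which each rule should be reviewed."""
    all_groups = set(site_group.values())
    scope = {}
    for rid, hosts in hosts_per_rule(log_text).items():
        groups = {site_group.get(h, "ungrouped") for h in hosts}
        if groups >= all_groups:
            scope[rid] = "server"                  # seen in every platform group
        elif len(hosts) == 1:
            scope[rid] = "site:" + min(hosts)      # one site only
        elif len(groups) == 1:
            scope[rid] = "group:" + min(groups)    # several sites, one platform
        else:
            scope[rid] = "review"                  # mixed spread: decide by hand
    return scope

if __name__ == "__main__":
    for rid, where in sorted(tuning_scope(SAMPLE_LOG, SITE_GROUP).items()):
        print(rid, where)
```

The output only says where to look; whether an alert is a false positive still has to be judged from the matched request before a rule is relaxed or turned off at that level.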


