[Owasp-modsecurity-core-rule-set] CRS 2.0.4 feedback

Ivan Ristic ivan.ristic at gmail.com
Mon Jan 11 16:44:10 EST 2010


I investigated a couple of CRS false positives today, and I have the
following feedback for the group:

- CRS generates a great many messages, and it's very difficult to figure
out what is relevant and what isn't.

- Log suppression, used by CRS to hide the alerts initially, makes it
very difficult to understand what rules do. The crucial piece of
information (logdata) is missing. The emulation of messages is a poor
substitute for the original messages and does not contain the original
information. It also slows things down. I had to resort to running
replicas of original requests against a modified version of CRS with
nolog converted to log, in order to understand why certain rules
matched.

- The PHPIDS rules matched against some trivial stuff, for example "name=".

- The use of non-numerical rule IDs, which is against the
specification, makes exceptions impossible. I've reported this problem
as:

  https://www.modsecurity.org/tracker/browse/MODSEC-114
  https://www.modsecurity.org/tracker/browse/CORERULES-28

- Because I couldn't use exceptions, I had to comment some rules out,
but that's not easy because there is sometimes more than one rule with
the same ID. I've found that to be a tad confusing.

- Overall, it hasn't been a fun experience.

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]

