[Owasp-modsecurity-core-rule-set] CRS 2.0.4 feedback

Ivan Ristic ivan.ristic at gmail.com
Mon Jan 11 17:50:12 EST 2010


On Mon, Jan 11, 2010 at 10:14 PM, Ryan Barnett <ryan.barnett at breach.com> wrote:
> On Monday 11 January 2010 04:44:10 pm Ivan Ristic wrote:
>> I investigated a couple of CRS false positives today, and I have the
>> following feedback for the group:
>>
>> - CRS generates a great many messages, and it's very difficult to figure
>> out what is relevant and what isn't.
>>
> They are all relevant.

They may be, but my point is that I don't understand what purpose they
serve. Evaluating a false positive takes ages.

For example, your alert-substitute rules put messages into the data
fragment, which is the wrong place. It breaks the GUI tools (we don't
have many of them, but still).

>
>> The emulation of messages is a poor
>> substitute for the original messages and does not contain the original
>> information.
> It can include as much as you need.  See the phpids examples.

I am sorry, which phpids examples do you mean?


>> - The use of non-numerical rule IDs, which is against the
>> specification, makes exceptions impossible. I've reported this problem
>> as:
>>
>>   https://www.modsecurity.org/tracker/browse/MODSEC-114
>>   https://www.modsecurity.org/tracker/browse/CORERULES-28
>>
> Rule IDs are used for two reasons - exceptions and for identifying which rule actually caused
> the alert.  When using them for exceptions with SecRuleRemoveById or the equivalent ctl
> action - it still works fine using non-digit rule IDs.  The only issue is if you wanted to
> remove a range of rule IDs.

Yes, that too, but that was an obvious problem. If you try to use
SecRuleRemoveById with CRS, a single removal of a non-numerical ID
will remove all rules with non-numerical IDs.


> Another point - making rule exceptions more flexible was a driver for the new CRS and using
> TX variables.  The rule ID is not as critical for exceptions.

I do not agree with that. ModSecurity already has an exception system,
which users already know how to use, but the CRS breaks it (by using
non-numerical IDs). If you want to build a better exception system, go
ahead, but I think you should at least stay compatible with what's
already there. If you insist on having your own exception system,
however, please tell us how to use it! :)


> I was waiting for your OWASP CRS project review data in order to update the sites.  Is
> this it or are you sending something different?

I sent my review a month ago:

https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2009-December/000173.html

You responded to my email, so you can't claim that you had not seen it :)


>  What do you say we take this offline and
> come up with a gameplan?

That's a good try, but enjoy being just a user :)

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
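
The following configuration fragment is an added illustration and not part of the thread above; it shows the ModSecurity exception mechanism the two posters are arguing about (SecRuleRemoveById and the equivalent ctl action), which keys on numeric rule IDs. The rule IDs, the URI, and the detection pattern are constructed for the example and are not CRS rules.

```apache
# Added example (not from the thread): ModSecurity 2.x exceptions keyed on
# numeric rule IDs. All IDs, the URI and the pattern below are constructed.

# A detection rule with a numeric id, as the directive specification requires.
# It must be defined before any directive that removes it.
SecRule ARGS "@rx (?i:select\s+.*\s+from)" \
    "phase:2,deny,log,id:900101,msg:'constructed SQL keyword check'"

# Site-wide exception: drop that one rule by id.
SecRuleRemoveById 900101

# Range removal: the form the thread notes cannot work for non-numeric ids,
# since a range is only meaningful between two integers.
SecRuleRemoveById 900100-900199

# Scoped exception: disable the rule only for one URI. Evaluated in phase 1
# so the ctl action has taken effect before the phase 2 rule would run.
SecRule REQUEST_URI "@beginsWith /reports/export" \
    "phase:1,pass,nolog,id:900001,ctl:ruleRemoveById=900101"
```

When checking whether an exception has actually applied, keep the removal directives after the rule set they target and confirm in the audit or debug log that the rule id no longer appears for the matching request; an exception that is loaded before the rule it names silently removes nothing.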

