[Owasp-modsecurity-core-rule-set] CRS 2.0.4 feedback
ivan.ristic at gmail.com
Mon Jan 11 17:50:12 EST 2010
On Mon, Jan 11, 2010 at 10:14 PM, Ryan Barnett <ryan.barnett at breach.com> wrote:
> On Monday 11 January 2010 04:44:10 pm Ivan Ristic wrote:
>> I investigated a couple of CRS false positives today, and I have the
>> following feedback for the group:
>> - CRS generates a great many messages, and it's very difficult to figure
>> out what is relevant and what isn't.
> They are all relevant.
They may be, but my point is that I don't understand what purpose they
serve. Evaluating a false positive takes ages.
For example, your alert-substitute rules put messages into the data
fragment, which is the wrong place. It breaks the GUI tools (we don't
have many of them, but still).
>> The emulation of messages is a poor
>> substitute for the original messages and does not contain the original
> It can include as much as you need. See the phpids examples.
I am sorry, which phpids examples do you mean?
>> - The use of non-numerical rule IDs, which is against the
>> specification, makes exceptions impossible. I've reported this problem
> Rule IDs are used for two reasons - exceptions and for identifying which rule actually caused
> the alert. When using them for exceptions with SecRuleRemoveById or the equivalent ctl
> action - it still works fine using non-digit rule IDs. The only issue is if you wanted to
> remove a range of rule IDs.
Yes, that too, but that was an obvious problem. If you try to use
SecRuleRemoveById with CRS, a single removal of a non-numerical ID
will remove all rules with non-numerical IDs.
> Another point - making rule exceptions more flexible was a driver for the new CRS and using
> TX variables. The rule ID is not as critical for exceptions.
I do not agree with that. ModSecurity already has an exception system,
which users already know how to use, but the CRS breaks it (by using
non-numerical IDs). If you want to build a better exception system, go
ahead, but I think you should at least stay compatible with what's
already there. If you insist on having your own exception system,
however, please tell us how to use it! :)
> I was waiting for your OWASP CRS project review data in order to update the sites. Is
> this it or are you sending something different?
I sent my review a month ago:
You responded to my email so you can't claim that you had not seen it :)
> What do you say we take this offline and
> come up with a gameplan?
That's a good try, but enjoy being just a user :)
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
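For readers following the SecRuleRemoveById argument above, here is the ModSecurity exception mechanism the thread refers to, as an added illustration that is not part of the original mail or of the CRS. The rule itself, its numeric ID 100001 and the /legacy/ path are constructed for the example; the range form is what breaks when rule IDs are not numeric.

```apache
# Constructed example rule with a numeric ID, as the ModSecurity
# specification expects. Non-numeric IDs cannot be matched by range.
SecRule ARGS "@rx <script" \
    "id:'100001',phase:2,t:none,t:lowercase,deny,log,msg:'XSS probe (example rule)'"

# Global exception: drop this one rule everywhere. With a numeric ID this
# removes exactly one rule; the thread reports that with non-numeric IDs a
# single removal takes out every non-numeric rule.
SecRuleRemoveById 100001

# Range exception: only possible with numeric IDs.
SecRuleRemoveById 100000-100099

# Conditional exception: disable the rule only for one constructed path,
# using the ctl action the thread mentions as the equivalent of the directive.
SecRule REQUEST_URI "@beginsWith /legacy/" \
    "id:'100002',phase:1,t:none,pass,nolog,ctl:ruleRemoveById=100001"
```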