[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently

Walter Hop modsec at spam.lifeforms.nl
Sat Jan 30 16:13:06 UTC 2016

Hi Christian,

Last week I have taken a look at CRS v3 for the first time. I like the improved organization. I have also been looking at my audit logs and trying to sort out various categories of false positives and relate it to their 'fate' in CRS v3. To make the problem somewhat tractable I've focused on the rules that give me really a lot of FP. As I understand it, we have a few major categories of rules to consider, so I've sorted my FP into the following.

1) Rules which are currently gone in v3.0.0-rc1 and are not so interesting to bring back in paranoid mode due to high FP and low perceived utility. I have added my remarks about FP occurence in this table: https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode#Base_rules

2) Rules which are currently included in v3.0.0-rc1 branch (normal mode), but might be candidates to move from normal to paranoid mode if their FP rate does not justify their benefits. This possibly decreases security for normal users, so the bar should be rather high. I’ve added only three candidates that you and Franziska didn’t have already. I have added my remarks about these rules in this table: https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode#Paranoia_Mode_Candidates

3) Rules from subdirectories in v2 which are no longer in v3.0.0-rc1, but we want to bring them back in paranoid mode because we think they do have worth. Bringing these rules back does not affect security for normal mode users. (experimental_rules, optional_rules, slr_rules)

I have looked at these, but I would recommend that more people look at them too. Most of them are uninteresting to me, so it's fine that they are removed. The slr_rules look quite outdated in particular. It's worth looking through experimental_rules and optional_rules though. I have added some possible candidates for us here, although I have no experience with them in production, so maybe Chaim can chime in if there are strong reasons for keeping them removed: https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode#Optional.2C_experimental.2C_slr_rules

Finally, I noticed that some candidates might be considered paranoid but are currently already in the normal mode at notice_anomaly_score level (for example, User-Agent, Accept, Host header existence checks). These rules do not block in isolation, so we should keep in mind that the possible negative impact of FP on them is limited. Maybe it would be a useful task to add the scoring level as a column in the wiki.

In fact, we might even consider that any paranoid rules are possibly worth keeping in the 'normal mode' as lower-scoring rules - and just have paranoid mode bump up their score level, e.g. from 2 to 5. After all, if a normal user would consider the occurrence of 3 harmless protocol violations as a valid blocking heuristic, why not the occurrence of 3 paranoid rules? This last situation might be probably more predictive of an attack.


Walter Hop | PGP key: https://lifeforms.nl/pgp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20160130/1fe90dab/attachment.html>

More information about the Owasp-modsecurity-core-rule-set mailing list