On Wed, Aug 03, 2016 at 06:58:26PM -0500, William A Rowe Jr wrote:
> > I see a lot of value in logging when not applying the strict parsing,
> > so you can passively assess your traffic for a day/week/month.
>
> That requires additional CPU, and significantly more code complexity.
> In fact, I wonder whether such 'logging-only' behavior shouldn't simply
> be a no-choice default? I also wonder if those tools or others such as
> mod_security won't already provide such an option and we can wash
> our hands of this 'extra effort'?
ModSecurity Core Rules committer here. As you know, it's all in the rules with ModSecurity, and the OWASP ModSecurity Core Rules (CRS) are the most widespread ruleset on the net. We block by default, but all the checks can run log-only. They are listed in these rule files:

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-921-PROTOCOL-ATTACK.conf

The default policy definitions:

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/modsecurity_crs_10_setup.conf.example

(Links are for the upcoming major release 3.0; RC1 will be out within days now.)

Overall, I think the rules are not overly aggressive. Apache has been liberal so far, and we try to avoid too many false positives due to crazy clients and bad implementations. Missing Accept headers, silly Range headers and numerical Host headers as frequent sources of false positives spring to mind.

Also, I think the coverage is not very systematic. Joining forces and providing systematic coverage for all aspects of RFC 2068 for CRS 3.1 would be very interesting for our project. If it would simplify the httpd code base to refer users to ModSecurity and CRS, the CRS could profit a lot from the endorsement (and the httpd-dev experience brought to our rules, resulting in a higher security level overall).

A possible issue is the fact that ModSecurity runs fairly late in the lifecycle. In fact, the default hook for the first ModSecurity rule phase was shifted backwards a few years ago. I take it an httpd implementation of protocol enforcement rules would run immediately after receiving the request line and then as the headers come in. ModSecurity would definitely run later.
However, there have been discussions to introduce additional rule phase(s) into the ModSecurity engine / module in the past, and if there is a need from the Apache project, then the development might be open in this regard (but it would certainly take quite a while to get this out the door).

Cheers,

Christian Folini

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
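As an added illustration of the log-only versus blocking distinction discussed in this thread (not code from the message above nor from the CRS rule files it links), the following ModSecurity v2 fragment expresses one protocol check of the kind mentioned, a purely numerical Host header, first engine-wide in detection mode, then as a single log-only rule, then as the same rule blocking. The rule ids and the regular expression are assumptions chosen for this example; they are not CRS ids.

```apache
# Added example, not part of the original message or of OWASP CRS.
# Rule ids 1000001/1000002 are placeholders in the local-use range.

# --- Option 1: whole engine in detection mode. Every rule, CRS included,
# logs its matches but never blocks, which is how one would "passively
# assess your traffic for a day/week/month" before switching to blocking.
# Uncomment this line (and comment out 'SecRuleEngine On') to use it.
# SecRuleEngine DetectionOnly

# --- Option 2: engine blocks, but an individual check stays log-only
# because its disruptive action is 'pass'. phase:1 is the request-headers
# phase; in ModSecurity it still runs after httpd has parsed the request,
# i.e. later than a native httpd protocol check would.
SecRuleEngine On

SecRule REQUEST_HEADERS:Host "@rx ^[0-9.]+(:[0-9]+)?$" \
    "id:1000001,\
    phase:1,\
    pass,\
    log,auditlog,\
    msg:'Host header is a bare IPv4 address (log-only variant)'"

# --- Option 3: the same check, now disruptive: reject with HTTP 400.
# Moving from Option 2 to Option 3 only changes the disruptive action,
# so the logged false-positive rate measured under Option 2 predicts
# exactly which clients this rule would start rejecting.
SecRule REQUEST_HEADERS:Host "@rx ^[0-9.]+(:[0-9]+)?$" \
    "id:1000002,\
    phase:1,\
    deny,status:400,\
    log,auditlog,\
    msg:'Host header is a bare IPv4 address (blocking variant)'"
```

In a real deployment only one of the two rules would be kept; both are shown so the log-only and blocking forms can be compared line by line.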