On Fri, May 6, 2011 at 7:54 AM, Ryan Barnett <[email protected]> wrote:
> Greetings everyone,

Hi Ryan.

> I am sending this note to let you know that SpiderLabs is working on a number
> of rule updates for the upcoming release of CRS v2.2.0. Some of the big
> items are:
>
> Rule Documentation
> We have a template rule description page here -
> https://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template.
> We will continue work on new description pages for each rule, however, we
> need community help with this effort. Specifically, we have sections for
> documenting False Positives/False Negatives for each rule. If you are having
> any issues with CRS rules, please sign-up for the FP Reporting mail-list -
> https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
> and send a note with the FP details.
>
> If you want to create a rule documentation page on the OWASP wiki site,
> simply copy the wiki html from the Description Template link above and then
> type in your browser the path to the new page like this -
> http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX where XXXXX
> is the Rule ID you are creating the page for. If that page doesn't exist
> yet, the OWASP wiki page will allow you to EDIT and create it. Then simply
> paste in the html from the Documentation Template page you fill in the data.
> Here is an example page -
> https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911
>
> Rule Tag Updates
> I have started to add in new rule tag actions which will help users to
> identify the current accuracy level of each rule. The purpose of this tag is
> to help the user to decide if this rule has a high FP rate or if it is a
> strong signature that they can be confident in applying blocking actions.
> The new tag has the following format -
>
> tag:'RULE_ACCURACY_LEVEL/N'
>
> Where N is a number between 1-5 with:
> 1 = Beta/Experimental rule or the rule has a high number of reported false
> positives (via the mail-list).
> 5 = Heavily tested rule with no false positives reported (via the mail-list).

I think "accuracy" is different than what you have here. Also, I'd consider a 0-9 scale - you do not need to use all numbers but it is more consistent. This is similar to what we are considering for a "maturity" meta tag on rules. Just because a rule is new does not mean it may be FP heavy. Perhaps two tags would fare better?

maturity: how refined a rule is - low number meaning it is a new, fairly untested rule
accuracy: how well a rule is at detecting what it is designed for - low number meaning higher FPs

>
> Again, we need your help!!! SpiderLabs will provide the initial rule
> accuracy level tagging for the rules, however we need the community to report
> FP issues so that these rule tags may be adjusted. The advantage of this
> approach, is that with new ModSecurity v2.6.0, you will be able to
> systematically remove rules by using data within the TAG action. So, you
> could easily choose to only run Level 5 accuracy rules on your site.
>
> Regression Testing Suite
> As stated in a separate email thread – I am currently working on updating our
> rules regression testing suite and we will be releasing it to the community
> soon. The idea is that the testing suite will have example request payloads
> that can be actively sent to your ModSecurity install so that you can verify that
> the detection engine is working properly. I will complete the first few
> testing files and then release it to the public so that we can hopefully get
> some more help with developing tests. This will also allow end-users to
> develop their own tests for their own custom rules. This will help to verify
> that your ModSecurity/CRS installs are working correctly which is vitally
> important especially after any type of upgrade.

This is great news! Are you going to utilize the existing regression testing framework, or are you (have you) built another system for this?

>
> Please keep an eye out for email related to these topics. I will be sending
> emails – related to each rule where we can provide a status on the items
> discussed.

Looking forward to it.

-B
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
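Added example, not part of the original thread and not CRS or SpiderLabs code: a short Python audit that reads the `tag:'RULE_ACCURACY_LEVEL/N'` format quoted above from rule text and lists the rules that fall below a chosen level. The sample rules and their IDs are constructed, and emitting `SecRuleRemoveById` lines and treating untagged rules as below any threshold are assumptions made for the example.

```python
import re

# Constructed sample rules (not from the CRS); only the tag format comes from the thread.
SAMPLE_RULES = r'''
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST|OPTIONS)$" \
    "phase:1,t:none,block,id:'900001',msg:'Method not allowed',tag:'RULE_ACCURACY_LEVEL/5'"
SecRule ARGS "@rx select.+from" \
    "phase:2,t:none,block,id:'900002',msg:'Beta SQL check',tag:'RULE_ACCURACY_LEVEL/1',tag:'WEB_ATTACK/SQLI'"
SecRule REQUEST_HEADERS:User-Agent "@contains scanner" \
    "phase:1,t:none,block,id:'900003',msg:'No accuracy tag yet'"
SecRule ARGS "@rx <script" \
    "phase:2,t:none,block,id:'900004',msg:'Script tag',tag:'RULE_ACCURACY_LEVEL/3'"
'''

ID_RE = re.compile(r"\bid:'?(\d+)'?")
LEVEL_RE = re.compile(r"tag:'RULE_ACCURACY_LEVEL/(\d+)'")

def logical_lines(text):
    """Join backslash-continued lines so each SecRule is one string."""
    joined = re.sub(r"\\\r?\n\s*", " ", text)
    return [l.strip() for l in joined.splitlines() if l.strip().startswith("SecRule")]

def accuracy_levels(text):
    """Map rule id -> accuracy level (None when the rule carries no accuracy tag)."""
    levels = {}
    for rule in logical_lines(text):
        rid = ID_RE.search(rule)
        if not rid:
            continue  # e.g. chained sub-rules, which have no id of their own
        m = LEVEL_RE.search(rule)
        level = int(m.group(1)) if m else None
        if level is not None and not 1 <= level <= 5:  # 1-5 scale as proposed in the thread
            raise ValueError(f"rule {rid.group(1)}: level {level} outside 1-5")
        levels[rid.group(1)] = level
    return levels

def removal_directives(text, min_level):
    """SecRuleRemoveById lines for rules below min_level (assumption: untagged counts as below)."""
    return [f"SecRuleRemoveById {rid}"
            for rid, lvl in sorted(accuracy_levels(text).items())
            if lvl is None or lvl < min_level]

if __name__ == "__main__":
    print("\n".join(removal_directives(SAMPLE_RULES, 5)))
```

Reviewing the generated list before loading it shows exactly which detections are dropped when only Level 5 rules are kept.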
