On 5/6/11 4:40 PM, "Brian Rectanus" <[email protected]> wrote:
>On Fri, May 6, 2011 at 7:54 AM, Ryan Barnett <[email protected]> wrote:
>> Greetings everyone,
>
>Hi Ryan.
>
>> I am sending this note to let you know that SpiderLabs is working on a
>> number of rule updates for the upcoming release of CRS v2.2.0. Some of
>> the big items are:
>>
>> Rule Documentation
>> We have a template rule description page here -
>> https://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template
>> We will continue work on new description pages for each rule, however,
>> we need community help with this effort. Specifically, we have sections
>> for documenting False Positives/False Negatives for each rule. If you
>> are having any issues with CRS rules, please sign up for the FP
>> Reporting mail-list -
>> https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
>> and send a note with the FP details.
>>
>> If you want to create a rule documentation page on the OWASP wiki site,
>> simply copy the wiki html from the Description Template link above and
>> then type in your browser the path to the new page like this -
>> http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX where
>> XXXXX is the Rule ID you are creating the page for. If that page
>> doesn't exist yet, the OWASP wiki page will allow you to EDIT and
>> create it. Then simply paste in the html from the Documentation
>> Template page and fill in the data. Here is an example page -
>> https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911
>>
>> Rule Tag Updates
>> I have started to add in new rule tag actions which will help users to
>> identify the current accuracy level of each rule. The purpose of this
>> tag is to help the user to decide if this rule has a high FP rate or if
>> it is a strong signature that they can be confident in applying
>> blocking actions. The new tag has the following format -
>>
>> tag:'RULE_ACCURACY_LEVEL/N'
>>
>> Where N is a number between 1-5 with:
>> 1 = Beta/Experimental rule or the rule has a high number of reported
>> false positives (via the mail-list).
>> 5 = Heavily tested rule with no false positives reported (via the
>> mail-list).
>
>I think "accuracy" is different than what you have here. Also, I'd
>consider a 0-9 scale - you do not need to use all numbers but it is
>more consistent.

Fair enough. The 0-5 scale was arbitrary anyways but a 10 point scale is
fine with me.

>This is similar to what we are considering for a "maturity" meta tag
>on rules. Just because a rule is new does not mean it may be FP
>heavy. Perhaps two tags would fare better?
>
>maturity: how refined a rule is - low number meaning it is a new,
>fairly untested rule
>accuracy: how well a rule is at detecting what it is designed for -
>low number meaning higher FPs

Yeah good point. These items are open for discussion so if anyone has
anything better, please speak up. I do like MATURITY and ACCURACY - so
maybe -

tag:'RULE_MATURITY/10'

And

tag:'RULE_ACCURACY/10'

>> Again, we need your help!!! SpiderLabs will provide the initial rule
>> accuracy level tagging for the rules, however we need the community to
>> report FP issues so that these rule tags may be adjusted. The advantage
>> of this approach is that with new ModSecurity v2.6.0, you will be able
>> to systematically remove rules by using data within the TAG action. So,
>> you could easily choose to only run Level 5 accuracy rules on your site.
>>
>> Regression Testing Suite
>> As stated in a separate email thread I am currently working on
>> updating our rules regression testing suite and we will be releasing it
>> to the community soon. The idea is that the testing suite will have
>> example request payloads that can be actively sent to your ModSecurity
>> install so that you can verify that the detection engine is working
>> properly. I will complete the first few testing files and then release
>> it to the public so that we can hopefully get some more help with
>> developing tests. This will also allow end-users to develop their own
>> tests for their own custom rules. This will help to verify that your
>> ModSecurity/CRS installs are working correctly which is vitally
>> important especially after any type of upgrade.
>
>This is great news! Are you going to utilize the existing regression
>testing framework, or are you (have you) built another system for
>this?

It is the original one we had at Breach but we are updating it a bit.

Thanks for the feedback Brian.

Ryan

>> Please keep an eye out for email related to these topics. I will be
>> sending emails related to each rule where we can provide a status on
>> the items discussed.
>
>Looking forward to it.
>
>-B

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
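The tag-based rule removal Ryan refers to, shown as an added example that is not part of the original thread and not CRS code: two constructed rules carrying the proposed RULE_ACCURACY_LEVEL tag, followed by the ModSecurity 2.6 directives that disable the low-accuracy ones. The rule IDs 900901-900903, the patterns and the messages are hypothetical; only the tag format from the thread and the SecRuleRemoveByTag / ctl:ruleRemoveByTag mechanisms (both introduced in ModSecurity 2.6.0, and both taking a regular expression matched against each rule's tags) are real.

```apache
# Constructed rules for illustration (not CRS rules). Each carries the
# proposed accuracy tag alongside its other tags.
SecRule ARGS "@rx (?i:union\s+(?:all\s+)?select)" \
    "id:900901,phase:2,deny,status:403,log,msg:'Example SQLi signature',\
    tag:'WEB_ATTACK/SQL_INJECTION',tag:'RULE_ACCURACY_LEVEL/5'"

SecRule ARGS "@rx (?i:select)" \
    "id:900902,phase:2,deny,status:403,log,msg:'Example noisy keyword rule',\
    tag:'WEB_ATTACK/SQL_INJECTION',tag:'RULE_ACCURACY_LEVEL/1'"

# ModSecurity 2.6: SecRuleRemoveByTag takes a regex and drops every rule
# with a matching tag. It must appear AFTER the rules it removes are
# loaded (same ordering requirement as SecRuleRemoveById). This keeps
# only level 4 and 5 rules; 900902 above is removed, 900901 stays.
SecRuleRemoveByTag "^RULE_ACCURACY_LEVEL/[1-3]$"

# Per-request variant for one part of the site, using the ctl action at
# phase 1, so low-accuracy rules are skipped only under /legacy-app/.
<LocationMatch "^/legacy-app/">
    SecAction "id:900903,phase:1,pass,nolog,ctl:ruleRemoveByTag=^RULE_ACCURACY_LEVEL/[1-3]$"
</LocationMatch>
```

Anchor the regex on both ends; a pattern such as `RULE_ACCURACY_LEVEL/1` would also match a hypothetical `RULE_ACCURACY_LEVEL/10` once the 10-point scale discussed above is adopted, so the character class should be adjusted together with the scale.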

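A minimal regression runner in the spirit of the suite Ryan describes, added here as an example; it is not the SpiderLabs/Breach suite, only a sketch of the same idea: send known-malicious and known-benign requests to a ModSecurity host and compare the HTTP status with what the rules should have done. It assumes (the page does not say this) that the target runs CRS in blocking mode with a 403 deny status, so a detected attack yields 403 and a benign request yields 200. The host, paths, payloads and test names are constructed for the example.

```python
"""Constructed regression runner for a ModSecurity/CRS install (example code)."""

import http.client
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable


@dataclass
class RegressionTest:
    name: str
    method: str
    path: str
    expect_status: int            # 403 = rule must block, 200 = rule must stay quiet
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Constructed test cases. Each attack payload is paired with a benign request
# on the same parameter, so an engine that blocks everything shows up as a
# false positive instead of looking like a clean pass.
TESTS = [
    RegressionTest("sqli-union-select", "GET",
                   "/index.php?id=1%20UNION%20SELECT%20password%20FROM%20users", 403),
    RegressionTest("sqli-benign-id", "GET", "/index.php?id=42", 200),
    RegressionTest("xss-script-tag", "POST", "/comment", 403,
                   {"Content-Type": "application/x-www-form-urlencoded"},
                   "text=%3Cscript%3Ealert(1)%3C/script%3E"),
    RegressionTest("xss-benign-comment", "POST", "/comment", 200,
                   {"Content-Type": "application/x-www-form-urlencoded"},
                   "text=nice+post"),
]


def http_sender(host: str, port: int = 80,
                timeout: float = 5.0) -> Callable[[RegressionTest], int]:
    """Return a function that sends one test to host:port and returns the status code."""
    def send(test: RegressionTest) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(test.method, test.path,
                         body=test.body or None, headers=test.headers)
            resp = conn.getresponse()
            resp.read()               # drain the body so the connection closes cleanly
            return resp.status
        finally:
            conn.close()
    return send


def classify(test: RegressionTest, status: int) -> str:
    """Map the observed status onto the outcome the suite cares about."""
    if status == test.expect_status:
        return "pass"
    if test.expect_status == 403:
        return "false-negative"       # attack payload was not blocked (any non-403)
    if status == 403:
        return "false-positive"       # benign request was blocked
    return "unexpected"               # benign request hit something else, e.g. a 500


def run(tests: Iterable[RegressionTest],
        sender: Callable[[RegressionTest], int]) -> Dict[str, str]:
    """Run every test through `sender` (injectable, so it can be faked) -> {name: outcome}."""
    return {t.name: classify(t, sender(t)) for t in tests}


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    counts = {"pass": 0, "false-negative": 0, "false-positive": 0, "unexpected": 0}
    for outcome in results.values():
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome = run(TESTS, http_sender(target))
    for name, verdict in outcome.items():
        print(f"{verdict:15} {name}")
    print(summarize(outcome))
```

Run it against a host with `python runner.py waf.example.internal` after an upgrade; any "false-negative" line means a payload that used to be caught now passes, which is exactly the regression the suite is meant to surface.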