Hi Christian, Thank you for this.
The text before the switch says:

# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# -- [[ Self-Contained Mode ]] --
# Rules inherit the "deny" disruptive action. The first rule that matches will block.
#
# -- [[ Collaborative Detection Mode ]] --
# This is a "delayed blocking" mode of operation where each matching rule will inherit
# the "pass" action and will only contribute to anomaly scores. Transactional blocking
# can be applied
#
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
#
# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction

And that is where I change deny to delayed blocking. Did I do wrong?

So I set inbound to 1000, then check the logs. What will I look at in the logs to warrant an adjustment?

Thank you for your patience guys.

Kenneth

On Wed, May 18, 2016 at 5:07 PM, Christian Folini <[email protected]> wrote:

> Kenneth,
>
> On Wed, May 18, 2016 at 03:24:49PM +0800, T. Kenneth Lojo (IRRI) wrote:
> > "I suggest you run in blocking mode with anomaly scoring on and
> > a high anomaly limit (-> 1K or more)."
> >
> > Do I change the inbound and outbound values to 1k+?
>
> The relevant one is inbound. It's very unusual to get outbound scores
> higher than 10 or 20.
>
> For convenience, I usually configure the two in sync. Thus both to 1K to
> start with. Then I tune, then I lower the limits. In multiple
> iterations down to 10 or 5.
>
> > (deny to delayed blocking)
> > 66 SecDefaultAction "phase:1,delayed blocking,log"
> > 67 SecDefaultAction "phase:2,delayed blocking,log"
>
> What is delayed blocking? Looks like a misunderstanding.
> I run with pass/pass and let the core rules do the blocking (in the
> files mentioned by Noël).
>
> > and uncommented:
> >
> > 152 SecAction \
> > ...
>
> That's the one.
>
> I think you have realised that there are multiple "schools" or
> strategies to CRS deployments or tuning in the general sense.
> Barry favors to start in detection mode, tune and then go to a
> strict blocking mode. I am an advocate of starting in blocking mode
> with anomaly scoring and a high anomaly limit, then work your way
> down to a low limit. The final result will be almost the same.
> As Barry tends to disable non-critical rules, you end up with blocking
> on the critical ones. These are the ones which give you a score
> of 5. I usually try and tune down to a limit of 5. So it's
> really identical. It's just a different path to reach the same goal.
> My key argument for my method is, that people never leave detection
> mode because they fear the switch to blocking. If you start with
> blocking (and a high limit), then every iteration lowering the limits
> helps you to build up confidence in your system and there is no
> final "switch from detection to blocking".
> The example which contradicts my statement is Barry who actually
> switches to blocking in the end. I think this is rare.
>
> Ahoj,
>
> Christian
>
> --
> Happiness exists on earth, and it is won through prudent
> exercise of reason, knowledge of the harmony of the universe, and
> constant practice of generosity.
> -- José Martí

--
T. Kenneth S. Lojo
Specialist-Online Media Design, International Rice Research Institute <http://irri.org/>
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
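Kenneth's question of what to look at in the logs before adjusting the limit is the practical core of Christian's approach (start with a high inbound anomaly limit, then lower it in iterations). The script below is an added example, written for this editorial pass and not code from the thread, from the CRS project or from ModSecurity. It parses constructed error_log lines that carry a "Total Inbound Score: N" figure, builds a histogram of scores, and lists which requests would be newly blocked when the limit is lowered from one value to the next, grouped by URI so you can see whether those are legitimate paths that need a rule exclusion first. The line format, the rule ids and file paths are placeholders and assumptions about the shape of the alerts, not real CRS values; the "greater than or equal" comparison mirrors how the CRS anomaly threshold rule is described in the thread's terms of a "limit".

```python
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines (not taken from the thread). They imitate the
# general shape of ModSecurity alerts that report a CRS inbound anomaly score; the
# rule id, file path and client addresses are placeholders, not real CRS values.
SAMPLE_LOG = """\
[client 203.0.113.10] ModSecurity: Warning. [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score (Total Inbound Score: 3): ..."] [uri "/index.php"]
[client 203.0.113.10] ModSecurity: Warning. [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score (Total Inbound Score: 5): ..."] [uri "/search"]
[client 203.0.113.11] ModSecurity: Warning. [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score (Total Inbound Score: 8): ..."] [uri "/search"]
[client 198.51.100.7] ModSecurity: Warning. [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score (Total Inbound Score: 45): ..."] [uri "/login"]
[client 203.0.113.12] ModSecurity: Warning. [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score (Total Inbound Score: 5): ..."] [uri "/search"]
[client 203.0.113.13] ModSecurity: Access denied with code 403 (phase 2). [file "PLACEHOLDER.conf"] [id "PLACEHOLDER"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 1005): ..."] [uri "/admin"]
"""

# Assumed field shapes; adjust the patterns to the alert format your CRS version emits.
SCORE_RE = re.compile(r'Total Inbound Score: (\d+)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def parse_scores(log_text):
    """Return a list of (score, client, uri) for every line that reports an inbound
    score. Lines without a score (other ModSecurity messages, Apache noise) are skipped."""
    rows = []
    for line in log_text.splitlines():
        score = SCORE_RE.search(line)
        if not score:
            continue
        client = CLIENT_RE.search(line)
        uri = URI_RE.search(line)
        rows.append((int(score.group(1)),
                     client.group(1) if client else "unknown",
                     uri.group(1) if uri else "unknown"))
    return rows


def score_histogram(rows):
    """How many requests ended at each total score. The shape shows where the bulk of
    the (presumably legitimate) traffic sits and how far the limit can safely drop."""
    return Counter(score for score, _, _ in rows)


def blocked_at(rows, limit):
    """Requests the threshold rule blocks at a given inbound limit (score >= limit)."""
    return [row for row in rows if row[0] >= limit]


def newly_blocked(rows, current_limit, proposed_limit):
    """Requests that pass at the current limit but would be blocked after lowering it,
    grouped by URI. These are the entries to inspect before each step down: a
    legitimate URI showing up here means a rule needs tuning before the limit drops."""
    if proposed_limit >= current_limit:
        raise ValueError("proposed limit must be lower than the current one")
    by_uri = defaultdict(list)
    for score, client, uri in rows:
        if proposed_limit <= score < current_limit:
            by_uri[uri].append((score, client))
    return dict(by_uri)


if __name__ == "__main__":
    rows = parse_scores(SAMPLE_LOG)
    print("score histogram:", sorted(score_histogram(rows).items()))
    print("blocked at 1000:", blocked_at(rows, 1000))
    # Walk the limit down the way the thread describes, one iteration at a time.
    for current, proposed in ((1000, 50), (50, 20), (20, 10), (10, 5)):
        print(f"lowering {current} -> {proposed} would newly block:",
              newly_blocked(rows, current, proposed))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents; the URIs that appear under a proposed lower limit are the ones to check for false positives (and, if legitimate, to cover with a rule exclusion) before actually lowering the limit in the configuration.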
