This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode"
From OWASP
m (Sub-Project Infos: added "Noël Zindel" to "who", Open Tasks: added "Noël" to Task "stricter siblings") |
(Started paranoia mode candidate table, explained states in tables on this page) |
||
| Line 22: | Line 22: | ||
===Open Tasks=== | ===Open Tasks=== | ||
| + | |||
| + | Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below. | ||
{|- class="wikitable" | {|- class="wikitable" | ||
| Line 30: | Line 32: | ||
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1 | | Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1 | ||
| Spartan | | Spartan | ||
| − | | | + | | assigned |
|- | |- | ||
| Assemble list of disappeared rules, which should be brought back | | Assemble list of disappeared rules, which should be brought back | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode | | Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with<br />stricter siblings in paranoia mode<br />(same idea of the rule, but harder limit etc.) | | Assemble list of 3.0.0-rc1 rules, which could be accompanied with<br />stricter siblings in paranoia mode<br />(same idea of the rule, but harder limit etc.) | ||
| Noël | | Noël | ||
| − | | | + | | assigned |
|- | |- | ||
| Write new stricter siblings for existing rules | | Write new stricter siblings for existing rules | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Sort out mechanics of the paranoia mode | | Sort out mechanics of the paranoia mode | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Define exact syntax of paranoia mode setup | | Define exact syntax of paranoia mode setup | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Sort out name: Is "Paranoia Mode" really the right term? | | Sort out name: Is "Paranoia Mode" really the right term? | ||
| Christian | | Christian | ||
| − | | | + | | waiting |
|- | |- | ||
| Write pull request | | Write pull request | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Submit pull request | | Submit pull request | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Draw flowchart | | Draw flowchart | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|- | |- | ||
| Write documentation | | Write documentation | ||
| n.n. | | n.n. | ||
| − | | | + | | new |
|} | |} | ||
| Line 87: | Line 89: | ||
| | | | ||
| | | | ||
| + | |} | ||
| + | |||
| + | ==Rules== | ||
| + | |||
| + | ===Paranoia Mode Candidates=== | ||
| + | |||
| + | The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>) | ||
| + | A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]] | ||
| + | We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one. | ||
| + | |||
| + | Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''. | ||
| + | * 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting. | ||
| + | * If dropped, please provide reasoning in the remarks. | ||
| + | |||
| + | |||
| + | {|- class="wikitable" | ||
| + | |'''RuleID 2.2.x''' | ||
| + | |'''RuleID 3.0.0-rc1''' | ||
| + | | '''msg''' | ||
| + | | '''Status''' | ||
| + | | '''Remarks''' | ||
| + | |- | ||
| + | | 981172 | ||
| + | | gone | ||
| + | | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | ||
| + | | candidate | ||
| + | | | ||
|} | |} | ||
Revision as of 06:33, 9 January 2016
Abstract
This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.
FIXME: Detailed description
Back to the OWASP ModSecurity Core Rules Set.
Sub-Project Infos
- Status: active (January 2016)
- Schedule: Pull request in January 2016
- Who: Christian Folini (dune73), Noël Zindel (zino), FIXME
- Documentation: Here on the OWASP Wiki
- Discussion / Archive: [email protected] / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
- Github Link: FIXME
- Final Pull Request: FIXME
Tasks
Open Tasks
Please define state as follows: new, assigned, waiting, closed. When a task it is closed, it is moved to the seperate closed tasks table below.
| Task | Who | Status |
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1 | Spartan | assigned |
| Assemble list of disappeared rules, which should be brought back | n.n. | new |
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode | n.n. | new |
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.) |
Noël | assigned |
| Write new stricter siblings for existing rules | n.n. | new |
| Sort out mechanics of the paranoia mode | n.n. | new |
| Define exact syntax of paranoia mode setup | n.n. | new |
| Sort out name: Is "Paranoia Mode" really the right term? | Christian | waiting |
| Write pull request | n.n. | new |
| Submit pull request | n.n. | new |
| Draw flowchart | n.n. | new |
| Write documentation | n.n. | new |
Closed Tasks
| Task | Who | Status |
| none so far |
Rules
Paranoia Mode Candidates
The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>) A mapping table exists [IdNumbering.csv] We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.
Please set status as follows : candidate, cloning-candidate, unsure, dropped.
- 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
- If dropped, please provide reasoning in the remarks.
| RuleID 2.2.x | RuleID 3.0.0-rc1 | msg | Status | Remarks |
| 981172 | gone | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | candidate |
