Last OWASP rules are reliable?

[darwin7]

Good morning

I was planning to enable OWASP ruleset for ModSecurity and I searched around some information.

Then, I found some worrying complaints (for example here OWASP Cpanel Rules - Experience) and I'm reviewing my plans.

Since I read somewhere that OWASP rules have been recently updated, I would like to ask you if you are using OWASP/ModSecurity rules and why they are suggested or not suggested.

Thank you!
/cq

 

[rpvw]

Hi darwin7.

I have used the OWASP ModSecurity Core Rule Set V3.0 since cPanel made them available. With the exception of having to add one rule that I detailed in OWASP ModSecurity Core Rule Set V3.0 whm-server-status I found that ModSecurity worked just fine.

I would recommend that you supplement the ModSec with the free ConfigServer ModSecurity Control (cmc)
It will enable you to fine-tune your rules, and what accounts / directories are protected or ignored.

 

[darwin7]

I have used the OWASP ModSecurity Core Rule Set V3.0 since cPanel made them available. With the exception of having to add one rule that I detailed in OWASP ModSecurity Core Rule Set V3.0 whm-server-status I found that ModSecurity worked just fine.

Hi rpvw

thank you for replying

Just a question, please: does you server manage some WP or Joomla websites?

Thank you!

 

[rpvw]

Yes I have both WP and Joomla sites. Some site owners find they sometimes need to switch off ModSec in their cPanels for heavy admin editing sessions - but I have had no complaints from website owners that their sites are having any issues serving their customers.

Curiously, I made considerable effort to try and track down if any particular plugin or extension was problematic - with absolutely no consistent nor quantifiable results. The website owners seem happy enough to pop into their cPanel and switch off the ModSec for the duration of an admin editing session if they find they are getting unexpected events.

My website owners (all companies) respect the increased security that ModSec offers them, and value that over the inconvenience of having to occasionally disable it and then re-enable it in cPanel.

If you are able to quantify a rule that is causing your website operator issues, you can easily use the ConfigServer ModSecurity Control (cmc) to disable that rule, either globally, or on a per domain basis.

 

[darwin7]

Hi rpvw

thank you for the explanation.
Yes, I use cmc regularly.

I only had doubts about any false positives of OWASP, because I read lot of complaints.

I will try to enable it.

Thank you!

 

[rpvw]

As with many things in life, the universe and web hosting ....... one size often does NOT fit all !

Your particular customers may use WP or Joomla extensions or configurations in a way that trigger false positives in the OWASP ModSecurity Core Rule Set V3.0 , but the only way you will ever find out, is if you enable it and then, unfortunately, spend some considerable time initially monitoring and analysing the results.

You can always take the easy way out and just enable it, and deal with any screaming clients on a case by case basis - or even just tell them to switch it off if they don't like it.

 

[darwin7]

Dear rpvw,

Your particular customers may use WP or Joomla extensions or configurations in a way that trigger false positives in the OWASP ModSecurity Core Rule Set V3.0 , but the only way you will ever find out, is if you enable it and then, unfortunately, spend some considerable time initially monitoring and analysing the results.

Yes, are there so many plugin around that the only way is check one by one for every acount.

You can always take the easy way out and just enable it, and deal with any screaming clients on a case by case basis - or even just tell them to switch it off if they don't like it.

Unfortunately, if I'm not wrong, from cPanel users can only enable/disable whole ModSecurity rather than a single ruleset. However, it's useful.

Thank you for your valuable help!

 

[cPanelMichael]

Unfortunately, if I'm not wrong, from cPanel users can only enable/disable whole ModSecurity rather than a single ruleset. However, it's useful.

Hello,

That's correct. I encourage you to vote and add feedback to the following feature requests if you'd like to see support for that added to the product:

Modsecurity tools: Ability to ignore specific rule ID's per user account
Configure ModSecurity Rules per user account and a way to allow users to see its ModSecurity logs

Thanks!

 

[darwin7]

That's correct. I encourage you to vote and add feedback to the following feature requests if you'd like to see support for that added to the product:

Hello cPanelMichael

this is great! Thank you

Regards,
/cq

 

[thanasis]

Hi rpvw

thank you for the explanation.
Yes, I use cmc regularly.

I only had doubts about any false positives of OWASP, because I read lot of complaints.

I will try to enable it.

Thank you!

Hello darwin7,
did you enable OWASP?
did you have any problems with WP , Joomla , Opencart ?

 

[darwin7]

Hello darwin7,
did you enable OWASP?
did you have any problems with WP , Joomla , Opencart ?

Hello
I enabled it on a test server with few WP and Joomla installations and up to dare I had no issues!
Thanks