mod_security 2.5 Rule Engine

W00LF

Member
Apr 19, 2013
Hello,
I have a couple of questions:
1. How exactly does ModSecurity work with the rules? Does it read them in order of number, from _crs_20 and until....? Or is there another way?
2. Does ModSecurity work with a blacklist or a whitelist?
3. I read somewhere that there are negative and positive rules. What are the differences between them, and what kind of rules are the OWASP rules?
Thank you a lot! And please, I need your help as soon as possible.
WOOLF.
 

W00LF

Member
Apr 19, 2013
Not sure exactly what you mean. Can you explain it another way?
ModSecurity Advanced Topic of the Week: (Updated) Exception Handling - SpiderLabs Anterior

In this link there is a topic, "False Positives In New Environments", and they talk about FALSE POSITIVE/NEGATIVE...
"False Positives happen with ModSecurity + CRS mainly as a by-product of the fact that the rules are generic in nature. The plug-n-play nature of the CRS is what makes it great, as you will get protection for just about any environment; however, there will be some level of FPs. This ends up being the old "80/20 rule" of security where you will instantly get coverage for about 80% of the problem. The issue then moves towards that remaining 20%. This is where the CRS runs into both false positives and false negatives as there is no way to know exactly what web application is going to be run behind it. That is why the CRS is geared towards blocking the known bad stuff and forcing some HTTP compliance. This catches the vast majority of attacks."
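
The trade-off described in the quoted passage, as an added example that is not part of the original post or of the CRS: a generic known-bad pattern (negative model) compared with a profile written for one hypothetical application (positive model). The pattern, the parameter names and the sample requests are all constructed for illustration.

```python
import re

# Negative model: a generic blocklist pattern that knows nothing about the
# application behind it. Constructed stand-in, not an actual CRS rule.
KNOWN_BAD = re.compile(r"(?i)\b(select|union|drop)\b.*\b(from|table|all)\b")

# Positive model: a profile for one hypothetical endpoint. Each parameter
# name maps to the only value format that application accepts (assumption).
PROFILE = {
    "id": re.compile(r"\d{1,10}"),
    "comment": re.compile(r"[\w\s.,!?'-]{1,200}"),
}

def negative_model(params):
    """Block only when some value matches the known-bad pattern."""
    return any(KNOWN_BAD.search(v) for v in params.values())

def positive_model(params):
    """Block anything the profile does not explicitly describe."""
    for name, value in params.items():
        rule = PROFILE.get(name)
        if rule is None or not rule.fullmatch(value):
            return True
    return False

# Constructed sample requests: (label, parameters, unwanted by this app?)
SAMPLES = [
    ("normal request", {"id": "42", "comment": "Nice post!"}, False),
    ("benign text that looks like SQL",
     {"id": "7", "comment": "Please select one from the list"}, False),
    ("malformed id the app never expects", {"id": "42abc", "comment": "hi"}, True),
    ("unknown parameter", {"id": "42", "debug": "1"}, True),
]

def evaluate(model):
    """Return (false_positives, false_negatives) as lists of sample labels."""
    fp, fn = [], []
    for label, params, unwanted in SAMPLES:
        blocked = model(params)
        if blocked and not unwanted:
            fp.append(label)      # legitimate traffic was blocked
        elif not blocked and unwanted:
            fn.append(label)      # unwanted traffic was let through
    return fp, fn

if __name__ == "__main__":
    for model in (negative_model, positive_model):
        print(model.__name__, evaluate(model))
```

The positive model only comes out clean here because the profile was written with knowledge of the application, which is exactly what a generic rule set cannot have.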