mod_security 2.5 Rule Engine

W00LF · Apr 25, 2013

hello,
I have couple of questions:
1. how exactly the modsecurity work with the rules? does it read them by order of number from _crs_20 and until....? or there is other way?
2. does modsecurity work with black list or white list?
3. I read some where that there is negative and positive rules. what is the differences between them and what kind of rules are owasp rules?
thank you a lot! and please I need your help as soon as possible.
WOOLF.

Infopro · Apr 25, 2013

You might like to know about the documentation for mod_security here:
ModSecurity: Open Source Web Application Firewall - Documentation

W00LF · Apr 26, 2013

Infopro said:
You might like to know about the documentation for mod_security here:
ModSecurity: Open Source Web Application Firewall - Documentation

thank you!
I have anathor question?
I don't understand what is the Diffrent between False positive and False Negative...

Infopro · Apr 26, 2013

I don't understand what is the Diffrent between False positive and False Negative...

Not sure exactly what you mean. Can you explain it another way?

W00LF · Apr 26, 2013

Infopro said:
Not sure exactly what you mean. Can you explain it another way?

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling - SpiderLabs Anterior

in this link there is topic of "False Positives In New Environments" and the talk about FALSE POSITIVE/NEGATIVE...
"False Positives happen with ModSecurity + CRS mainly as a by product of the fact that the rules are generic in nature. The plug-n-play nature of the CRS what makes it great, as you will get protection for just about any environment however there will be some level of FPs. This ends up being the old "80/20 rule" of security where you will instantly get coverage for about 80% of the problem. The issue then moves towards that remaining 20%. This is where the CRS runs into both false positives and false negatives as there is no way to know exactly what web application is going to be run behind it. That is why the CRS is geared towards blocking the known bad stuff and forcing some HTTP compliance. This catches the vast majority of attacks."

Infopro · Apr 26, 2013

That article covers the topic quite well I think. If you find something being blocked by mod_security that you feel is safe, and shouldn't be blocked, you might find this addon quite useful:
ConfigServer ModSecurity Control

Thread starter	Similar threads	Forum	Replies	Date
J	SOLVED mod_security rule not working	Security	5	Apr 8, 2019
D	Mod_security geoip rule doesn't work	Security	9	Feb 26, 2018
E	Let customers view and whitelist mod_security rules?	Security	2	Aug 26, 2017
	Mod_Security rule to mitigate constant GET and POST request attack	Security	6	Feb 25, 2017
	Mod_security rules to prevent spam registrations and comments on wordpress sites	Security	12	Feb 7, 2017

Search

Search

mod_security 2.5 Rule Engine

W00LF

Member

Infopro

Well-Known Member

W00LF

Member

Infopro

Well-Known Member

W00LF

Member

Infopro

Well-Known Member