mod_security 2.5 Rule Engine

[W00LF]

hello,
I have couple of questions:
1. how exactly the modsecurity work with the rules? does it read them by order of number from _crs_20 and until....? or there is other way?
2. does modsecurity work with black list or white list?
3. I read some where that there is negative and positive rules. what is the differences between them and what kind of rules are owasp rules?
thank you a lot! and please I need your help as soon as possible.
WOOLF.

 

[Infopro]

You might like to know about the documentation for mod_security here:
ModSecurity: Open Source Web Application Firewall - Documentation

 

[W00LF]

You might like to know about the documentation for mod_security here:
ModSecurity: Open Source Web Application Firewall - Documentation

thank you!
I have anathor question?
I don't understand what is the Diffrent between False positive and False Negative...

 

[Infopro]

I don't understand what is the Diffrent between False positive and False Negative...

Not sure exactly what you mean. Can you explain it another way?

 

[W00LF]

Not sure exactly what you mean. Can you explain it another way?

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling - SpiderLabs Anterior

in this link there is topic of "False Positives In New Environments" and the talk about FALSE POSITIVE/NEGATIVE...
"False Positives happen with ModSecurity + CRS mainly as a by product of the fact that the rules are generic in nature. The plug-n-play nature of the CRS what makes it great, as you will get protection for just about any environment however there will be some level of FPs. This ends up being the old "80/20 rule" of security where you will instantly get coverage for about 80% of the problem. The issue then moves towards that remaining 20%. This is where the CRS runs into both false positives and false negatives as there is no way to know exactly what web application is going to be run behind it. That is why the CRS is geared towards blocking the known bad stuff and forcing some HTTP compliance. This catches the vast majority of attacks."

 

[Infopro]

That article covers the topic quite well I think. If you find something being blocked by mod_security that you feel is safe, and shouldn't be blocked, you might find this addon quite useful:
ConfigServer ModSecurity Control