![]() It is obvious, reducing the number of false alarms is the prerequisite for lowering the CRS anomaly threshold and this, in turn, is required in order to use ModSecurity to actually ward off attackers. What we're missing is a strategy for coping with false alarms on a scale and this tutorial will show you one. In the previous tutorial, we saw a number of approaches for suppressing individual false alarms with the help of rule exclusions. In some cases, namely at higher paranoia levels, there can be thousands of them. Why are we doing this?Ī fresh installation of the CRS will typically have some false alarms. We will take a vanilla installation of the OWASP ModSecurity Core Rule Set (CRS) troubled by a large number of false positives and tune away the unwelcome alarms, so we get a clearer view on the real attackers. Continued abuse of our services will cause your IP address to be blocked indefinitely.Table of Contents What are we doing? Why are we doing this? Requirements Step 1: Defining a Policy to Fight False Positives Step 2: Getting an Overview Step 3: The first batch of rule exclusions Step 4: Reducing the anomaly score threshold Step 5: The second batch of rule exclusions Step 6: The third batch of rule exclusions Step 7: The fourth batch of rule exclusions Step 8: Summarizing all rule exclusions Step 9 (Goodie): Getting a quicker overview References License / Copying / Further use What are we doing? Please fill out the CAPTCHA below and then click the button to indicate that you agree to these terms. If you wish to be unblocked, you must agree that you will take immediate steps to rectify this issue. If you do not understand what is causing this behavior, please contact us here. If you promise to stop (by clicking the Agree button below), we'll unblock your connection for now, but we will immediately re-block it if we detect additional bad behavior.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |