
List:       mod-security-users
Subject:    Re: [mod-security-users] Paranoia level
From:       Blason R <blason16 () gmail ! com>
Date:       2021-03-10 9:52:55
Message-ID: CAPPXLT9zyLsTE0h16bnDcNxU8cFb=sJcBF689zXPNTvStk82rQ () mail ! gmail ! com

Thanks for the heads-up - but I am still confused and would take this up
offline.
Though this is not the correct forum I might not spam this list.

On Wed, Mar 10, 2021 at 12:46 PM Christian Folini <
christian.folini@netnea.com> wrote:

> Hey Blason,
>
> On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> > I am really looking everywhere but unable to find the exact information.
> > I am struggling to find how do I increase Paranoia level gradually?
> > I really don't see settings in configuration or might have overlooked? but
> > can someone help me understand the procedure?
>
> You have probably overlooked the explanation of it in crs-setup.conf.
>
> There are two values involved:
>
> - tx.paranoia_level
>   This is the PL that we are going to block in. We thought about renaming
>   this to tx.blocking_paranoia_level, but then we thought it would have
>   been too cumbersome on the users.
> - tx.executing_paranoia_level
>   This is the PL of the rules that we are going to execute. It is greater
>   or equal to tx.paranoia_level.
>
> So with these two settings, you can block on PL1, but execute PL2, tune away
> the false positives of PL2 and then raise the blocking PL to 2 as well.
> And then to the next step.
>
> The advantage of this process is that without the executing PL setting, you
> would dive into a higher PL without knowing the new false positives in
> advance and you would probably have to raise the anomaly threshold for
> a certain transition period, thus lowering your defenses. The introduction
> of the execution paranoia level allows you to keep the defenses up.
>
> Cheers,
>
> Christian
>
>
> --
> Seek simplicity, and distrust it.
> -- Alfred North Whitehead
>
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
