Discussion:
[Owasp-modsecurity-core-rule-set] What is the right process of dealing with the false positives
Georgi Georgiev
2017-08-14 12:29:39 UTC
Hello,
I am deploying mod_security with nginx in a shared hosting environment, and most of the websites are WordPress, Joomla and Drupal. I don't want to rewrite all the OWASP rules to minimize the false positives. Also, I searched for a WordPress- or Joomla-specific ruleset but couldn't find such a thing (it would take a lot of resources to research every WordPress and Joomla hack, even the most famous ones, and to write rules about them, and also to read how to write rules :)). Even if I put mod_security initially in a mode that does not block, only logs, it would be very hard to tell clearly whether it's a false positive or whether it comes from evil sources.

I read that the right practice is to change the anomaly score, but I didn't understand it at all.

So, I would like to ask you how you deal with this? I know that false positives will be there all the time, but how do you minimize them? Write your own ruleset? Is there any paid ruleset that you can recommend (I think that I found only one paid one and many people complain about it)? I just want you to explain to me the process you follow with the rules :)

Thank you in advance!
Christian Folini
2017-08-15 06:52:50 UTC
Hello Georgi,

CRS3 comes with default rule exclusions for WP and Drupal that solve
many of the base installation's FPs. Collaborating with the project on
a set of Joomla rule exclusions would be most helpful.

Starting with a higher anomaly threshold while you weed out the false
positives is a method that I advocate in my documentation.

Making sure that you do not base your tuning efforts on attack traffic
is an obvious problem. There are multiple approaches to this, and none
of them is hard science. I usually try to start off with tuning based on
known IP ranges.

This is all discussed in great detail in the series of ModSecurity
tutorials at https://www.netnea.com/cms/apache-tutorials/

Besides, I am also running two public ModSec courses in October.

Good luck!

Christian
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
--
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:***@netnea.com
twitter: @ChrFolini
Christian Folini
2017-08-15 07:39:06 UTC
Post by Georgi Georgiev
Hey, hey,
Thank you for your reply. I know about the exclusions, but I don't
think this is the perfect solution, because if I exclude all the false
positive rules there will be maybe 2-3 working rules at all :)
That is not greatly exaggerated. We have about 150 rules in the default
install. Multiply this with the application's parameters. And then look
at the few dozen rule/parameter exclusions we provide you with.
It's the minimal set of bricks broken out of the defense wall.
Post by Georgi Georgiev
Maybe they should be tuned?
Or WordPress / Drupal could be fixed to make sure they do not submit any
suspicious payloads. :)
Post by Georgi Georgiev
What is going on when the anomaly score is
higher - this I couldn't understand - are users not blocked, or what?
The anomaly score is linked to an individual request.
The anomaly threshold is the anomaly limit where you start to block
requests.

If the threshold is at 25 and a request sets off 4 critical rules, you
get 4 error entries, a score of 20 and the request passes.

Got it?

If it is still not clear, could you read the explanations in
crs-config.conf again. If you are unable to understand that, please
point it out exactly, for this would be a sign our documentation is not
good enough.

Ahoj,

Christian
Post by Georgi Georgiev
If I understand right, I can start with a high anomaly score for all rules
with an equal score until I tune them perfectly.
In nginx I have rate limits, and I prefer to start with the most common
WordPress / Joomla hack rules that can stop some part of the hacks,
because this is the biggest problem.
Best regards, Georgi Georgiev.
Georgi Georgiev
2017-08-15 12:42:08 UTC
Thank you for your reply again, it was useful. First of all I would like to apologize for the questions that are stupid to you. Currently I see that I have the following in the config, which from what I read means that I am not in anomaly mode, but in traditional:

SecDefaultAction "log,deny,phase:1"

So, by your recommendation I understand that I should remove this line to start using anomaly mode. Then, on every rule I can/should add setvar:tx.anomaly_score=5 (for example) so I can control its score?

Also, to decrease the false positives as a second step of the setup, should I increase the threshold value here - or am I wrong?

# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
setvar:tx.inbound_anomaly_score_threshold=5"
Christian Folini
2017-08-15 12:55:27 UTC
Georgi,

Yes, this is all correct.

Glad to help (just not always with enough time at my hands...)

Cheers,

Christian
--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:***@netnea.com
twitter: @ChrFolini
Georgi Georgiev
2017-08-15 15:10:29 UTC
Ok, I removed the line SecDefaultAction "log,deny,phase:1" so now I am in anomaly mode as a first step.

Later, I changed the threshold to 40 and the XSS stack test is no longer blocked.

SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
setvar:tx.inbound_anomaly_score_threshold=40"

Last, but not least, I added a tx score to the following rule, which is a custom one of mine, as I experimented with the values, but I am always blocked. Is the problem in the rule (40 scores shouldn't be reached from one rule)?

SecRule ARGS|REQUEST_URI "c99" "phase:3,log,id:153,setvar:tx.anomaly_score=0"

Should I do something else, or should I now play only with this score? Are there any best practices or anything else to suggest to me?

Best regards,
Georgi Georgiev
Georgi Georgiev
2017-08-17 16:27:49 UTC
I am getting started :) I would like to finally ask you these questions. I would be very thankful if you answered them.

1. Does paranoia level 1 really give fewer false positives for a shared hosting environment and at the same time enough protection? Does it protect from SQL injection and XSS, as I read that they are included in paranoia level 2? What is the best practice - initially start with paranoia level 1, tune it and then switch to 2?

2. What is your anomaly inbound score set to? Have you changed it to something other than 5, or did you leave it at 5 and change the score of the rules?

3. I am not sure how to tune the tx.score for every rule in the OWASP set, as they use variables such as the following:

SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"


Are these the correct default scores for the specific rulesets and attacks that I should tune?

# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.

SecAction \
"id:901200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.anomaly_score=0,\
setvar:tx.sql_injection_score=0,\
setvar:tx.xss_score=0,\
setvar:tx.rfi_score=0,\
setvar:tx.lfi_score=0,\
setvar:tx.rce_score=0,\
setvar:tx.php_injection_score=0,\
setvar:tx.http_violation_score=0,\
setvar:tx.session_fixation_score=0,\
setvar:tx.inbound_anomaly_score=0,\
setvar:tx.outbound_anomaly_score=0,\
setvar:tx.sql_error_match=0


4. Should I adjust the percentage of requests that are funnelled into the Core Rules below 100, as is recommended on some pages? Does this affect the false positives or only the performance?

Best regards,
Georgi Georgiev
Christian Folini
2017-08-18 08:29:53 UTC
Hey Georgi,
Post by Georgi Georgiev
1. Does paranoia level 1 really give fewer false positives for a shared hosting
environment and at the same time enough protection?
That depends on your assessment of your data, its value and the threat
model.

I think PL1 is base level of security, PL2 is security for data with
some value, PL3 is online banking, PL4 is nuclear power plant. Just as a
rough guidance. ;)
Post by Georgi Georgiev
Does it protect from
SQL injection and XSS, as I read that they are included in paranoia level 2?
Yes, the biggest part of the SQLi protection is the use of the
libinjection library that is included in PL1.
Post by Georgi Georgiev
What is the best practice - initially start with paranoia level 1, tune it
and then switch to 2?
That is a very good question. In fact if you aim to run in PL2, it is
far easier to start in PL2 immediately and then tune down. The problem
is that if you run in PL1 and have tuned the service to a hard blocking
setting, the enabling of PL2 will bring you new rules, new false
positives and legitimate users being blocked.
Post by Georgi Georgiev
2. What is your anomaly inbound score set to? Have you changed it to
something other than 5, or did you leave it at 5 and change the score of the
rules?
For a productive system it should be 5. After the tuning.
Post by Georgi Georgiev
3. I am not sure how to tune the tx.score for every rule in the OWASP as
"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
Are these the correct default scores for the specific rulesets and attacks
that I should tune?
Don't touch the rules. You only want to change the anomaly score limit
in the crs-setup.conf file - and then create your rule exclusions as
documented in the tutorials.
Post by Georgi Georgiev
4. Should I adjust the percentage of requests that are funnelled into the
Core Rules below 100, as is recommended on some pages? Does this affect
the false positives or only the performance?
This is a feature that is only useful when gauging the performance
impact of ModSec / CRS. You definitely need to have this at 100 or an
attacker can submit an exploit n times and eventually he will bypass
the rule set based on your sampling rate being below 100%.

Ahoj,

Christian
--
History teaches us that men and nations behave wisely once they have
exhausted all other alternatives.
-- Abba Eban
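The scoring arithmetic Christian explains earlier in the thread (a per-request anomaly score that is compared against the inbound threshold; threshold 25 and four critical rules give a score of 20 and the request passes) and his closing advice (leave the rules alone, work with the threshold in crs-setup.conf, write rule exclusions, and keep the sampling percentage at 100) are modelled in the following Python block. It is an added example written for this page; it is not code from ModSecurity, the OWASP CRS, or anyone in this thread. The rule ids in the 1000x0 range, the substring patterns, and all sample requests are constructed stand-ins; the severity values 5/4/3/2 and the "block when score >= threshold" comparison follow the CRS3 defaults.

```python
"""Toy model of CRS3 anomaly scoring (added illustration, not project code).

Reproduces: threshold vs. per-request score, the effect of a per-parameter
rule exclusion compared with raising the threshold, paranoia-level gating,
and why a sampling rate below 100% lets repeated requests slip through.
Rule ids, patterns and requests below are constructed samples."""
from dataclasses import dataclass, field

# Default CRS3 severity scores: critical 5, error 4, warning 3, notice 2.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass(frozen=True)
class Rule:
    id: int              # constructed id, not a real CRS rule
    paranoia_level: int  # rule is active at this PL or higher
    severity: str
    target: str          # variable prefix it inspects, e.g. "ARGS"
    pattern: str         # substring stand-in for the real rule's regex


@dataclass
class Exclusions:
    """Stand-ins for the two CRS exclusion mechanisms the tutorials use:
    ctl:ruleRemoveById (drop the rule) and ctl:ruleRemoveTargetById
    (drop the rule for one parameter only)."""
    remove_by_id: set = field(default_factory=set)
    remove_target_by_id: set = field(default_factory=set)  # {(rule_id, "ARGS:x")}


RULES = [
    Rule(100010, 1, "CRITICAL", "ARGS", "union select"),
    Rule(100020, 1, "CRITICAL", "ARGS", "<script"),
    Rule(100030, 1, "CRITICAL", "REQUEST_URI", "../"),
    Rule(100040, 1, "CRITICAL", "ARGS", "javascript:"),
    Rule(100050, 2, "WARNING", "ARGS", "'"),  # PL2 only: quote character in a parameter
]


def evaluate(request, threshold, paranoia_level, excl=None, rules=RULES):
    """Return (matched_rule_ids, inbound_score, blocked) for one request.
    Each matching rule adds its severity score once; CRS blocks when the
    summed score reaches the threshold (the blocking rule uses @ge)."""
    excl = excl or Exclusions()
    matched, score = [], 0
    for r in rules:
        if r.paranoia_level > paranoia_level or r.id in excl.remove_by_id:
            continue
        for name, value in request.items():
            if not name.startswith(r.target):
                continue
            if (r.id, name) in excl.remove_target_by_id:
                continue  # exclusion applies to this one parameter only
            if r.pattern in value.lower():
                matched.append(r.id)
                score += SEVERITY_SCORE[r.severity]
                break  # a rule scores once per request
    return matched, score, score >= threshold


# Constructed request that trips four critical PL1 rules (Christian's example).
FOUR_CRITICAL = {
    "REQUEST_URI": "/index.php?page=../",
    "ARGS:q": "union select",
    "ARGS:msg": "<script",
    "ARGS:cb": "javascript:",
}
# Constructed false positive: a blog comment that happens to contain SQL words.
COMMENT = {
    "REQUEST_URI": "/wp-comments-post.php",
    "ARGS:comment": "To merge both lists, use UNION SELECT in your query.",
}
# The same words sent through a different parameter (the search box).
SEARCH = {"REQUEST_URI": "/", "ARGS:s": "union select"}
# An apostrophe in a name: nothing at PL1, scored by the PL2 rule.
LOGIN = {"REQUEST_URI": "/wp-login.php", "ARGS:log": "O'Brien"}

# What a tuner writes for the comment field instead of editing the rule.
COMMENT_EXCLUSION = Exclusions(remove_target_by_id={(100010, "ARGS:comment")})


def bypass_probability(sampling_pct, attempts):
    """Chance that at least one of `attempts` identical requests is never
    inspected when only sampling_pct % of the traffic goes through the rules."""
    return 1 - (sampling_pct / 100) ** attempts


if __name__ == "__main__":
    print("threshold 25, 4 critical:", evaluate(FOUR_CRITICAL, 25, 1))
    print("comment, threshold 5:    ", evaluate(COMMENT, 5, 1))
    print("comment, threshold 40:   ", evaluate(COMMENT, 40, 1))
    print("comment, exclusion:      ", evaluate(COMMENT, 5, 1, COMMENT_EXCLUSION))
    print("search, exclusion:       ", evaluate(SEARCH, 5, 1, COMMENT_EXCLUSION))
    print("login PL1 / PL2:         ", evaluate(LOGIN, 5, 1), evaluate(LOGIN, 5, 2))
    print("bypass at 90%% sampling, 20 tries: %.3f" % bypass_probability(90, 20))
```

Running the block shows the two tuning moves side by side: raising the threshold to 40 lets the comment through but also lets the four-critical request through, whereas the per-parameter exclusion clears the comment field while the same words in the search parameter are still scored and blocked at threshold 5. The PL2 rule only contributes once the paranoia level is raised, which is why starting at the intended PL and tuning down avoids a second round of false positives later.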