The preparations for the OWASP ModSecurity Core Rules Paranoia Mode pull request are continuing. We identified around 45 rules to move into such a mode and I launched a core rules mailinglist discussion on eight or nine controversial cases. See the OWASP wiki for more infos. Given the progress we are making on that front, […]
[UPDATE: There is a separate tutorial about the Handling of False Positives (This article here is mostly about statistical data of the CRS2 rule set. Meanwhile CRS3 has been released).] ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it’s probably dead. A strict […]
It has been a while since we have seen big development in the OWASP ModSecurity Core Rules. This is due to the fact, that the development took place in a separate branch named 3.0.0-dev which adopts many of the newer features and operators included in ModSecurity since 2.7; notably @detectSQLi and @detectXSS. When you take […]
… or how to find an interface object from d.os.interfaces() or d.hw.fans() without a loop. The problem: in Zenoss transforms, I often need to do a check on an attribute of a component, e.g. re.search(‘stuff’, interface.description). The problem is, the event component does not contain the “interface” object. Instead, it contains the interface.getInterfaceName() string. The […]
This is a blog post about the OWASP ModSecurity Core Rules. The rule 981173 was recently updated in the 2.9 core rule branch to reduce the uuid induced false positives for the rule. Uuids are indeed a major source of false positives on this rule, also in installations I know. The said update pulled in […]
