Since a very long time, the rsyslog documentation mentions a lookup table feature, but as a proposal only. However, it is fully implemented as of version 8.18.0 and should become official “very soon”. On top of this, there is a bug in the documentation so the page explaining the actual implementation is not linked from […]
Truth be told, ModSecurity does not have a random function. If we need random numbers, we need to get them ourselves. Josh Zlatin has shown how you can do this with lua. If we do not want to use lua, we are left on your own devices. I am not in need of cryptographically secure […]
Chaim Sanders of Trustwave shared a link to a blogpost with XSS extracted from Reddit’s XSS subreddit. I sat in the train the other day and thought I could kill time by taking a look at the traffic and how ModSecurity and the Core Rules would handle it. Here is the traffic in question. Apparently, […]
The preparations for the OWASP ModSecurity Core Rules Paranoia Mode pull request are continuing. We identified around 45 rules to move into such a mode and I launched a core rules mailinglist discussion on eight or nine controversial cases. See the OWASP wiki for more infos. Given the progress we are making on that front, […]
[UPDATE: There is a separate tutorial about the Handling of False Positives (This article here is mostly about statistical data of the CRS2 rule set. Meanwhile CRS3 has been released).] ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it’s probably dead. A strict […]
