You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 14, 2020. It is now read-only.
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+16-32Lines changed: 16 additions & 32 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -69,69 +69,56 @@ please adhere to the following contributing guidelines.
69
69
skipAfter
70
70
```
71
71
72
+
## Variables naming conventions
73
+
74
+
* Variable names are lowercase using chars from `[a-z0-9_]`
75
+
* To somewhat reflect the fact that the syntax for variable usage is different when you define it (using setvar) and when you use it, we propose the following visual distinction:
76
+
* Capital letters for collection, colon as separator, variable name. E.g: `SecRule TX:foo_bar_variable`
77
+
* Lowercase letters for collection, dot as separator, variable name. E.g: `setvar:tx.foo_bar_variable`
78
+
72
79
## Rules compliance with each Paranoia Level (PL)
73
80
74
-
Rules in the CRS are organized in Paranoia Levels, which are described below.
81
+
Rules in the CRS are organized in Paranoia Levels, which allows you to choose the desired level of rule checks.
75
82
76
83
**PL0:**
77
84
78
85
* Modsec installed, but almost no rules
79
-
* Compliance check box ok but no flowers
80
86
81
87
**PL1:**
82
88
83
-
* Compliance check box ok with flowers
84
-
* Atomic checks in single rule
89
+
* Default level, keep in mind that most installations will normally use this one.
90
+
* If there is a complex memory consuming/evaluation rule it surely will be on upper levels, not this one
91
+
* Normally we will use atomic checks in single rules
85
92
* Confirmed matches only, all scores are allowed
86
-
* No false positives / Low FP
87
-
* False negatives are ok
88
-
* Your AWS free tier VM will run this for 100's sites
89
-
* Easy log management, grep is your friend
93
+
* No false positives / Low FP (Try to avoid adding rules with potential false positives!)
94
+
* False negatives could happen
90
95
91
96
**PL2:**
92
97
93
-
* Compliance check box ok you are getting in security side
94
-
* Chains usage is OK
98
+
* Chains usage are OK
95
99
* Confirmed matches use score critical
96
100
* Matches that cause false positives are limited to use score notice or warning
97
101
* Low False positive rates
98
102
* False negatives are not desirable
99
-
* Your AWS free tier VM will run this for 100 sites
100
-
* Easy log management, grep is your friend, turn yourself into regex/greping pro
101
103
102
104
**PL3:**
103
105
104
-
* Compliance check box ok you are well into security, check before shooting
105
106
* Chains usage with complex regex look arounds and macro expansions
106
107
* Confirmed matches use score warning or critical
107
108
* Matches that cause false positives are limited to use score notice
108
109
* False positive rates increased but limited to multiple matches (not single string)
109
-
* False negatives are evil
110
-
* Your AWS free tier VM will run this for 10's sites
111
-
* Using LB is recommended
112
-
* Not easy to hard log management, turn yourself into regex/greping ninja and get a SIEM
110
+
* False negatives should be a very unlikely accident
113
111
114
112
**PL4:**
115
113
116
-
* Compliance check box ok you bread security and you shoot whatever thing moves, shoot fist ask later
117
114
* Every item is inspected
118
115
* Variable creations allowed to avoid engine limitations
119
116
* Confirmed matches use score notice, warning or critical
120
117
* Matches that cause false positives are limited to use score notice and warning
121
118
* False positive rates increased (even on single string)
122
-
* False negatives are a kick in the ...
119
+
* False negatives should not happen here
123
120
* Check everything against RFC and white listed values for most popular elements
124
-
* Your AWS free tier VM will run this for a site
125
-
* You better use a LB
126
-
* Beg you are using ELK to manage your logs and have your ninja sword always sharp and have spare swords available at all times
127
-
* Red pill or blue pill?
128
121
129
-
**PL5:**
130
-
131
-
* Damn, why you took the red one?!
132
-
* go beyond modsec capabilities
133
-
* go Where No Man Has Gone Before
134
-
* Your WAF accepts only a single string with 1 letter in it hahahaha
135
122
136
123
## ID Numbering Scheme
137
124
@@ -156,6 +143,3 @@ Within a rule file / block, there are sometimes smaller groups of rules that bel
156
143
Stricter siblings often have a different paranoia level. This means that the base rule and the stricter sibling do not reside next to one another in the rule file. Instead they are ordered in their appropriate paranoia level and can be linked via the first digits of the rule id. It is a good practice to introduce stricter siblings together with the base rule in the comments of the base rule and to reference the base rule with the keyword stricter sibling in the comments of the stricter sibling. E.g. "... This is
157
144
performed in two separate stricter siblings of this rule: 9XXXX1 and 9XXXX2", "This is a stricter sibling of rule 9XXXX0."
0 commit comments