I'm in the process of modifying an existing ModSecurity ruleset and I'm wondering how I should handle the process of adding new, (mainly) untested rules to production systems.
At the moment, we do have a small set of active rules which is clearly not sufficient. I would like to add new rules from the OWASP ruleset without deactivating the already active rules but cannot risk to lose too much traffic because of false positives.
What is the general procedure for this? How do you update ModSecurity rules on your production systems? I think that it's not possible (or very time consuming) to build up adequate testing scenarios for new rules and I would like to expose those rules to "live traffic" to get an reliable impression.
What I basically need would be a way to set new rules to "DetectionOnly" while others are still active and should lead to actual blocking the detected traffic. Can this be done with ModSecurity?
(Also note that we are using ModSecurity in "TraditionalMode". A somewhat limited possibility in AnomalyScoringMode would probably be to set the AnonmalyScore of new rules to 0.)
Thanks!
