Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




 Post subject: Plesk Clients and ASL GUI
Posted: Fri Apr 23, 2010 3:46 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 476
This might be a very tall order but here it goes.

I have a client with a forum where the participants talk about things that often challenge the ASL rules. This often produces a false positive. As a result they contact me and I contact Atomic Support. Then I get to chase down the false positive (most often using that tool of tools, grep) and paste it into an email (since it's long since fallen off the GUI). He's frustrated and I don't have time to run through his logs looking for false positives all the time. Worst of all, he wants modsec turned off because of that frustration. I don't blame him but, at the same time, I want my server to be secure. I might just shut off anti-spam rules for that domain but that's less than optimal for both him and his users who will see an immediate jump in spam and XSS attacks. I see all the value of ASL but he really can't.

What would be superb is for my client to see exactly what ASL is doing for him. A mini-GUI, basically. I could give him a login (or maybe tie it to his Plesk login?) and he could see ASL events related to his domains. If he had a false positive he could report it to me directly and I could then, with one click, turn around and report it to you guys.

Win for him because now he sees all the crap ASL is blocking and can do something constructive about FP reports.
Win for me because I can simply see there's a FP for me to approve and I don't have to chase anything down.
Win for ASL because reporting just got a lot easier.


 Post subject: Re: Plesk Clients and ASL GUI
Posted: Sat Apr 24, 2010 8:33 am
Prolific Poster

Joined: Thu Dec 09, 2004 11:19 am
Posts: 920
Well, you could set up a monitor thing that would extract anything involving his domain from the logs and email them to him every night. Alternatively, you could do the same thing and stick them into a directory on his website with a simple GUI on top with a button that allows him to email you the false positives. Probably a day's work to get done and debugged?

The alternative I'd go for, however, would be to ask him to improve the security on his forum. Specifically, for him to manually approve everybody who joins (and to ask some non-trivial questions during sign-up -- this will help weed out at least 75% of the spammers and script kiddies), and ideally to moderate new posts from said new members for a few days. You could then disable certain rules without significant risk to security.

Depending on the forum, you could alternatively or additionally block access to it from certain countries. Seriously -- the number of mod_sec alerts we get is almost insignificant since we started blocking the "usual suspects".

You are welcome to try our mod_sec DNSBL for a week or so to see how well it works (or does not). I'd be happy to customise which countries it blocks for you too. If it works well then you might consider setting up your own - it is not hard to get set up, but does need a dedicated IP to run the dnsbl on, at least in my implementation.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
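
An added example, not part of the original thread and not ASL code: one way to do the per-domain extraction suggested in the reply above, assuming ModSecurity's serial audit-log layout (parts A, B, H, Z). The sample log, hostnames, IPs and rule ids are constructed, and `events_for_domain` is a hypothetical helper name.

```python
import re
# Constructed sample in ModSecurity's serial audit-log layout; hosts, IPs and rule ids are made up.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[23/Apr/2010:20:40:11 +0000] S9IKqH8AAAEAAB1x 192.0.2.10 51514 198.51.100.5 80
--1a2b3c4d-B--
POST /forum/posting.php HTTP/1.1
Host: forum.example.com
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "select.+from" at ARGS:message. [id "900001"] [msg "Constructed SQL rule"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[23/Apr/2010:20:41:02 +0000] S9IKqH8AAAEAAB1y 192.0.2.77 40022 198.51.100.5 80
--5e6f7a8b-B--
GET /index.php?q=1 HTTP/1.1
Host: shop.example.net
--5e6f7a8b-H--
Message: Warning. Pattern match "<script" at ARGS:q. [id "900002"] [msg "Constructed XSS rule"]
--5e6f7a8b-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_audit_log(text):
    """Yield one {part letter: [lines]} dict per A..Z transaction."""
    entry, part = None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(1) == "Z" and entry is not None:
            yield entry
            entry = None
        elif m:
            part = m.group(1)
            entry = {} if part == "A" else entry
        elif entry is not None and line:
            entry.setdefault(part, []).append(line)

def events_for_domain(text, domain):
    """Yield (timestamp, client_ip, request_line, rule_id, msg) per alert."""
    for e in parse_audit_log(text):
        host = next((l[5:].strip().lower() for l in e.get("B", []) if l[:5].lower() == "host:"), "")
        # Exact match, port stripped: a substring match would leak other tenants' events.
        if host and host.split(":")[0] == domain.lower():
            stamp, ip = re.match(r"\[([^\]]+)\] \S+ (\S+)", e["A"][0]).groups()
            for line in e.get("H", []):
                if line.startswith("Message:"):
                    tags = dict(TAG.findall(line))
                    yield (stamp, ip, e["B"][0], tags.get("id"), tags.get("msg"))
```

The Host header and the matched request data are client-supplied text, so escape them before putting them into an HTML page or mail shown to the client.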


 Post subject: Re: Plesk Clients and ASL GUI
Posted: Sun Apr 25, 2010 5:23 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 1174
Quote:
What would be superb is for my client to see exactly what ASL is doing for him. A mini-GUI, basically. I could give him a login (or maybe tie it to his Plesk login?) and he could see ASL events related to his domains. If he had a false positive he could report it to me directly and I could then, with one click, turn around and report it to you guys.


Neat idea. We'll look into the dependencies. This would require some pretty tight integration with the control panel to figure out what users have access to which domains. Much to think about...

_________________
Michael Shinn
Prometheus Global - home of Atomicorp and GotRoot labs.
Co-Author of Troubleshooting Linux Firewalls.
703-266-6006

