I found a rule ID from CRS 2.2.x that is not listed in IdNumbering.csv from CRS 3: 970002. It's from modsecurity_crs_50_outbound.conf and handles "Statistics Information Leakage". I can't find any similar rule in CRS 3, so I assume this rule was removed?

What I did find in IdNumbering.csv while grepping for 970002 are these entries:

9700020,951210
9700021,951220
9700022,951230
9700023,951240
9700024,951250
9700025,951260

But I can't find 9700020-9700025 in CRS 2.2.x. Where do those rules come from? Some older CRS version?

And a more general question: How was IdNumbering.csv compiled? Manually? Through a script? How reliable would you consider the information in there?

I'm wondering how safe it is to base some automated upgrade steps on IdNumbering.csv when I'm upgrading our customers from CRS 2.2.x to 3.x. They usually skip some rules to work around false positives. I know that this will be a somewhat painful major upgrade. I just don't know if I'd better make it extra painful by simply removing any skipped rules, especially since CRS 3.x improves a lot regarding false positives. Maybe someone can share some experiences?

Thanks for your help!
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

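The upgrade step the post asks about (turning a customer's CRS 2.2.x `SecRuleRemoveById` exclusions into CRS 3 ids via IdNumbering.csv) is easy to script, but the post's own findings show why it must not be done blindly: some old ids have no row at all (970002), and a row's target may not exist in the CRS 3 rule set. The Python below is an added example written for this thread, not code from the poster or from the CRS project. It assumes only the `old_id,new_id` line format of IdNumbering.csv that the post quotes; the CSV rows, the customer config snippet and the stand-in CRS 3 rule lines are constructed samples, and in practice you would read the real IdNumbering.csv and the `rules/*.conf` files from the CRS 3 tree.

```python
import csv
import io
import re

# Constructed sample in the "old_id,new_id" format of IdNumbering.csv; the rows
# are the ones quoted in the post. Read the real file from the CRS 3 tree in practice.
SAMPLE_IDNUMBERING = """\
9700020,951210
9700021,951220
9700022,951230
9700023,951240
9700024,951250
9700025,951260
"""

# Constructed customer ModSecurity snippet with CRS 2.2.x exclusions, using both
# forms SecRuleRemoveById accepts: single ids and a quoted "lo-hi" range.
SAMPLE_CUSTOMER_CONF = """\
# false-positive workarounds written against CRS 2.2.x
SecRuleRemoveById 970002 9700020
SecRuleRemoveById "9700022-9700024"
"""

# Constructed stand-in for the CRS 3 rule files, used only to check that the
# ids IdNumbering.csv points at really exist in the target rule set.
SAMPLE_CRS3_RULES = """\
SecRule RESPONSE_BODY "@rx foo" "id:951210,phase:4,deny"
SecRule RESPONSE_BODY "@rx bar" "id:'951230',phase:4,deny"
"""

ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)'?")
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def load_id_map(text):
    """Parse IdNumbering.csv text into {old_id: new_id}; report rows that conflict."""
    mapping, conflicts = {}, []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0].lstrip().startswith("#"):
            continue
        old, new = row[0].strip(), row[1].strip()
        if old in mapping and mapping[old] != new:
            conflicts.append(old)
        mapping[old] = new
    return mapping, conflicts


def parse_skipped_ids(conf_text):
    """Collect the ids removed by SecRuleRemoveById, expanding 'lo-hi' ranges."""
    ids = []
    for m in REMOVE_RE.finditer(conf_text):
        for token in m.group(1).replace('"', "").split():
            if "-" in token:
                lo, hi = (int(x) for x in token.split("-", 1))
                ids.extend(str(i) for i in range(lo, hi + 1))
            else:
                ids.append(token)
    return ids


def collect_rule_ids(rules_text):
    """Set of rule ids defined in the given CRS rule file text."""
    return set(ID_RE.findall(rules_text))


def translate_exclusions(skipped_ids, mapping, crs3_ids):
    """Split old exclusions into translated {old: new}, unmapped [old] (no CSV row,
    e.g. a rule dropped in CRS 3) and stale {old: new} (CSV points at an id that is
    not defined in CRS 3). Only 'translated' is safe to carry over automatically."""
    translated, unmapped, stale = {}, [], {}
    for old in skipped_ids:
        new = mapping.get(old)
        if new is None:
            unmapped.append(old)
        elif new not in crs3_ids:
            stale[old] = new
        else:
            translated[old] = new
    return translated, unmapped, stale


def render_crs3_exclusions(translated):
    """Emit one SecRuleRemoveById per mapped CRS 3 id, de-duplicated and sorted."""
    new_ids = sorted(set(translated.values()), key=int)
    return ["SecRuleRemoveById " + nid for nid in new_ids]


if __name__ == "__main__":
    mapping, conflicts = load_id_map(SAMPLE_IDNUMBERING)
    skipped = parse_skipped_ids(SAMPLE_CUSTOMER_CONF)
    crs3_ids = collect_rule_ids(SAMPLE_CRS3_RULES)
    translated, unmapped, stale = translate_exclusions(skipped, mapping, crs3_ids)
    print("\n".join(render_crs3_exclusions(translated)))
    print("review manually, no CRS 3 mapping:", unmapped)
    print("review manually, mapped id not in CRS 3:", stale)
    print("conflicting CSV rows:", conflicts)
```

The point of the three buckets is that the script never silently drops or silently re-applies an exclusion: an old id without a CSV row (970002 in the post) and a row whose target id is not defined in the CRS 3 files both end up in a review list, and only exclusions whose new id was verified against the actual rule files are written out. That keeps the automated part limited to what IdNumbering.csv can be checked to get right, and leaves the rest to the per-customer false-positive review that the move to CRS 3.x needs anyway.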