I'm in the process of moving from an old, stale modsec/crs config to the current version. In doing so, I am trying to understand a couple of things in particular with regards to getting all of the config files loaded in order in Apache.
As we all know, the file structure looks like this:

  modsec/
   + modsecurity_crs_10_config.conf.example
   + modsecurity_crs_48_local_exceptions.conf.example
   + base_rules/
   |   - *.conf *.data
   + optional_rules/
   |   - *.conf *.data
   + ...

The implication of this structure is that you will create your own local 10 and 48 files and put them in the top-level directory alongside the example files. BUT, then the docs say that your apache config should be as follows:

  Include modsec/*.conf
  Include modsec/base_rules/*.conf

So, my local 10 and 48 get loaded first, followed by the base_rules, which I don't believe will work correctly, right? The 48 needs to be loaded after the rules but before 49, no?

If my logic is correct, what is the best way to fix this?:

- Move 48.example into base_rules and update docs to say that the conf file needs to be created and edited in there?
- Update docs to say that you shouldn't Include base_rules/*.conf but should instead move the conf/data files you want into the top-level dir? (Not a good idea IMO.)
- Update the Apache config example to load files one at a time or by other fnmatch()-type patterns that will get 48 put in the right place? (Again, probably not a good idea.)
- ??? (Am I missing something?)

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
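The load order the post asks about, as an added example that is not part of the original message: the script builds a scratch copy of the layout and expands Include paths in directive order, with each wildcard sorted alphabetically, then reports where the 48 file lands. The file names under base_rules/ and the helper names (make_tree, load_order, placement_of_48) are constructed for illustration.

```shell
#!/bin/sh
# Added example: where the "48" file lands under a given set of Include lines.
# Names under base_rules/ are constructed samples in the modsecurity_crs_NN_*
# style; a real CRS checkout ships more files.
LC_ALL=C; export LC_ALL    # byte-wise collation so glob order is alphabetical

make_tree() {    # $1 = scratch directory to populate
    mkdir -p "$1/modsec/base_rules"
    for f in modsecurity_crs_10_config.conf modsecurity_crs_10_config.conf.example \
             modsecurity_crs_48_local_exceptions.conf \
             modsecurity_crs_48_local_exceptions.conf.example; do
        : > "$1/modsec/$f"
    done
    for f in 20_protocol_violations 41_sql_injection_attacks \
             49_inbound_blocking 60_correlation; do
        : > "$1/modsec/base_rules/modsecurity_crs_$f.conf"
    done
}

# Print files in load order: paths are taken in directive order, and each
# wildcard expands alphabetically. *.conf does not match *.conf.example.
load_order() {   # $1 = root, remaining args = Include paths relative to root
    root=$1; shift
    for pat in "$@"; do
        for f in "$root"/$pat; do
            if [ -e "$f" ]; then printf '%s\n' "${f#"$root"/}"; fi
        done
    done
}

# Read a load order on stdin and classify the position of the 48 file.
placement_of_48() {
    awk '/_48_/ { p48 = NR }  /_49_/ { p49 = NR }
         /base_rules\// && !first { first = NR }
         END { if (!p48)              print "48-not-loaded"
               else if (p48 < first)  print "48-before-all-base-rules"
               else if (p48 < p49)    print "48-after-rules-before-49"
               else                   print "48-after-49" }'
}

demo() {         # the two Include lines quoted from the docs in the post
    tmp=$(mktemp -d) && make_tree "$tmp"
    order=$(load_order "$tmp" 'modsec/*.conf' 'modsec/base_rules/*.conf')
    printf '%s\n' "$order"
    printf '%s\n' "$order" | placement_of_48
    rm -rf "$tmp"
}
demo
```

Passing individual file paths to load_order instead of wildcards models the "load files one at a time" option from the list above.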
