On 12/10/10 12:00 PM, "Jim Riggs" <[email protected]> wrote:

> I'm in the process of moving from an old, stale modsec/crs config to the
> current version.  In doing so, I am trying to understand a couple of things in
> particular with regards to getting all of the config files loaded in order in
> Apache.
> 
> As we all know, the file structure looks like this:
> 
> modsec/
> + modsecurity_crs_10_config.conf.example
> + modsecurity_crs_48_local_exceptions.conf.example
> + base_rules/
> | - *.conf *.data
> + optional_rules/
> | - *.conf *.data
> + ...
> 
> The implication of this structure is that you will create your own local 10
> and 48 files and put them in the top-level directory alongside the example
> files.  BUT, then the docs say that your apache config should be as follows:
> 
> Include modsec/*.conf
> Include modsec/base_rules/*.conf
> 
> So, my local 10 and 48 get loaded first, followed by the base_rules, which I
> don't believe will work correctly, right?  The 48 needs to be loaded after the
> rules but before 49, no?  If my logic is correct, what is the best way to fix
> this?:
> 
> - Move 48.example into base_rules and update docs to say that the conf file
> needs to be created and edited in there?

Hey Jim,
This is the recommended approach.  Previously, we had the file in the
base_rules directory and it was called
modsecurity_crs_48_local_exceptions.conf.  We needed to change this as a CRS
update would overwrite the locally updated file.  I initially moved it up
one level to get it out of the base_rules directory so that it wouldn't
accidentally be included in an Include wildcard directive.  After looking at
this some more, we still had issues with people wild-carding all *.conf in
the main directory... So, I went in and renamed it to have an ".example"
extension.  With this new extension, we can now just move it back to the
base_rules directory.

So, to make this long explanation clear :)  We will move the
modsecurity_crs_48_local_exceptions.conf.example file back into the
base_rules directory.  Users should then rename it and drop the ".example"
extension when they want to add local exceptions.  This should make updates
easier as the CRS will only update the ".extension" file and it should be in
the right location to work with the numbering scheme.

Sorry for the confusion :)

-Ryan

> 
> - Update docs to say that you shouldn't Include base_rules/*.conf but should
> instead move the conf/data files you want into the top-level dir?  (Not a good
> idea IMO.)
> 
> - Update the Apache config example to load files one at a time or by other
> fnmatch()-type patterns that will get 48 put in the right place?  (Again,
> probably not a good idea.)
> 
> - ??? (Am I missing something?)
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
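To make the ordering problem in this thread concrete, here is an added example (not code from the thread or from the CRS project) that builds the two directory layouts under discussion and emulates the two `Include` lines. It assumes Apache expands each wildcard `Include` in alphabetical order, one directive at a time; the 20 and 49 file names are constructed placeholders.

```shell
#!/bin/sh
# Emulate:
#   Include modsec/*.conf
#   Include modsec/base_rules/*.conf
# Assumption: Apache expands each wildcard Include alphabetically, one
# directive after the other, which is what the shell glob below does too.
set -e

# emulate_includes <root>: print the effective load order, one file per line
emulate_includes() {
    for f in "$1"/*.conf "$1"/base_rules/*.conf; do
        if [ -e "$f" ]; then
            basename "$f"
        fi
    done
}

# make_tree <root> <dir_for_48>: constructed CRS-like tree; only the 10 and
# 48 file names come from the thread, 20 and 49 are placeholders
make_tree() {
    mkdir -p "$1/base_rules"
    touch "$1/modsecurity_crs_10_config.conf"
    touch "$1/base_rules/modsecurity_crs_20_placeholder.conf"
    touch "$1/base_rules/modsecurity_crs_49_placeholder.conf"
    touch "$2/modsecurity_crs_48_local_exceptions.conf"
}

# position_of <file> <root>: 1-based position of <file> in the load order
position_of() {
    emulate_includes "$2" | awk -v n="$1" '$0 == n { print NR; exit }'
}

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Layout from the question: local 48 sits in the top-level directory
make_tree "$ROOT/toplevel" "$ROOT/toplevel"
# Layout from the answer: local 48 lives inside base_rules
make_tree "$ROOT/moved" "$ROOT/moved/base_rules"

echo "48 in top-level dir (loads before every base rule):"
emulate_includes "$ROOT/toplevel"
echo
echo "48 moved into base_rules (loads after the rules, before 49):"
emulate_includes "$ROOT/moved"
```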

