Comments inline below.
________________________________
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
[owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] on behalf of Leonardo
Bacha Abrantes [leona...@lbasolutions.com]
Sent: Tuesday, March 12, 2013 8:04 AM
To: OWASP Mod Security
Subject: [Owasp-modsecurity-core-rule-set] impact to update modsecurity
Hi guys,
good morning!!
My apache server is working with modsecurity 2.7.0-rc2 and I thinking to update
it to crs-2.2.7-13-g40b2c75.
Are you also able to update ModSecurity itself? Our current stable release is
v2.7.2 and we will be releasing v2.7.3 later this month. I always recommend
updating the current versions as we fix bugs and add new important features.
I created a file modsecurity_crs_15_custom_rules.conf with some rules about
false positives as:
SecRule REQUEST_URI "^/admin/settings/ckeditor"
id:30,phase:1,chain,log,t:none,allow
SecRule REMOTE_ADDR "@rx ^10\.21\.12\.150" t:none,ctl:ruleEngine=off
<Location "/">
SecRuleRemoveById 960017
</Location>
I would like to know what is the impact if I migrate to the new version of
modsecurity, I mean, will the rules below work, etc ?
Updating to newer ModSecurity version should not impact your rules. One note
about doing these types of exceptions:
1. For your first rule - I would recommend using the @ipMatch operator as it
was created specifiecally to handle IP addresses. There are many errors that
could be made when using @rx to analyze IP addresses.
2. For your second rule - you do not need to place this within Apache scope
containers (Location). You can just specify it on its own. One recommendation
however, when you are using these types of "explicit" rule removals (mean that
they are not contingent upon run time data) you should move them to run *after*
the normal CRS rules in a file called - modsecurity_crs_60_custom_rules.conf.
When using SecRuleRemoveById, the rule it is disabling has to have already been
read at startup. If you define the SecRuleRemoveById *before* the rule it is
disabling, it will not work as the rule ID data is not yet in memory.
->> second question
SecRule REQUEST_URI "^/admin/settings/ckeditor"
id:30,phase:1,chain,log,t:none,allow
SecRule REMOTE_ADDR "@rx ^10\.21\.12\.150" t:none,ctl:ruleEngine=off
why if I replace ruleEngine=off by SecRuleRemoveById=960017, for example, it
will fail ?
The reason is that SecRuleRemoveByID is a directive. You can not include it
within the SecRule action line. You can use ctl:ruleRemoveById=960017 instead.
-Ryan
many thanks!
________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
