Hi Ryan, Many thanks for the explanation!!!!
:) On Tue, Mar 12, 2013 at 1:13 PM, Ryan Barnett <rbarn...@trustwave.com>wrote: > Comments inline below. > > ------------------------------ > *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [ > owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] on behalf of > Leonardo Bacha Abrantes [leona...@lbasolutions.com] > *Sent:* Tuesday, March 12, 2013 8:04 AM > *To:* OWASP Mod Security > *Subject:* [Owasp-modsecurity-core-rule-set] impact to update modsecurity > > Hi guys, > good morning!! > > My apache server is working with modsecurity 2.7.0-rc2 and I thinking to > update it to crs-2.2.7-13-g40b2c75. > > Are you also able to update ModSecurity itself? Our current stable > release is v2.7.2 and we will be releasing v2.7.3 later this month. I > always recommend updating the current versions as we fix bugs and add new > important features. > > I created a file modsecurity_crs_15_custom_rules.conf with some rules > about false positives as: > > > SecRule REQUEST_URI "^/admin/settings/ckeditor" > id:30,phase:1,chain,log,t:none,allow > SecRule REMOTE_ADDR "@rx ^10\.21\.12\.150" t:none,ctl:ruleEngine=off > > <Location "/"> > SecRuleRemoveById 960017 > </Location> > > I would like to know what is the impact if I migrate to the new version of > modsecurity, I mean, will the rules below work, etc ? > > Updating to newer ModSecurity version should not impact your rules. One > note about doing these types of exceptions: > > 1. For your first rule - I would recommend using the @ipMatch operator > as it was created specifiecally to handle IP addresses. There are many > errors that could be made when using @rx to analyze IP addresses. > 2. For your second rule - you do not need to place this within Apache > scope containers (Location). You can just specify it on its own. One > recommendation however, when you are using these types of "explicit" rule > removals (mean that they are not contingent upon run time data) you should > move them to run *after* the normal CRS rules in a file called - > modsecurity_crs_60_custom_rules.conf. When using SecRuleRemoveById, the > rule it is disabling has to have already been read at startup. If you > define the SecRuleRemoveById *before* the rule it is disabling, it will not > work as the rule ID data is not yet in memory. > > > *->> second question* > > > SecRule REQUEST_URI "^/admin/settings/ckeditor" > id:30,phase:1,chain,log,t:none,allow > SecRule REMOTE_ADDR "@rx ^10\.21\.12\.150" t:none,ctl:*ruleEngine=off* > > why if I replace *ruleEngine=off *by* * > *SecRuleRemoveById=960017*, for example, it will fail ? > > The reason is that SecRuleRemoveByID is a directive. You can not include > it within the SecRule action line. You can use ctl:ruleRemoveById=960017 > instead. > > -Ryan > > many thanks! > > > ------------------------------ > > This transmission may contain information that is privileged, > confidential, and/or exempt from disclosure under applicable law. If you > are not the intended recipient, you are hereby notified that any > disclosure, copying, distribution, or use of the information contained > herein (including any reliance thereon) is STRICTLY PROHIBITED. If you > received this transmission in error, please immediately contact the sender > and destroy the material in its entirety, whether in electronic or hard > copy format. >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
