I'm running an application with mod_security as a host based firewall. I've successfully gotten the CRS installed and have come across my first false positive that I now need to handle. I have a couple hurdles to deal with if I'm going to be making changes to the CRS to deal with any false positives I run into. The first issue, is that I of course want to be able to easily update CRS in the future, so I'm concerned about making changes to the CRS files that may conflict with future updates. The second is that my application runs on a scalable array of servers, so changing the files on one server isn't really an option anyway.
ideally I'd like to have a file of "exceptions" installed on each server when the server starts up, that is loaded in addition to all the default rules, without having to modify those files. Then all I have to do is manage the script that creates that exception file. Is this technique possible with mod_security + crs? /John _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
