Hello,

I don't know if it's necessary to change, since all CRS rules match the pattern TX:/^\d+\-/. But if it's needed to match the original pattern and the new one, then we only need to change it to

    SecRule TX:/^\d+\-/|TX:/^\d/ "(.*)"

This rule would first match the \d+\-/, so this would still count when a CRS rule is matched, but if none matched, the /^\d/ is there for local rules.
Best Regards
Michael

2013/8/8 chris derham <ch...@derham.me.uk>

> Ah ok - my bad. Guess I didn't understand your original post properly :-(
>
> So what I (now) think you are saying is "some of the rules in
> modsecurity_crs_41_sql_injection_attacks.conf will no longer work with
> anomaly scoring blocking, as they don't include
> "setvar:tx.%{rule.id}-SOMETHING". I had a look and see that if you
> search for "setvar:'tx.%{tx.msg}-", you will get 22 hits. My guess is
> that you are trying to say that these be changed to become
> "setvar:'tx.%{tx.id}-"
>
> Does that sum up what you are trying to say? That still doesn't add up
> to me. The highlighted change only really altered the regex used -
> moving from a number to a number terminated by a space. This won't
> cause the issue you describe. I guess you are saying that since the
> last time you coded your rule, this has changed, and this is the last
> change on that file? The initial version of the file on 14th Sep 2012
> had the line "SecRule TX:/^\d/ "(.*)"" which would still require
> "setvar:tx.%{rule.id}-SOMETHING". I guess you need to explain what
> your concern really is - well at least to me. Perhaps everyone else
> understands already - sorry for being slow
>
> Thanks
>
> Chris
>
> On Thu, Aug 8, 2013 at 2:44 PM, <rp-modsec-crs-l...@bev.net> wrote:
> > I posted the original question. But, let me add some clarification.
> > Almost all of the stock CRS rules will block in anomaly scoring mode as-is.
> > But, there are a couple in the SQLi rules (I think) that might not (don't
> > have those handy).
> >
> > In other words, if you do nothing but straight CRS with no local or third
> > party rules, no problems.
> >
> > The issue is that local (or possibly non-CRS third party) rules you've added
> > (on top of CRS) with scoring will need more than just the score now. You must
> > also have a "setvar:tx.%{rule.id}-SOMETHING" (the need for a dash is what
> > effectively got changed).
> >
> > -RP
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
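
An added example (not from the thread participants or the CRS project): a small Python audit that expands the setvar names of three constructed local rules and lists which TX variables each selector quoted in the thread would pick up. The rule ids, messages and the ARGS:q value are assumptions, and the combined selector is modelled as a simple union of variable names.

```python
import re

# Selectors quoted in the thread, applied to TX variable *names*.
SELECTORS = {
    "old": re.compile(r"^\d"),              # TX:/^\d/
    "new": re.compile(r"^\d+\-"),           # TX:/^\d+\-/
    "combined": re.compile(r"^\d+\-|^\d"),  # TX:/^\d+\-/|TX:/^\d/ (union)
}

# Constructed local rules (hypothetical ids and messages, not CRS rules).
LOCAL_RULES = r'''
SecRule ARGS "@contains foo" "id:1000001,phase:2,pass,msg:'Local A',setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-LOCAL-%{matched_var_name}=%{matched_var}"
SecRule ARGS "@contains bar" "id:1000002,phase:2,pass,msg:'Local B',setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}_local=%{matched_var}"
SecRule ARGS "@contains baz" "id:1000003,phase:2,pass,msg:'Local C',setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-LOCAL-%{matched_var_name}=%{matched_var}'"
'''.strip().splitlines()


def tx_names(rule):
    """Return (rule id, TX variable names created by the rule's setvar actions)."""
    rule_id = re.search(r"\bid:'?(\d+)", rule).group(1)
    msg = re.search(r"msg:'([^']*)'", rule).group(1)
    # Assumption: tx.msg holds the rule's own msg; ARGS:q is a constructed match.
    macros = {"rule.id": rule_id, "rule.msg": msg, "tx.msg": msg,
              "matched_var_name": "ARGS:q"}

    def expand(m):
        return macros.get(m.group(1).lower(), "VALUE")

    raw = re.findall(r"setvar:'?tx\.([^=,]+)=", rule, re.I)
    return rule_id, [re.sub(r"%\{([^}]+)\}", expand, n) for n in raw]


def audit(rules):
    """Map rule id -> selector label -> TX names that selector would pick up."""
    report = {}
    for rule in rules:
        rule_id, names = tx_names(rule)
        report[rule_id] = {label: [n for n in names if rx.search(n)]
                           for label, rx in SELECTORS.items()}
    return report


if __name__ == "__main__":
    for rule_id, hits in audit(LOCAL_RULES).items():
        for label, names in hits.items():
            print(f"{rule_id} {label:9} {names or 'not seen'}")
```

A rule whose list is empty under a selector contributes to tx.anomaly_score but leaves no TX variable for that selector's rule to iterate over.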