Hello,

I don't know if it's necessary to change, since all CRS rules match the
pattern TX:/^\d+\-/.
But if it's needed to match the original pattern and the new one, then we
only need to change it to
SecRule TX:/^\d+\-/|TX:/^\d/ "(.*)"
This rule would first match the \d+\-/, so this would still count when a CRS
rule is matched, but if none matched, the /^\d/ is there for local rules.

Best Regards
Michael


2013/8/8 chris derham <ch...@derham.me.uk>

> Ah ok - my bad. Guess I didn't understand your original post properly :-(
>
> So what I (now) think you are saying is "some of the rules in
> modsecurity_crs_41_sql_injection_attacks.conf will no longer work with
> anomaly scoring blocking, as they don't include
> "setvar:tx.%{rule.id}-SOMETHING". I had a look and see that if you
> search for "setvar:'tx.%{tx.msg}-", you will get 22 hits. My guess is
> that you are trying to say that these be changed to become
> "setvar:'tx.%{tx.id}-"
>
> Does that sum up what you are trying to say? That still doesn't add up
> to me. The highlighted change only really altered the regex used -
> moving from a number to a number terminated by a space. This won't
> cause the issue you describe. I guess you are saying that since the
> last time you coded your rule, this has changed, and this is the last
> change on that file? The initial version of the file on 14th Sep 2012
> had the line "SecRule TX:/^\d/ "(.*)"" which would still require
> "setvar:tx.%{rule.id}-SOMETHING". I guess you need to explain what
> your concern really is - well at least to me. Perhaps everyone else
> understands already - sorry for being slow
>
> Thanks
>
> Chris
>
> On Thu, Aug 8, 2013 at 2:44 PM,  <rp-modsec-crs-l...@bev.net> wrote:
> > I posted the original question. But, let me add some clarification.
> > Almost all of the stock CRS rules will block in anomaly scoring mode as-is.
> > But, there are a couple in the SQLi rules (I think) that might not (don't
> > have those handy).
> >
> > In other words, if you are doing nothing but straight CRS with no local or
> > third party rules, no problems.
> >
> > The issue is that local (or possibly non-CRS third party) rules you've added
> > (on top of CRS) with scoring will need more than just the score now. You
> > must also have a "setvar:tx.%{rule.id}-SOMETHING" (the need for a dash is
> > what effectively got changed).
> >
> > -RP
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
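As an added illustration (not part of the original thread and not CRS code), the Python sketch below models which TX variable names each selector discussed above picks up, and reports the variables that drop out of view under the stricter pattern. The TX keys and rule IDs are constructed sample values, and Python's `re.search` is assumed here as a stand-in for ModSecurity's regex selection of collection keys.

```python
import re

# Variable-name selectors from the thread. The regex between the slashes
# is applied to each key of the TX collection.
OLD = [r"^\d"]                    # initial version:  TX:/^\d/
NEW = [r"^\d+\-"]                 # changed version:  TX:/^\d+\-/
PROPOSED = [r"^\d+\-", r"^\d"]    # suggestion:       TX:/^\d+\-/|TX:/^\d/

# Constructed TX collection (sample keys, not taken from a real transaction).
SAMPLE_TX = {
    "anomaly_score": "10",                            # score counter
    "sql_injection_score": "5",                       # score counter
    "msg": "local test rule",                         # free-text variable
    "1000001-LOCAL_SQLI-ARGS:id": "1' or '1'='1",     # id plus dash form
    "1000002": "1' or '1'='1",                        # id only, no dash
}


def visible_keys(tx, patterns):
    """Return the TX keys selected by at least one of the selectors.

    This models only which names are selected, not how often the engine
    would evaluate a key that several selectors pick up.
    """
    compiled = [re.compile(p) for p in patterns]
    return sorted(k for k in tx if any(c.search(k) for c in compiled))


def lost_after_change(tx):
    """Keys the old selector saw that the new selector no longer sees."""
    return sorted(set(visible_keys(tx, OLD)) - set(visible_keys(tx, NEW)))


if __name__ == "__main__":
    for name, pats in (("old", OLD), ("new", NEW), ("proposed", PROPOSED)):
        print(f"{name:9s}", visible_keys(SAMPLE_TX, pats))
    print("lost     ", lost_after_change(SAMPLE_TX))
```

Running the same check over the variable names your own local rules set shows which of them need the `setvar:tx.%{rule.id}-SOMETHING` form to stay visible to the blocking rule.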