ctl:ruleRemoveById must appear BEFORE the rule in question. Where as SecRuleRemoveByID must appear after. See the excerpt from this issue (https://github.com/SpiderLabs/ModSecurity/issues/209). Hope this isn’t too confusing :)
From: Guilherme Y <asiaya...@hotmail.com<mailto:asiaya...@hotmail.com>> Date: Friday, May 15, 2015 at 10:51 AM To: Barry Pollard <barry_poll...@hotmail.com<mailto:barry_poll...@hotmail.com>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] Rule 960009 generates false positives from my own server IP ctl:ruleRemoveById ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
