Hi there, @Chaim: I am posting to the mailing list, so this post is archived.
I took a closer look at the id renumbering between 2.2.9 and 3.0.0-rc1 (or between 3.0.0-dev and 3.0.0-rc1, to be more precise) as documented in https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv

The file brings 177 rule IDs. The origin of most of the rules is clear. But there are a few special cases. Here is the list:

900050 : unknown (possibly introduced with 3.0.0-dev)
900051 : unknown (possibly introduced with 3.0.0-dev)
900051 : unknown (possibly introduced with 3.0.0-dev)
950000 : crs-2.2.9-base-rules-ids
950001 : crs-2.2.9-base-rules-ids
950003 : crs-2.2.9-base-rules-ids
950005 : crs-2.2.9-base-rules-ids
950009 : crs-2.2.9-base-rules-ids
950012 : crs-2.2.9-base-rules-ids
950103 : crs-2.2.9-base-rules-ids
950104 : unknown (possibly introduced with 3.0.0-dev)
950107 : crs-2.2.9-base-rules-ids
950108 : crs-2.2.9-base-rules-ids
950109 : crs-2.2.9-base-rules-ids
950116 : crs-2.2.9-base-rules-ids
950117 : crs-2.2.9-base-rules-ids
950118 : crs-2.2.9-base-rules-ids
950119 : crs-2.2.9-base-rules-ids
950120 : crs-2.2.9-base-rules-ids
950801 : crs-2.2.9-base-rules-ids
950901 : crs-2.2.9-base-rules-ids
950907 : crs-2.2.9-base-rules-ids
950910 : crs-2.2.9-base-rules-ids
950911 : crs-2.2.9-base-rules-ids
950912 : unknown (possibly introduced with 3.0.0-dev)
950913 : unknown (possibly introduced with 3.0.0-dev)
950914 : unknown (possibly introduced with 3.0.0-dev)
950915 : unknown (possibly introduced with 3.0.0-dev)
950916 : unknown (possibly introduced with 3.0.0-dev)
958230 : crs-2.2.9-base-rules-ids
958231 : crs-2.2.9-base-rules-ids
958295 : crs-2.2.9-base-rules-ids
958977 : crs-2.2.9-base-rules-ids
958978 : unknown (possibly introduced with 3.0.0-dev)
958979 : unknown (possibly introduced with 3.0.0-dev)
958980 : unknown (possibly introduced with 3.0.0-dev)
959151 : crs-2.2.9-base-rules-ids
960000 : crs-2.2.9-base-rules-ids
960006 : crs-2.2.9-base-rules-ids
960007 : crs-2.2.9-base-rules-ids
960008 : crs-2.2.9-base-rules-ids
960009 : crs-2.2.9-base-rules-ids
960010 : crs-2.2.9-base-rules-ids
960011 : crs-2.2.9-base-rules-ids
960012 : crs-2.2.9-base-rules-ids
960015 : crs-2.2.9-base-rules-ids
960016 : crs-2.2.9-base-rules-ids
960017 : crs-2.2.9-base-rules-ids
960021 : crs-2.2.9-base-rules-ids
960032 : crs-2.2.9-base-rules-ids
960034 : crs-2.2.9-base-rules-ids
960035 : crs-2.2.9-base-rules-ids
960038 : crs-2.2.9-base-rules-ids
960208 : crs-2.2.9-base-rules-ids
960209 : crs-2.2.9-base-rules-ids
960335 : crs-2.2.9-base-rules-ids
960341 : crs-2.2.9-base-rules-ids
960342 : crs-2.2.9-base-rules-ids
960343 : crs-2.2.9-base-rules-ids
960901 : crs-2.2.9-base-rules-ids
960904 : crs-2.2.9-base-rules-ids
960911 : crs-2.2.9-base-rules-ids
960912 : crs-2.2.9-base-rules-ids
960914 : crs-2.2.9-base-rules-ids
960915 : crs-2.2.9-base-rules-ids
970003 : crs-2.2.9-base-rules-ids
970004 : crs-2.2.9-base-rules-ids
970009 : crs-2.2.9-base-rules-ids
970013 : crs-2.2.9-base-rules-ids
970014 : crs-2.2.9-base-rules-ids
970015 : crs-2.2.9-base-rules-ids
970017 : unknown (possibly introduced with 3.0.0-dev)
970017 : unknown (possibly introduced with 3.0.0-dev)
970118 : crs-2.2.9-base-rules-ids
970901 : crs-2.2.9-base-rules-ids
970902 : crs-2.2.9-base-rules-ids
970904 : crs-2.2.9-base-rules-ids
973315 : crs-2.2.9-base-rules-ids
973317 : crs-2.2.9-base-rules-ids
973318 : crs-2.2.9-base-rules-ids
973319 : crs-2.2.9-base-rules-ids
973320 : crs-2.2.9-base-rules-ids
973321 : crs-2.2.9-base-rules-ids
973322 : crs-2.2.9-base-rules-ids
973323 : crs-2.2.9-base-rules-ids
973324 : crs-2.2.9-base-rules-ids
973326 : crs-2.2.9-base-rules-ids
973336 : crs-2.2.9-base-rules-ids
973337 : crs-2.2.9-base-rules-ids
973338 : crs-2.2.9-base-rules-ids
973339 : unknown (possibly introduced with 3.0.0-dev)
973340 : unknown (possibly introduced with 3.0.0-dev)
973341 : unknown (possibly introduced with 3.0.0-dev)
973342 : unknown (possibly introduced with 3.0.0-dev)
973343 : unknown (possibly introduced with 3.0.0-dev)
973344 : crs-2.2.9-base-rules-ids
973345 : crs-2.2.9-base-rules-ids
973346 : crs-2.2.9-base-rules-ids
973348 : crs-2.2.9-base-rules-ids
973350 : unknown (possibly introduced with 3.0.0-dev)
981020 : crs-2.2.9-base-rules-ids
981021 : crs-2.2.9-base-rules-ids
981044 : crs-2.2.9-experimental-rules-ids
981045 : crs-2.2.9-experimental-rules-ids
981046 : crs-2.2.9-experimental-rules-ids
981047 : crs-2.2.9-experimental-rules-ids
981048 : crs-2.2.9-experimental-rules-ids
981049 : crs-2.2.9-experimental-rules-ids
981138 : crs-2.2.9-optional-rules-ids
981139 : crs-2.2.9-optional-rules-ids
981140 : crs-2.2.9-optional-rules-ids
981141 : unknown (possibly introduced with 3.0.0-dev)
981142 : crs-2.2.9-experimental-rules-ids
981143 : crs-2.2.9-optional-rules-ids
981144 : crs-2.2.9-optional-rules-ids
981175 : crs-2.2.9-base-rules-ids
981176 : crs-2.2.9-base-rules-ids
981179 : unknown (possibly introduced with 3.0.0-dev)
981180 : crs-2.2.9-optional-rules-ids
981181 : crs-2.2.9-optional-rules-ids
981182 : crs-2.2.9-optional-rules-ids
981183 : unknown (possibly introduced with 3.0.0-dev)
981184 : crs-2.2.9-optional-rules-ids
981186 : unknown (possibly introduced with 3.0.0-dev)
981187 : crs-2.2.9-experimental-rules-ids
981200 : crs-2.2.9-base-rules-ids
981201 : crs-2.2.9-base-rules-ids
981202 : crs-2.2.9-base-rules-ids
981203 : crs-2.2.9-base-rules-ids
981204 : crs-2.2.9-base-rules-ids
981205 : crs-2.2.9-base-rules-ids
981227 : crs-2.2.9-base-rules-ids
981240 : crs-2.2.9-base-rules-ids
981241 : crs-2.2.9-base-rules-ids
981242 : crs-2.2.9-base-rules-ids
981243 : crs-2.2.9-base-rules-ids
981244 : crs-2.2.9-base-rules-ids
981245 : crs-2.2.9-base-rules-ids
981246 : crs-2.2.9-base-rules-ids
981247 : crs-2.2.9-base-rules-ids
981248 : crs-2.2.9-base-rules-ids
981249 : crs-2.2.9-base-rules-ids
981250 : crs-2.2.9-base-rules-ids
981251 : crs-2.2.9-base-rules-ids
981252 : crs-2.2.9-base-rules-ids
981253 : crs-2.2.9-base-rules-ids
981254 : crs-2.2.9-base-rules-ids
981255 : crs-2.2.9-base-rules-ids
981256 : crs-2.2.9-base-rules-ids
981257 : crs-2.2.9-base-rules-ids
981261 : unknown (possibly introduced with 3.0.0-dev)
981270 : crs-2.2.9-base-rules-ids
981272 : crs-2.2.9-base-rules-ids
981276 : crs-2.2.9-base-rules-ids
981277 : crs-2.2.9-base-rules-ids
981318 : crs-2.2.9-base-rules-ids
981319 : crs-2.2.9-base-rules-ids
981320 : crs-2.2.9-base-rules-ids
990002 : crs-2.2.9-base-rules-ids
990901 : crs-2.2.9-base-rules-ids
990902 : crs-2.2.9-base-rules-ids
9700010 : unknown (possibly introduced with 3.0.0-dev)
9700011 : unknown (possibly introduced with 3.0.0-dev)
9700012 : unknown (possibly introduced with 3.0.0-dev)
9700013 : unknown (possibly introduced with 3.0.0-dev)
9700014 : unknown (possibly introduced with 3.0.0-dev)
9700015 : unknown (possibly introduced with 3.0.0-dev)
9700016 : unknown (possibly introduced with 3.0.0-dev)
9700017 : unknown (possibly introduced with 3.0.0-dev)
9700018 : unknown (possibly introduced with 3.0.0-dev)
9700019 : unknown (possibly introduced with 3.0.0-dev)
9700020 : unknown (possibly introduced with 3.0.0-dev)
9700021 : unknown (possibly introduced with 3.0.0-dev)
9700022 : unknown (possibly introduced with 3.0.0-dev)
9700023 : unknown (possibly introduced with 3.0.0-dev)
9700024 : unknown (possibly introduced with 3.0.0-dev)
9700025 : unknown (possibly introduced with 3.0.0-dev)

So we have quite a bunch of renumbered rules which never appeared in a formal release. I assume they were introduced in the 3.0.0-dev branch.

The problem for me is the rules from the optional branches of the 2.2.X ruleset:

- optional rules
- experimental rules
- slr rules

The slr rules seem to have been dropped. All 2088 of them. (Anybody ever worked with these in production?) Most of the optional rules and experimental rules are gone as well.
However, some of them seem to have been carried over:

981044 : crs-2.2.9-experimental-rules-ids
981045 : crs-2.2.9-experimental-rules-ids
981046 : crs-2.2.9-experimental-rules-ids
981047 : crs-2.2.9-experimental-rules-ids
981048 : crs-2.2.9-experimental-rules-ids
981049 : crs-2.2.9-experimental-rules-ids
981142 : crs-2.2.9-experimental-rules-ids
981187 : crs-2.2.9-experimental-rules-ids
981138 : crs-2.2.9-optional-rules-ids
981139 : crs-2.2.9-optional-rules-ids
981140 : crs-2.2.9-optional-rules-ids
981143 : crs-2.2.9-optional-rules-ids
981144 : crs-2.2.9-optional-rules-ids
981180 : crs-2.2.9-optional-rules-ids
981181 : crs-2.2.9-optional-rules-ids
981182 : crs-2.2.9-optional-rules-ids
981184 : crs-2.2.9-optional-rules-ids

But in fact, I think these are false friends:

IdNumbering.csv: 981142,910150

981142 (from the experimental rules):

# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable. This is not done by
# default since the request body content-type is JSON.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1, id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

910150:

SecRule TX:block_spammer_ip "@eq 1" \
    "msg:'HTTP Blacklist match for spammer IP',\

IdNumbering.csv: 981182,949140

981182 (from the optional rules):

#
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" ...

949140:

#
# -=[ Local File Inclusion (LFI) Score ]=-
#
SecRule TX:LFI_SCORE "@ge %{tx.lfi_score_threshold}" \
    "msg:'Local File Inclusion (LFI) Anomaly Threshold Exceeded (LFI Score: %{TX.LFI_SCORE})',\

So these two examples are clearly non-aligned. And I suspect so are the other rules with ids which used to appear in the optional and experimental rules. So is this simply an error with the renumbering, or are all optional and experimental rules dropped for 3.0.0?
And then there were new rules introduced which by accident re-used rule IDs of the 2.2.X optional and experimental ruleset? I am a bit at a loss here, and given we are combing all the rules for a possible inclusion in the paranoid mode, this has to be solved.

Any response is much appreciated!

Christian

--
The Devil is not the Prince of Matter; the Devil is the arrogance of the spirit, faith without smile, truth that is never seized by doubt. The Devil is grim because he knows where he is going, and, in moving, he always returns whence he came.
-- Umberto Eco
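As an added example (not code from the post or from the CRS project), the lookup behind the origin listing above in a few lines of Python: it reads IdNumbering.csv rows, reports which 2.2.9 rule file set declares each old ID (base, optional, experimental) or marks it unknown, and flags old IDs that are mapped twice, which is how a false friend like 981142 -> 910150 surfaces for manual review. Only the two CSV rows quoted in the post are real; the remaining rows and the rule-file fragments are constructed stand-ins.

```python
import re
from collections import Counter

# Constructed IdNumbering.csv sample (old_id,new_id): the first two rows are quoted
# in the post, the remaining rows are made-up placeholders, not real CRS mappings.
ID_NUMBERING_CSV = """\
981142,910150
981182,949140
950001,942100
900051,900990
900051,900991
9700010,933100
"""
# Constructed stand-ins for the 2.2.9 rule files, keyed by the origin label used
# in the post. Only the id:... action matters for the origin lookup.
CRS_229_RULE_FILES = {
    "crs-2.2.9-base-rules-ids":
        "SecRule ARGS \"@detectSQLi\" \"phase:2,id:'950001',t:none,block\"",
    "crs-2.2.9-experimental-rules-ids":
        "SecRule REQUEST_FILENAME \"@streq %{tx.csp_report_uri}\" "
        "\"phase:1,id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On\"",
    "crs-2.2.9-optional-rules-ids":
        "SecRule GLOBAL:'/XSS_LIST_.*/' \"@within %{response_body}\" \"phase:4,id:981182,block\"",
}
UNKNOWN = "unknown (possibly introduced with 3.0.0-dev)"
ID_ACTION = re.compile(r"\bid:'?(\d+)'?")  # matches both id:'950001' and id:950001

def rule_ids(rule_text):
    """Return the set of rule IDs declared through id:... actions in a rule file."""
    return set(ID_ACTION.findall(rule_text))

def parse_mapping(csv_text):
    """Return the (old_id, new_id) pairs of a renumbering CSV, in file order."""
    rows = (line.split(",", 1) for line in csv_text.splitlines() if line.strip())
    return [(old.strip(), new.strip()) for old, new in rows]

def classify_origins(csv_text, rule_files):
    """Name, for every old ID in the CSV, the 2.2.9 file set that declares it,
    or UNKNOWN when none does (the ID then only ever existed in 3.0.0-dev)."""
    index = {label: rule_ids(text) for label, text in rule_files.items()}
    return {old: next((label for label, ids in index.items() if old in ids), UNKNOWN)
            for old, _new in parse_mapping(csv_text)}

def duplicate_old_ids(csv_text):
    """Old IDs that are mapped more than once (900051 and 970017 appear twice
    in the post's listing); each such row is a candidate renumbering error."""
    counts = Counter(old for old, _new in parse_mapping(csv_text))
    return sorted(old for old, n in counts.items() if n > 1)
```

Pointing `CRS_229_RULE_FILES` at the real 2.2.9 base_rules, optional_rules, experimental_rules and slr_rules directories reproduces the full origin table; any old ID whose new rule text has nothing in common with the 2.2.9 rule of the same ID is the "false friend" case the post describes.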