Hi Christian,

Thanks for your reply.

While I agree the distinction at an Apache level is now meaningless (without 
changing compile options), there is still a usefulness at a ModSecurity level 
for ordering of rules (e.g. I want to whitelist after phase1 for example, 
primarily to reduce setting up of collections in phase 2 as much as possible as 
collections struggle with volume).

Will open the request on github and guess I should finally make the effort to 
stop living in the past and bring myself up to speed on git and pull requests, 
so I can actually contribute rather than just observing :-)

Not done a full review. These just jumped out at me due to a weird issue I 
noticed.

To save anyone else repeating my struggles, the latest version of mod_http2 
(1.5.1) changes the protocol logged from HTTP/2 to HTTP/2.0 so if you only have 
HTTP/2 allowed in modsecurity_crs_10_setup.conf then requests that reach phase 
2 will start blocking and if, like me, you whitelist "most" requests after 
phase 1 this might confuse you for a bit as to why only some are blocked!

Thanks,
Barry

> Date: Thu, 28 Apr 2016 08:34:07 +0200
> From: christian.fol...@netnea.com
> To: barry_poll...@hotmail.com
> CC: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Why are rules 960034, 960035 
> and 960038 phase 2?
> 
> Hi Barry,
> 
> The distinction between phase:1 and phase:2 was blurred with the moving
> of the phase:1 onto the same apache hook a few years back (in order to
> make SecRule phase:1 work in Location blocks).
> 
> But for people compiling with --enable-request-early and thus having a
> real phase:1 before the request body is received, for these people
> moving rules into phase:1 when possible makes a lot of sense.
> 
> I support your request and suggest you open a github issue. A direct
> pull request for the 3.0.0rc1 branch would be equally welcome.
> 
> In case: Did you check all the rules for phase:1 candidates or these
> just the ones that jumped on you?
> 
> Ahoj,
> 
> Christian
> 
> -- 
> Do not pray for an easy life.
> Pray for the strength to endure a difficult one.
> -- Bruce Lee
                                          
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
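
The mod_http2 protocol-string change described in the mail can be spotted from access logs before it shows up as unexplained blocks. The following is an added example, not part of the original thread or of the CRS: it tallies the protocol tokens seen in constructed sample log lines and reports those missing from an assumed allow-list, modelling the check as exact token membership (an assumption; the rule's operator is not shown in the thread).

```python
import re
from collections import Counter

# Assumed allow-list mirroring the situation in the mail: "HTTP/2" was added
# for h2 traffic, but not the newer "HTTP/2.0" spelling.
ALLOWED_HTTP_VERSIONS = "HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2"

# Quoted request line of an access-log entry: "METHOD URI PROTOCOL"
REQUEST_LINE = re.compile(r'"[A-Z]+ \S+ (?P<proto>HTTP/[0-9.]+)"')

# Constructed sample log lines (documentation addresses, invented requests).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Apr/2016:08:30:01 +0200] "GET / HTTP/1.1" 200 5120
192.0.2.11 - - [28/Apr/2016:08:30:02 +0200] "GET /index.html HTTP/2" 200 5120
192.0.2.12 - - [28/Apr/2016:08:31:40 +0200] "GET /index.html HTTP/2.0" 403 199
192.0.2.12 - - [28/Apr/2016:08:31:41 +0200] "POST /login HTTP/2.0" 403 199
192.0.2.13 - - [28/Apr/2016:08:31:45 +0200] "-" 408 0
"""


def protocols_seen(log_text):
    """Count each protocol token found in the request lines of a log."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:  # entries without a parsable request line ("-") are skipped
            counts[match.group("proto")] += 1
    return counts


def unlisted_protocols(log_text, allowed=ALLOWED_HTTP_VERSIONS):
    """Return {protocol: hits} for protocol tokens absent from the allow-list."""
    allowed_tokens = set(allowed.split())
    return {proto: hits for proto, hits in protocols_seen(log_text).items()
            if proto not in allowed_tokens}


if __name__ == "__main__":
    for proto, hits in sorted(unlisted_protocols(SAMPLE_LOG).items()):
        print(f"{proto}: {hits} request(s) not covered by the allow-list")
```
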
