Hey Philippe,

On Thu, Nov 30, 2017 at 10:13:46AM +0100, Philippe Naudin wrote:
> This is because 3.0.0 rules had a tag starting with OWASP_CRS/, and I
> use this tag to exclude all C.R.S. rules in rare cases like:
>   ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:sql_query
> But this tag is gone in some rules of version 3.0.2 (for example rules
> 921110 and following in REQUEST-921-PROTOCOL-ATTACK.conf).

I do not see this widespread tag to be in use on 921110 in 3.0.0 nor in
3.0.2. In fact the whole 921xxx rule file did not see any change between
these two versions.

Tags are not used in a systematic manner in CRS unfortunately. But a big
rule cleanup project has finished and systematization of the tagging is
high on the wishlist now.

If you want to disable CRS completely for a given request, there are
multiple options. A very good one is to remove all rule ids from
900000-999999 while in phase 1.

e.g.:

  ctl:ruleRemoveTargetById=900000-999999;ARGS:sql_query

Ahoj,

Christian

>
> Is there a better way to achieve this (completely excluding an element
> of a request from exam)?
>
> Thanks for your advice,
>
> --
> Philippe Naudin
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
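
A check for the situation discussed in this thread, as an added example that is not part of the original messages: before relying on a tag-based exclusion such as `ctl:ruleRemoveTargetByTag=OWASP_CRS`, list the rule ids in a rules file that carry no tag with that prefix. The sample rules, their ids and the function names are constructed for illustration.

```python
import re

ID_RE = re.compile(r"\bid:\s*'?(\d+)'?")
TAG_RE = re.compile(r"\btag:\s*(?:'([^']*)'|([^,'\"\s]+))")

# Constructed sample rules (hypothetical ids, not taken from CRS).
SAMPLE = r"""
# constructed rules for the example
SecRule ARGS "@rx foo" \
    "id:100100,phase:2,block,\
    tag:'application-multi',\
    tag:'OWASP_CRS/EXAMPLE/ONE'"
SecRule ARGS "@rx bar" \
    "id:100110,phase:2,block,tag:'application-multi',chain"
    SecRule ARGS_NAMES "@rx baz" "t:none"
SecRule REQUEST_URI "@rx qux" "id:100120,phase:1,pass,nolog"
"""

def logical_lines(conf_text):
    """Join backslash-continued lines into single directives."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") and not buf:
            continue                      # comment outside a directive
        if line.endswith("\\"):
            buf += line[:-1]              # continuation: keep collecting
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf

def rule_tags(conf_text):
    """Map rule id -> list of tags. Chained sub-rules have no id and are skipped."""
    rules = {}
    for directive in logical_lines(conf_text):
        if not directive.startswith(("SecRule", "SecAction")):
            continue
        m = ID_RE.search(directive)
        if m:
            rules[int(m.group(1))] = [q or u for q, u in TAG_RE.findall(directive)]
    return rules

def missing_tag(conf_text, prefix="OWASP_CRS"):
    """Rule ids a tag-based exclusion with this prefix would NOT cover."""
    return sorted(rid for rid, tags in rule_tags(conf_text).items()
                  if not any(t.startswith(prefix) for t in tags))

if __name__ == "__main__":
    print(missing_tag(SAMPLE))
```

Any id this reports stays active for the excluded argument when the exclusion is written by tag, which is the gap the id-range form in the reply avoids.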