Hi Armin,

What was the strange behaviour ?

Note:  In 2.7 ids must be numbers.

Thanks

Breno

On Tue, Nov 29, 2011 at 5:47 AM, Armin Abfalterer <a.abfalterer@gmail.com> wrote:
Hi Nick,

I encountered a related problem yesterday with
"ctl:ruleRemoveById="... mod_security v. 2.6.2 shows strange behaviour
with non-numeric IDs.

Armin


2011/11/29 Nick Gearls <nickgearls@gmail.com>:
> Some more info:
>
> 1. Adding ids to rules does not change the problem (and a lot of rules
> are actually skipped):
>
>    SecRule ... "phase:2,id:1,skipAfter:endOfTest"
>    SecRule ...  "phase:2,id:2,...'"
>    SecMarker endOfTest
>
> 2. Using a numerical id instead of "endOfTest" solves the problem:
>
>    SecRule ... "phase:2,id:1,skipAfter:3"
>    SecRule ...  "phase:2,id:2,...'"
>    SecMarker 3
>
> 3. The "string" syntax works correctly in phase:5 ?!?
>
> Any tip?
>
> Nick
>
> -------- Original Message --------
> Subject:        Strange things with SecMarker
> Date:   Tue, 29 Nov 2011 12:14:08 +0100
> From:   Nick Gearls <nickgearls@gmail.com>
> Reply-To:       nickgearls@gmail.com
> To:     mod-security-users@lists.sourceforge.net
> <mod-security-users@lists.sourceforge.net>
>
>
>
> Hello,
>
> I see very strange things in the debug log with the following example (v
> 2.5.13):
>
>    SecRule ... "phase:2,skipAfter:endOfTest"
>    SecRule ...  "phase:2,...'"
>    SecMarker endOfTest
>
> Debug log:
>
>    Warning. Match of ...
>    Rule returned 1.
>    Skipping after rule 69c0280 id="endOfTest" ->  mode SKIP_RULES.
>    Current rule is id="(null)" [chained 0] is trying to find the
>    SecMarker="endOfTest" [stater 0]
>    Current rule is id="950116" [chained 0] is trying to find the
>    SecMarker="endOfTest" [stater 0]
>    Current rule is id="950116" [chained 0] is trying to find the
>    SecMarker="endOfTest" [stater 0]
>    Current rule is id="(null)" [chained 0] is trying to find the
>    SecMarker="endOfTest" [stater 0]
>    Current rule is id="(null)" [chained 0] is trying to find the
>    SecMarker="endOfTest" [stater 0]
>    ...
>
> It seems that the engine is trying to find some order in the rules ids
> and tries to match rules defined outside this scope.
> Note that I did not define any rule id. Is this a problem?
> Is it mandatory to define ids for all rules to be skipped? If so, do
> they have to be sequential?
>
> Thanks,
>
> Nick
>
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/