On Thu, Nov 8, 2012 at 4:51 PM, Aaron M. Brown <aambrown@uindy.edu> wrote:
Hello list subscribers,

Is it possible to disable some of the CRS rules by default for all virtualhosts on a server and then enable rules for specific locations?

Hi Aaron,

How are you including the CRS rules? Have you tried specifying the rule sets you want in each individual virtual host config?
We tried the opposite approach - enable all CRS rules for all VirtualHosts and disable rules for specific locations using the LocationMatch directive and SecRuleRemoveById. But we ended up getting thousands of false positives on pages that didn't really need some of the CRS enabled.

Also, are there any good tools (can be command line / GUI / whatever) for viewing a modsec log by hostname?  I'd like to be able to see which rules we should disable / enable by looking at the logs we have collected.  It would be helpful if I could pull the audit records for a particular host.

Have you looked at AuditConsole (http://jwall.org/web/audit/console/index.jsp)?

 - Josh

Thanks in advance!

Aaron Brown
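
An added example, not part of the thread and not code from AuditConsole or the ModSecurity project: one way to answer the per-host question from the command line is to parse the audit log and count triggered rule IDs per Host header. It assumes the ModSecurity 2.x serial (single-file) audit log layout with parts B and H logged; the sample entries, boundaries and hostnames are constructed and the Message lines are abbreviated.

```python
import re
from collections import Counter, defaultdict
# Constructed, abbreviated sample in the ModSecurity 2.x serial audit-log layout.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[08/Nov/2012:16:51:02 +0000] CONSTRUCTED-TXN-0001 192.0.2.10 51000 192.0.2.1 80
--1a2b3c4d-B--
GET /search?q=test HTTP/1.1
Host: www.example.org

--1a2b3c4d-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"]
Message: Warning. [id "960009"] [msg "Request Missing a User Agent Header"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[08/Nov/2012:16:52:10 +0000] CONSTRUCTED-TXN-0002 192.0.2.11 51001 192.0.2.1 80
--5e6f7a8b-B--
POST /upload HTTP/1.1
Host: Intranet.Example.org

--5e6f7a8b-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"]
--5e6f7a8b-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --1a2b3c4d-B--
RULE_ID = re.compile(r'\[id "(\d+)"\]')                 # rule id inside a Message line

def rule_hits_by_host(text):
    """Return {host: Counter({rule_id: hits})} from serial audit-log text."""
    hits, host, ids, part = defaultdict(Counter), None, [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "A":                         # header part: new transaction
                host, ids = "(no Host header)", []
            elif part == "Z" and host is not None:  # end marker: commit the entry
                hits[host].update(ids)
                host = None
        elif host is None:
            continue                                # text outside any transaction
        elif part == "B" and line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
        elif part == "H" and line.startswith("Message:"):
            ids.extend(RULE_ID.findall(line))
    return hits

if __name__ == "__main__":
    print({h: dict(c) for h, c in rule_hits_by_host(SAMPLE_LOG).items()})
```

Rule IDs with high counts for one host are the candidates to review for SecRuleRemoveById in that virtual host. The Host value is whatever the client sent, so unexpected hostnames in the output deserve a look of their own.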

mod-security-users mailing list