Thread: [mod-security-users] updating action for multiple rules with same id
From: R.A. I. <li...@fl...> - 2008-10-11 07:20:14
Hello,

I have run into a minor hitch trying to update the actions of the default core set when several of the original rules have the same id.

For example, modsecurity_crs_21_protocol_anomalies.conf contains two with id 960008, one for empty host headers and one for missing host headers:

    SecRule &REQUEST_HEADERS:Host "@eq 0" \
        "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
    SecRule REQUEST_HEADERS:Host "^$" \
        "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"

In line with the recommendation not to edit the files with the original core rules but rather modify them by additional rules, I put this one into the apache httpd.conf:

    SecRuleUpdateActionById 960008 "drop,exec:/sbin/blacklist_web,tag:'blacklisted'"

But this only updates the first of the two above.

How best to proceed?

Many thanks!

Robert Imhoff
From: Brian R. <Bri...@br...> - 2008-10-20 22:26:27
R.A. Imhoff wrote:
> Hello,
>
> I have run into a minor hitch trying to update the actions of the
> default core set when several of the original rules have the same id.
>
> For example, modsecurity_crs_21_protocol_anomalies.conf contains two
> with id 960008, one for empty host headers and one for missing host
> headers:
>
> SecRule &REQUEST_HEADERS:Host "@eq 0" \
>     "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
> SecRule REQUEST_HEADERS:Host "^$" \
>     "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
>
> In line with the recommendation not to edit the files with the
> original core rules but rather modify them by additional rules, I put
> this one into the apache httpd.conf:
>
> SecRuleUpdateActionById 960008 "drop,exec:/sbin/blacklist_web,tag:'blacklisted'"
>
> But this only updates the first of the two above.
>
> How best to proceed?

You are correct. This will not work. It is a bug (well, maybe just a "known issue"), but I am not sure I would call it a bug in ModSecurity; rather, the ruleset should not be using multiple rules with the same ID.

Please file a bug report here: https://www.modsecurity.org/tracker/

I would just update the ruleset for now.

thanks,
-B

--
Brian Rectanus
Breach Security
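A quick way to find which rule ids in a ruleset are declared by more than one SecRule, and so are only partly covered by a SecRuleUpdateActionById, as an added example that is not part of the thread or of ModSecurity; the sample config below is constructed from the two rules in the thread plus one made-up rule with id 960001:

```python
import re
from collections import defaultdict

# Constructed sample in ModSecurity directive syntax: the two rules from
# the thread that share id 960008, plus one unrelated rule (id 960001 is
# a made-up value for this example, not taken from the core rule set).
SAMPLE_CONF = r'''
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
SecRule REQUEST_HEADERS:Host "^$" \
    "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
    "phase:1,t:none,pass,id:'960001'"
'''

# Matches the id action inside the action list; quotes around the value are optional.
ID_RE = re.compile(r"\bid:'?(\d+)'?")

def join_continuations(text):
    """Join lines ending in a backslash into single logical directives."""
    logical, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())
    return logical

def rule_ids(text):
    """Map each rule id to the list of SecRule directives that declare it."""
    ids = defaultdict(list)
    for directive in join_continuations(text):
        if not directive.startswith("SecRule"):
            continue
        m = ID_RE.search(directive)
        if m:
            ids[m.group(1)].append(directive)
    return ids

def duplicate_ids(text):
    """Ids declared by more than one SecRule. SecRuleUpdateActionById only
    reaches the first rule with a given id, so these need a manual look."""
    return {rid: rules for rid, rules in rule_ids(text).items() if len(rules) > 1}

if __name__ == "__main__":
    for rid, rules in duplicate_ids(SAMPLE_CONF).items():
        print(f"id {rid} is declared {len(rules)} times; only the first is updated by id")
```

Point it at the real *.conf files by reading them into `duplicate_ids` instead of `SAMPLE_CONF`.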