Re: [Mod-security-developers] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Wed, Jun 15, 2016 at 06:48:16AM +0200, Christian Folini wrote:
> Hi there,
> 
> According to the reference manual, Comodo has reserved the rule
> ids 200,000 to 299,000, while the first ids in this range are
> part of the rules distributed together with the ModSecurity
> sourcecode.
> 
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id
> 
> Does anybody know more about this, or do we just remove that as
> nonsensical?
> 
> Outside of that, 100,000-199,999 used to be reserved for internal use by
> the engine, now they are claimed by Oracle. 

I checked git and the commit was done by Ryan Barnett in early 2014.

> commit 5ef12e380334fc176fee7b0444da3057befd6c1e
> Author: Ryan Barnett <rcb...@gm...>
> Date:   Wed Jan 15 05:38:14 2014 -0800
>
>    Updated Reference Manual (mediawiki)


$> git diff 855942da..5ef12e38

diff --git a/Reference-Manual.mediawiki b/Reference-Manual.mediawiki
index eed1f05..5d26bc4 100644
--- a/Reference-Manual.mediawiki
+++ b/Reference-Manual.mediawiki
@@ -2944,8 +2944,8 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Miss
 These are the reserved ranges:
 
 *1–99,999: reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others
-*100,000–199,999: reserved for internal use of the engine, to assign to rules that do not have explicit IDs
-*200,000–299,999: reserved for rules published at modsecurity.org
+*100,000–199,999: reserved for rules published by Oracle
+*200,000–299,999: reserved for rules published Comodo
 *300,000–399,999: reserved for rules published at gotroot.com
 *400,000–419,999: unused (available for reservation)
 *420,000–429,999: reserved for ScallyWhack [http://projects.otaku42.de/wiki/Scally-Whack]


With ids being mandatory, the 100K range might be no longer needed by 
the engine. Still, it's 100K in the lower rule space.

With 200K range assigned to Comodo, the case is even weirder. The ModSec
project itself is definitely distributing rules in this range in:
https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended

What do we do?

Cheers,

Christian


-- 
Besides, Emacs would be a far better OS if it shipped with a 
halfway-decent text editor - like vi for example.


