Re: [mod-security-users] SecRuleRemoveByTag not working
From: Eirik Ø. - M. <ltn...@an...> - 2018-03-28 20:26:21
Hi there,

> Hmm. That is odd. It works for me:
>
> $> echo 'SecRuleRemoveByTag "platform-apache"' > /tmp/rule.conf
> $> /usr/src/modsecurity/modsecurity-v3.0.0/tools/rules-check/modsec-rules-check /tmp/rule.conf
> : /tmp/rule.conf -- Loaded 0 rules.
> Test ok.

Which version and OS is this?

>> : t.conf -- RemoveByTagplatform-apache
>> Loaded -1 rules.
>> Rules error. File: t.conf. Line: 1. Column: 57. syntax error, unexpected Operator RX (content only)
>> Test failed.
>>
>> There is no column 57. It's like it doesn't see the end of the lines, so it's concatenating.
>
> ModSecurity has a tendency to make mistakes when it counts numbers and lines.
> I usually tweak around a dozen times until I am sure what line/column it is
> complaining about.

Yeah, but comparing the first and second tests it seems pretty clear (EOF error) it's not actually even trying to parse the rule, it simply doesn't see the end of it.

>> NOTE: SecRuleRemoveById works as expected in all tests and scenarios.
>
> Unfortunately, it does not.
>
> Here is my take on SecRuleRemoveById:
>
> # works
> SecRuleRemoveById 930120
> SecRuleRemoveById 932160
> SecRuleRemoveById 930120-932160
> SecRuleRemoveById 1-932160
>
> # fails to work properly
> SecRuleRemoveById 930120,932160
>
> # fails with parsing error
> SecRuleRemoveById 99-932160
>
> The latter is really odd, I think.

OK, I've only tried excluding individual rules, showing that the general idea works. The tag variant doesn't seem to work at all - not even if I enable one from the OWASP example files.

/Eirik
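The thread above is debugging exclusion lines that the v3 parser rejects or silently mishandles; an exclusion that does not load means the rule it was meant to disable stays active, and a hard parse error can keep the whole file from loading. As an added example (not code from this thread or from the ModSecurity project), the linter below checks SecRuleRemoveById and SecRuleRemoveByTag lines against the argument grammar in the ModSecurity reference manual, whitespace-separated IDs and low-high ranges for ById and a single regex for ByTag, before the file ever reaches the engine. The sample config is constructed from the directives quoted in the thread; how the v3 engine itself treats each form is exactly what the thread is trying to settle, so the linter enforces only the documented syntax.

```python
"""Pre-flight linter for ModSecurity SecRuleRemoveById / SecRuleRemoveByTag lines.

Added example: validates exclusion directives against the documented argument
grammar (IDs and ranges separated by whitespace; the tag argument is a regex).
"""
import re
import shlex

# Constructed sample exclusion file, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
# works
SecRuleRemoveById 930120
SecRuleRemoveById 932160
SecRuleRemoveById 930120-932160
# comma-separated list: not the documented form (IDs are whitespace-separated)
SecRuleRemoveById 930120,932160
SecRuleRemoveByTag "platform-apache"
SecRuleRemoveByTag "attack-(sqli|xss"
"""

# A single rule ID or an inclusive low-high range, e.g. 930120 or 930120-932160.
ID_OR_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def check_remove_by_id(args):
    """Return a list of problems for the arguments of one SecRuleRemoveById line."""
    if not args:
        return ["SecRuleRemoveById needs at least one ID or range"]
    problems = []
    for tok in args:
        m = ID_OR_RANGE.match(tok)
        if not m:
            problems.append(
                f"bad ID/range token {tok!r}; separate IDs with spaces, e.g. 930120 932160"
            )
            continue
        low, high = m.group(1), m.group(2)
        if high is not None and int(low) > int(high):
            problems.append(f"range {tok!r} runs backwards")
    return problems


def check_remove_by_tag(args):
    """Return a list of problems for the arguments of one SecRuleRemoveByTag line."""
    if len(args) != 1:
        return ["SecRuleRemoveByTag takes exactly one argument (a regex matched against tags)"]
    try:
        # Python's re syntax is close enough to PCRE to catch unbalanced groups and the like.
        re.compile(args[0])
    except re.error as exc:
        return [f"tag pattern {args[0]!r} is not a valid regex: {exc}"]
    return []


CHECKS = {
    "SecRuleRemoveById": check_remove_by_id,
    "SecRuleRemoveByTag": check_remove_by_tag,
}


def lint_exclusions(text):
    """Lint a config fragment; return [(line_number, message), ...] for every problem found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            tokens = shlex.split(line)  # honours the double quotes around arguments
        except ValueError as exc:
            findings.append((lineno, f"unbalanced quotes: {exc}"))
            continue
        directive, args = tokens[0], tokens[1:]
        check = CHECKS.get(directive)
        if check is None:
            continue  # not an exclusion directive; out of scope for this linter
        for problem in check(args):
            findings.append((lineno, problem))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_exclusions(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Run against the sample, the linter flags line 6 (the comma-separated ID list) and line 8 (the unbalanced regex group) and passes the rest; wiring it into the same CI step that runs modsec-rules-check gives a second, independent opinion when the engine's own line/column report is unhelpful, as it was in this thread.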