Re: [mod-security-users] ModSecurity 2.9.2 Rule Processing Order
From: Christian F. <chr...@ne...> - 2018-12-12 14:01:35
On Wed, Dec 12, 2018 at 03:41:36PM +0200, Gryzli Bugbear wrote:
> Actually it makes sense to work the way it does, it is my fault that I lived
> with wrong assumptions for so long ..

You're in good company. It's a widespread misconception. :)

However, it's really important to get this right, otherwise, handling
false positives won't work because you are always too early or too late.

I have a cheatsheet for FP handling on netnea.com. It makes clear that
some FP handling techniques need to be written before the rules, others
need to be written after the rules in the config file. This is because
of this rule order.

Ahoj,

Christian

>
> Thanks again ;)
>
> On 12/12/18 3:27 PM, Reindl Harald wrote:
> >
> > On 12.12.18 at 14:21, Gryzli Bugbear wrote:
> > > Thanks for your reply Reindl!
> > >
> > > Could you tell me what do you mean by this:
> > > > the rule-ids are in different ranges depending on context
> > > Just to make it clear - I'm using my own rules (not the CRS).
> > >
> > > Also I didn't find any section in the official documentation stating the
> > > rule execution order (for a same phase) is actually based on the order
> > > they are stored in config files, instead of the id
> > in the past the rule-id wasn't mandatory at all, that changed a few
> > years ago
> >
> > executing in id-order wouldn't be helpful
> >
> > have fun when you have SecRuleRemoveById like below which can also exist
> > in a <VirtualHost> and need to change ordering
> >
> > <LocationMatch "^/whatever$">
> >   SecRuleRemoveById 132
> >   SecRuleRemoveById 152
> >   SecRuleRemoveById 958086
> >   SecRuleRemoveById 958087
> >   SecRuleRemoveById 950107
> > </LocationMatch>
> >
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> --
> -- Gryzli
>
> https://gryzli.info
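
Added example, not part of the original message or of the cheatsheet it mentions: a ModSecurity 2.x configuration fragment showing that rules in the same phase run in config-file order rather than id order, and where the two kinds of false-positive exclusion have to sit relative to the rule they affect. The rule ids 10001-10020, the paths and the patterns are constructed for illustration.

```apache
# --- Same phase: config-file order decides, not the id -------------------
# Rule 10020 is written first, so it runs first even though its id is higher.
# It sets a transaction variable that rule 10010 then reads.
SecRule REQUEST_HEADERS:User-Agent "@contains curl" \
    "id:10020,phase:2,pass,nolog,t:none,setvar:tx.is_cli=1"

# Runs second. If rules were executed in id order, tx.is_cli would still be
# unset here and this rule could never match.
SecRule TX:is_cli "@eq 1" \
    "id:10010,phase:2,deny,status:403,log,msg:'Constructed: CLI client blocked'"

# --- Runtime exclusion: place it BEFORE the rule it disables -------------
# ctl:ruleRemoveById is an action of a rule, so it only takes effect once
# this rule has executed. It must therefore run earlier than rule 10002:
# written above it in the file and in the same or an earlier phase.
SecRule REQUEST_URI "@beginsWith /api/upload" \
    "id:10001,phase:1,pass,nolog,t:none,ctl:ruleRemoveById=10002"

SecRule ARGS "@rx (?i)<script" \
    "id:10002,phase:2,deny,status:403,log,msg:'Constructed: script tag in argument'"

SecRule ARGS "@rx (?i)union\s+select" \
    "id:10003,phase:2,deny,status:403,log,msg:'Constructed: SQL keyword pair in argument'"

# --- Startup-time exclusion: place it AFTER the rule it removes ----------
# SecRuleRemoveById acts on rules that are already loaded when the directive
# is read. Written above rule 10003 it would find nothing to remove.
<LocationMatch "^/whatever$">
    SecRuleRemoveById 10003
</LocationMatch>
```

The same before/after split applies to the target-level variants: `ctl:ruleRemoveTargetById` goes before the rule, `SecRuleUpdateTargetById` goes after it.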