Re: [mod-security-users] Possible to remove rules by multiple tags?

[Jamie B. <ja...@ib...>]

OK, thank you. Is there a particular strategy or best practise for dealing with new untested rules that are added to the CRS?

I'm thinking if you have tuned the rules, are running at PL2 and new ones are added in an update. It seems that any new rules would need to be identified and carefully managed in an existing setup, short of putting the whole install back in detection only mode and remonitoring.

Thanks
Jamie

> On 17 Jun 2020, at 05:37, Christian Folini <chr...@ne...> wrote:
> 
> Hello Jamie,
> 
> I have never throught about this, but it sounds like a cool idea.
> 
> Unfortunately, it is not possible.
> 
>> On Tue, Jun 16, 2020 at 11:34:53PM +0100, Jamie Burchell wrote:
>> of rules should not be at PL2. I was looking at doing this by ID range
>> instead, but the IDs don’t seem facilitate ranges based on PL.
> 
> The ids and the PL have no connection, that's correct.
> 
> (And they can't since we are adding new rules from time to time and the
> concept of strict siblings would no longer work the way it does with the
> ID namespace)
> 
> Ahoj,
> 
> Christian
> 
>> 
>> 
>> 
>> Regards,
>> 
>> Jamie
> 
> 
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
> 
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/