Re: [mod-security-users] Possible to remove rules by multiple tags?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Possible to remove rules by multiple tags?
|
From: Ervin H. <ai...@gm...> - 2020-06-17 09:56:03
|
Hi Jamie,
as Christian wrote there isn't any solution to remove a rule by multiple
tags.
But there is an indirect solution: you can find all rules where the listed
tags exists.
There is a small tool, named msc_pyparser[1]. This Python library can parse
CRS rules and makes the AST (abstract syntax tree) in YAML or JSON format.
I attached a Python script which loads these rules and search all id where
the tags above listed. Before you run, you have to install that Python
library (it works only with Python3), it's available through PIP. First,
you have to build the AST files, then run script for each file, like:
for y in `ls -1 export/*.yaml`; do ./crs_gettags.py ${y}; done
and you'll see something like this:
SecRuleRemoveById 942110
SecRuleRemoveById 942120
SecRuleRemoveById 942130
SecRuleRemoveById 942150
SecRuleRemoveById 942180
SecRuleRemoveById 942200
SecRuleRemoveById 942210
SecRuleRemoveById 942260
SecRuleRemoveById 942300
SecRuleRemoveById 942310
SecRuleRemoveById 942330
SecRuleRemoveById 942340
SecRuleRemoveById 942361
SecRuleRemoveById 942370
SecRuleRemoveById 942380
SecRuleRemoveById 942390
SecRuleRemoveById 942400
SecRuleRemoveById 942410
SecRuleRemoveById 942470
SecRuleRemoveById 942480
SecRuleRemoveById 942430
SecRuleRemoveById 942440
SecRuleRemoveById 942450
SecRuleRemoveById 942510
Just paste these lines into your exceptions, and hope that will give you
what you want.
Regards,
a.
[1]: https://github.com/digitalwave/msc_pyparser
On Wed, Jun 17, 2020 at 1:01 AM Jamie Burchell <ja...@ib...> wrote:
> Hi
>
>
>
> Is it possible to remove rules by more than one tag? For example, remove
> all “paranoia-level/2” “attack-sqli” CRS rules.
>
>
>
> This would be useful in situations where PL2 is in use, but certain groups
> of rules should not be at PL2. I was looking at doing this by ID range
> instead, but the IDs don’t seem facilitate ranges based on PL.
>
>
>
> Regards,
>
> Jamie
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|
