Re: [mod-security-users] Possible to remove rules by multiple tags?
From: Jamie B. <ja...@ib...> - 2020-06-17 10:05:42
Hi
That's really useful, thank you.
Cheers
Jamie
> On 17 Jun 2020, at 10:58, Ervin Hegedüs <ai...@gm...> wrote:
>
>
> Hi Jamie,
>
> As Christian wrote, there isn't any solution to remove a rule by multiple tags.
>
> But there is an indirect solution: you can find all rules where the listed tags exist.
>
> There is a small tool named msc_pyparser[1]. This Python library can parse CRS rules and make the AST (abstract syntax tree) in YAML or JSON format.
>
> I attached a Python script which loads these rules and searches for all ids where the tags listed above appear. Before you run it, you have to install that Python library (it works only with Python 3); it's available through pip. First, you have to build the AST files, then run the script for each file, like:
>
> for y in `ls -1 export/*.yaml`; do ./crs_gettags.py ${y}; done
>
> and you'll see something like this:
>
> SecRuleRemoveById 942110
> SecRuleRemoveById 942120
> SecRuleRemoveById 942130
> SecRuleRemoveById 942150
> SecRuleRemoveById 942180
> SecRuleRemoveById 942200
> SecRuleRemoveById 942210
> SecRuleRemoveById 942260
> SecRuleRemoveById 942300
> SecRuleRemoveById 942310
> SecRuleRemoveById 942330
> SecRuleRemoveById 942340
> SecRuleRemoveById 942361
> SecRuleRemoveById 942370
> SecRuleRemoveById 942380
> SecRuleRemoveById 942390
> SecRuleRemoveById 942400
> SecRuleRemoveById 942410
> SecRuleRemoveById 942470
> SecRuleRemoveById 942480
> SecRuleRemoveById 942430
> SecRuleRemoveById 942440
> SecRuleRemoveById 942450
> SecRuleRemoveById 942510
>
> Just paste these lines into your exceptions; I hope that will give you what you want.
>
>
> Regards,
>
>
> a.
>
>
> [1]: https://github.com/digitalwave/msc_pyparser
>
>
>
>
>> On Wed, Jun 17, 2020 at 1:01 AM Jamie Burchell <ja...@ib...> wrote:
>> Hi
>>
>>
>>
>> Is it possible to remove rules by more than one tag? For example, remove all “paranoia-level/2” “attack-sqli” CRS rules.
>>
>>
>>
>> This would be useful in situations where PL2 is in use, but certain groups of rules should not be at PL2. I was looking at doing this by ID range instead, but the IDs don’t seem to facilitate ranges based on PL.
>>
>>
>>
>> Regards,
>>
>> Jamie
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>
> <crs_gettags.py>
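The tag-intersection approach described in the reply above, as an added example: this is not the crs_gettags.py attached to the message and it does not use msc_pyparser. It is a simplified regex scan over raw rule text that emits a `SecRuleRemoveById` line for every rule carrying all of the requested tags. The sample rules, their ids (100001-100004) and the function names are constructed for illustration.

```python
import re

# Constructed sample in CRS layout; ids 100001-100004 are made up.
SAMPLE = r'''
SecRule ARGS "@detectSQLi" \
    "id:100001,phase:2,block,\
    tag:'attack-sqli',\
    tag:'paranoia-level/1'"

SecRule ARGS "@rx (?i)union\s+select" \
    "id:100002,phase:2,block,\
    tag:'attack-sqli',\
    tag:'paranoia-level/2'"

SecRule ARGS "@rx <script" \
    "id:100003,phase:2,block,\
    tag:'attack-xss',\
    tag:'paranoia-level/2'"

# SecRule ARGS "@rx x" "id:100004,tag:'attack-sqli',tag:'paranoia-level/2'"
'''

def ids_with_all_tags(conf_text, wanted):
    """Return ids of SecRule/SecAction directives carrying every tag in `wanted`."""
    wanted = set(wanted)
    # Fold backslash-continued lines into one logical line per directive.
    folded = re.sub(r'\\\r?\n[ \t]*', '', conf_text)
    ids = []
    for line in folded.splitlines():
        line = line.strip()
        if not line.startswith(('SecRule ', 'SecAction ')):
            continue  # comments, blanks and other directives
        # Simplification: treat the last double-quoted argument as the action list.
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        actions = quoted[-1] if quoted else ''
        rule_id = re.search(r"(?:^|,)\s*id:'?(\d+)", actions)
        tags = set(re.findall(r"(?:^|,)\s*tag:'?([^',]+)", actions))
        # Chained sub-rules have no id of their own and are skipped here.
        if rule_id and wanted <= tags:
            ids.append(int(rule_id.group(1)))
    return ids

def removal_directives(conf_text, wanted):
    """Format the matching ids as ModSecurity exclusion directives."""
    return [f"SecRuleRemoveById {i}" for i in ids_with_all_tags(conf_text, wanted)]

if __name__ == "__main__":
    print("\n".join(removal_directives(SAMPLE, ["attack-sqli", "paranoia-level/2"])))
```

Review the generated list before pasting it into an exclusion file, since every line disables a detection outright.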