Re: [mod-security-users] Possible to remove rules by multiple tags?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Possible to remove rules by multiple tags?
|
From: Ervin H. <ai...@gm...> - 2020-06-17 10:38:38
|
you're welcome - note, the list has been from CRS 3.3/dev, @c11baa.
Regards,
a.
On Wed, Jun 17, 2020 at 12:07 PM Jamie Burchell <ja...@ib...> wrote:
> Hi
>
> That's really useful, thank you.
>
> Cheers
> Jamie
>
> On 17 Jun 2020, at 10:58, Ervin Hegedüs <ai...@gm...> wrote:
>
>
> Hi Jamie,
>
> as Christian wrote there isn't any solution to remove a rule by multiple
> tags.
>
> But there is an indirect solution: you can find all rules where the listed
> tags exists.
>
> There is a small tool, named msc_pyparser[1]. This Python library can
> parse CRS rules and makes the AST (abstract syntax tree) in YAML or JSON
> format.
>
> I attached a Python script which loads these rules and search all id where
> the tags above listed. Before you run, you have to install that Python
> library (it works only with Python3), it's available through PIP. First,
> you have to build the AST files, then run script for each file, like:
>
> for y in `ls -1 export/*.yaml`; do ./crs_gettags.py ${y}; done
>
> and you'll see something like this:
>
> SecRuleRemoveById 942110
> SecRuleRemoveById 942120
> SecRuleRemoveById 942130
> SecRuleRemoveById 942150
> SecRuleRemoveById 942180
> SecRuleRemoveById 942200
> SecRuleRemoveById 942210
> SecRuleRemoveById 942260
> SecRuleRemoveById 942300
> SecRuleRemoveById 942310
> SecRuleRemoveById 942330
> SecRuleRemoveById 942340
> SecRuleRemoveById 942361
> SecRuleRemoveById 942370
> SecRuleRemoveById 942380
> SecRuleRemoveById 942390
> SecRuleRemoveById 942400
> SecRuleRemoveById 942410
> SecRuleRemoveById 942470
> SecRuleRemoveById 942480
> SecRuleRemoveById 942430
> SecRuleRemoveById 942440
> SecRuleRemoveById 942450
> SecRuleRemoveById 942510
>
> Just paste these lines into your exceptions, and hope that will give you
> what you want.
>
>
> Regards,
>
>
> a.
>
>
> [1]: https://github.com/digitalwave/msc_pyparser
>
>
>
>
> On Wed, Jun 17, 2020 at 1:01 AM Jamie Burchell <ja...@ib...> wrote:
>
>> Hi
>>
>>
>>
>> Is it possible to remove rules by more than one tag? For example, remove
>> all “paranoia-level/2” “attack-sqli” CRS rules.
>>
>>
>>
>> This would be useful in situations where PL2 is in use, but certain
>> groups of rules should not be at PL2. I was looking at doing this by ID
>> range instead, but the IDs don’t seem facilitate ranges based on PL.
>>
>>
>>
>> Regards,
>>
>> Jamie
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
> <crs_gettags.py>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|
