Re: [mod-security-users] Possible to remove rules by multiple tags?
From: Christian F. <chr...@ne...> - 2020-06-19 05:48:20
This is quite neat, Ervin! Thanks for sharing.
Christian
On Wed, Jun 17, 2020 at 11:55:19AM +0200, Ervin Hegedüs wrote:
> Hi Jamie,
>
> as Christian wrote, there isn't any solution to remove a rule by multiple
> tags.
>
> But there is an indirect solution: you can find all rules where the listed
> tags exist.
>
> There is a small tool, named msc_pyparser[1]. This Python library can parse
> CRS rules and make the AST (abstract syntax tree) in YAML or JSON format.
>
> I attached a Python script which loads these rules and searches all ids where
> the tags listed above appear. Before you run it, you have to install that Python
> library (it works only with Python3); it's available through PIP. First,
> you have to build the AST files, then run the script for each file, like:
>
> for y in `ls -1 export/*.yaml`; do ./crs_gettags.py ${y}; done
>
> and you'll see something like this:
>
> SecRuleRemoveById 942110
> SecRuleRemoveById 942120
> SecRuleRemoveById 942130
> SecRuleRemoveById 942150
> SecRuleRemoveById 942180
> SecRuleRemoveById 942200
> SecRuleRemoveById 942210
> SecRuleRemoveById 942260
> SecRuleRemoveById 942300
> SecRuleRemoveById 942310
> SecRuleRemoveById 942330
> SecRuleRemoveById 942340
> SecRuleRemoveById 942361
> SecRuleRemoveById 942370
> SecRuleRemoveById 942380
> SecRuleRemoveById 942390
> SecRuleRemoveById 942400
> SecRuleRemoveById 942410
> SecRuleRemoveById 942470
> SecRuleRemoveById 942480
> SecRuleRemoveById 942430
> SecRuleRemoveById 942440
> SecRuleRemoveById 942450
> SecRuleRemoveById 942510
>
> Just paste these lines into your exceptions, and hope that will give you
> what you want.
>
> Regards,
>
> a.
>
> [1]: https://github.com/digitalwave/msc_pyparser
>
> On Wed, Jun 17, 2020 at 1:01 AM Jamie Burchell <ja...@ib...> wrote:
>
> > Hi
> >
> > Is it possible to remove rules by more than one tag? For example, remove
> > all “paranoia-level/2” “attack-sqli” CRS rules.
> >
> > This would be useful in situations where PL2 is in use, but certain groups
> > of rules should not be at PL2. I was looking at doing this by ID range
> > instead, but the IDs don't seem to facilitate ranges based on PL.
> >
> > Regards,
> >
> > Jamie
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
> #!/usr/bin/env python3
>
> import sys
> import yaml
>
>
> class Transform(object):
>     def __init__(self, data):
>         self.data = data
>         self.lineno = 1
>         self.current_ruleid = 0
>         self.chained = False
>         self.chainlevel = 0
>
>     def gettag(self):
>         # Tags are collected across a whole chain: the id lives on the first
>         # SecRule of the chain, and the chain ends at the first rule without
>         # a 'chain' action.
>         tags = []
>         for d in self.data:
>             if "actions" in d:
>                 aidx = 0
>                 if self.chained:
>                     self.chained = False
>                 while aidx < len(d['actions']):
>                     a = d['actions'][aidx]
>
>                     if a['act_name'] == "tag":
>                         tags.append(a['act_arg'])
>
>                     if a['act_name'] == "id":
>                         self.current_ruleid = int(a['act_arg'])
>
>                     if a['act_name'] == "chain":
>                         self.chained = True
>                         self.chainlevel += 1
>                     aidx += 1
>
>                 if not self.chained:
>                     # Emit a removal only when the rule carries BOTH tags.
>                     if "paranoia-level/2" in tags and "attack-sqli" in tags:
>                         print("SecRuleRemoveById %d" % (self.current_ruleid))
>                     self.current_ruleid = 0
>                     tags = []
>
>
> if __name__ == "__main__":
>     if len(sys.argv) < 2:
>         print("Argument missing!")
>         print("Use: %s input" % (sys.argv[0]))
>         sys.exit(-1)
>
>     fname = sys.argv[1]
>     try:
>         with open(fname, 'r') as inputfile:
>             # The msc_pyparser export is plain lists and dicts, so safe_load
>             # works on every PyYAML version (a string comparison of
>             # yaml.__version__ against "5.1" misorders "10.0" < "5.1").
>             data = yaml.safe_load(inputfile)
>     except (OSError, yaml.YAMLError) as e:
>         print("Can't open file: %s (%s)" % (fname, e))
>         sys.exit(1)
>
>     t = Transform(data)
>     t.gettag()
>
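The same "all of these tags" selection, as a stand-alone example added here (it is neither Ervin's attached script nor part of msc_pyparser): instead of consuming the msc_pyparser YAML export, it carries a minimal parser for the SecRule text itself, joins backslash-continued lines, splits the action list on commas while leaving commas inside single-quoted values such as msg:'a, b' alone, folds a rule ending in `chain` together with the SecRule lines that follow it (the way the script above does, so the id and tags of the first rule in the chain are what count), and prints SecRuleRemoveById for every logical rule whose tag set contains every requested tag. The rule text it runs against is constructed for this example with placeholder ids 9000xx, the script name multitag.py is hypothetical, and the parser assumes the CRS layout of a quoted operator followed by a quoted action list rather than the full ModSecurity grammar.

```python
#!/usr/bin/env python3
"""Print SecRuleRemoveById for CRS rules carrying ALL of a set of tags.
Added example with its own small SecRule parser; not msc_pyparser."""
import re
import sys
from typing import Dict, List

# Constructed sample in CRS style; ids 9000xx are placeholders, not real CRS ids.
SAMPLE_CONF = r'''
# PL2 SQLi rule: must be selected
SecRule REQUEST_COOKIES|ARGS "@rx (?i:sleep\()" \
    "id:900001,\
    phase:2,\
    block,\
    msg:'Constructed SQLi sample, PL2',\
    tag:'attack-sqli',\
    tag:'paranoia-level/2'"

# PL1 SQLi rule: wrong paranoia level, must not be selected
SecRule ARGS "@detectSQLi" \
    "id:900002,phase:2,block,tag:'attack-sqli',tag:'paranoia-level/1'"

# PL2 XSS rule: wrong attack class; the commas inside msg must not split tags
SecRule ARGS "@rx <script" \
    "id:900003,phase:2,block,msg:'Constructed, with commas, in msg',\
    tag:'attack-xss',tag:'paranoia-level/2'"

# Chained PL2 SQLi rule: id and tags sit on the first rule of the chain
SecRule ARGS "@rx union" \
    "id:900004,phase:2,block,tag:'attack-sqli',tag:'paranoia-level/2',chain"
    SecRule ARGS "@rx select" \
        "t:none,t:lowercase"
'''

# SecRule VARIABLES "OPERATOR" "ACTIONS" -- the quoted form CRS uses (assumption:
# unquoted operators/actions are not handled and such lines are skipped).
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"(?:\s+"((?:[^"\\]|\\.)*)")?$')


def split_actions(actions: str) -> List[str]:
    """Split an action list on commas, except commas inside single quotes."""
    tokens, buf, in_quote, i = [], [], False, 0
    while i < len(actions):
        ch = actions[i]
        if ch == '\\' and i + 1 < len(actions):   # keep an escaped char literally
            buf.append(actions[i + 1])
            i += 2
            continue
        if ch == "'":
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            tokens.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tokens.append(''.join(buf).strip())
    return [t for t in tokens if t]


def parse_rules(conf: str) -> List[Dict]:
    """One record per logical rule: {'id', 'tags', 'chain_len'}.
    A rule whose actions include 'chain' absorbs the SecRule(s) that follow."""
    text = re.sub(r'\\[ \t]*\r?\n', '', conf)   # join backslash-continued lines
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        if current is None:
            current = {'id': None, 'tags': [], 'chain_len': 1}
        else:
            current['chain_len'] += 1          # continuation of a chain
        chained = False
        for tok in split_actions(m.group(3) or ''):
            name, _, value = tok.partition(':')
            value = value.strip().strip("'")
            if name == 'id':
                current['id'] = int(value)
            elif name == 'tag':
                current['tags'].append(value)
            elif name == 'chain':
                chained = True
        if not chained:                        # chain (or single rule) complete
            rules.append(current)
            current = None
    return rules


def ids_with_all_tags(rules: List[Dict], required: List[str]) -> List[int]:
    """Ids of rules whose tag set contains every required tag (AND, not OR)."""
    need = set(required)
    return [r['id'] for r in rules if r['id'] is not None and need <= set(r['tags'])]


def removal_directives(conf: str, required: List[str]) -> List[str]:
    return ['SecRuleRemoveById %d' % rid
            for rid in ids_with_all_tags(parse_rules(conf), required)]


if __name__ == '__main__':
    # Usage: python3 multitag.py rules.conf tag1 tag2 ...  (no arguments: sample)
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            conf, required = fh.read(), sys.argv[2:]
    else:
        conf, required = SAMPLE_CONF, ['paranoia-level/2', 'attack-sqli']
    for line in removal_directives(conf, required):
        print(line)
```

On the sample this prints removals for 900001 and 900004 only: 900002 has the right attack tag but the wrong paranoia level, and 900003 the right level but the wrong attack class, which is exactly the AND semantics a single SecRuleRemoveByTag cannot express. For real CRS files the msc_pyparser route above is the more robust one, since it understands the complete directive grammar; this parser exists to make the selection logic visible in one file.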