[mod-security-users] SecRuleUpdateActionById
From: CM <ne...@pr...> - 2025-05-01 21:23:55
I previously added "noauditlog" to rule 920210 by editing REQUEST-920-PROTOCOL-ENFORCEMENT.conf (and modified some other rules similarly), but I'm tired of the file getting overwritten by upgrades; I want to be able to manage my rule modifications centrally.
I tried this first (too good to be true):
SecRuleUpdateActionById 920210 "noauditlog"
That didn't work; I guess I'm overwriting everything that's there instead of just adding.
So I copied everything from the rule (except ID and phase) and added "nolog" to it, ending up with this:
SecRuleUpdateActionById 920210 "block, noauditlog, t:none, msg:'Multiple/Conflicting Connection Header Data Found', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/3.3.5', severity:'WARNING', setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
That did sorta work, but it also resulted in the anomaly score being applied twice, causing requests to be blocked that shouldn't have been.
So I tried removing just the anomaly score thing:
SecRuleUpdateActionById 920210 "block, noauditlog, t:none, msg:'Multiple/Conflicting Connection Header Data Found', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/3.3.5', severity:'WARNING'"
And that does seem to work, but do I really need all that?
What's the absolute minimum I can do here to add "noauditlog" without breaking the functionality of the rule?
I also need to add "nolog" to rules 949110 and 980130, so what's the simplest possible SecRuleUpdateActionById that would do this without breaking them?
Also, I noticed I can't do this in my modsecurity.conf (because it's loaded before the rules); I had to put it in one of my Apache configurations that's loaded after the rules.
Is there any possible way to make modsecurity.conf process after the rules files are loaded, so I can use SecRuleUpdateActionById in it instead of in my Apache configs?
apache2/mods-enabled/security2.conf contains the following:
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/*.load
If I swapped the order of these, would it break anything?
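As an added example (not from the post, ModSecurity or the CRS project), this Python script extracts the action list of a rule from CRS-style SecRule text, parses a SecRuleUpdateActionById line, and reports which actions the update introduces versus which multi-use actions it repeats, which is how the doubled setvar behind the double-counted anomaly score shows up. The sample rule text is constructed (its action list is the one quoted in the post; the variable/operator part is a stand-in), and treating setvar and tag as the multi-use actions is an assumption, not documented ModSecurity behaviour.

```python
"""Compare a CRS rule's action list with a SecRuleUpdateActionById argument."""
import re

# Constructed sample: the action list mirrors the post's copy of rule 920210;
# the variable/operator part is a simplified stand-in, not the real CRS rule.
CRS_SNIPPET = r'''
SecRule REQUEST_HEADERS:Connection "@rx \b(keep-alive|close),\s?(keep-alive|close)\b" \
    "id:920210,phase:1,block,t:none,\
    msg:'Multiple/Conflicting Connection Header Data Found',logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',\
    tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/3.3.5',\
    severity:'WARNING',setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
'''

# The directive from the post that ended up applying the anomaly score twice.
UPDATE_DIRECTIVE = """SecRuleUpdateActionById 920210 "block, noauditlog, t:none, msg:'Multiple/Conflicting Connection Header Data Found', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/3.3.5', severity:'WARNING', setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
"""

def split_actions(action_string):
    """Split an action list on commas, ignoring commas inside single quotes."""
    parts = re.findall(r"(?:[^,']|'[^']*')+", action_string)
    return [p.strip() for p in parts if p.strip()]

def rule_actions(conf_text, rule_id):
    """Return the action list of the SecRule carrying id:<rule_id>, or None."""
    joined = re.sub(r"\\\r?\n\s*", "", conf_text)  # undo backslash line continuations
    pat = re.compile(r'\s*SecRule\s+\S+\s+"(?:[^"\\]|\\.)*"\s+"((?:[^"\\]|\\.)*)"')
    for line in joined.splitlines():
        m = pat.match(line)
        if m:
            actions = split_actions(m.group(1))
            if f"id:{rule_id}" in actions:
                return actions
    return None

def update_actions(directive):
    """Parse a SecRuleUpdateActionById line into (rule_id, action list)."""
    m = re.match(r'\s*SecRuleUpdateActionById\s+(\d+)\s+"([^"]*)"', directive)
    return int(m.group(1)), split_actions(m.group(2))

MULTI_USE = {"setvar", "tag"}  # assumption: actions a rule may carry more than once

def diff_update(original, update):
    """Return (actions new to the rule, multi-use actions the update repeats)."""
    added = [a for a in update if a not in original]
    repeated = [a for a in update if a in original and a.split(":", 1)[0] in MULTI_USE]
    return added, repeated
```

Running `diff_update(rule_actions(CRS_SNIPPET, 920210), update_actions(UPDATE_DIRECTIVE)[1])` lists "noauditlog" as the only new action and the seven tags plus the setvar as repeats, so the setvar is the one to watch when an update is appended rather than swapped in.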