Re: [mod-security-users] SecRuleUpdateActionById
From: Franziska B. <fra...@gm...> - 2025-05-02 09:16:08
Hi!

It's not a good idea to edit the rule files directly, as you've noticed.

The following directive works for me if I add it AFTER the CRS rules include:

SecRuleUpdateActionById 920210 "noauditlog"

I've tested it. You can, for example, rename the file rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf and add the directive there. You can also use an include in your Apache config after the CRS rules include.

Why do you need a nolog for 949110 and 980130? This will make you completely blind to which requests were blocked. Otherwise, you can probably achieve it with the same directive as above.

Please also read our excellent documentation on these topics:

https://coreruleset.org/docs/2-how-crs-works/2-3-false-positives-and-tuning/#directly-modifying-crs-rules
https://coreruleset.org/docs/2-how-crs-works/2-3-false-positives-and-tuning/#rule-exclusions
https://coreruleset.org/docs/2-how-crs-works/2-3-false-positives-and-tuning/#placement-of-rule-exclusions

Best,
Franziska, CRS Dev-on-Duty

On Thu, 1 May 2025 at 23:27, CM via mod-security-users <mod...@li...> wrote:

> I previously added "noauditlog" to rule 920210 by editing REQUEST-920-PROTOCOL-ENFORCEMENT.conf
> (and modified some other rules similarly) but I'm tired of the file getting
> overwritten by upgrades, I want to be able to manage my rule modifications
> centrally
>
> tried this first (too good to be true):
>
> SecRuleUpdateActionById 920210 "noauditlog"
>
> didn't work, I guess I'm overwriting everything that's there instead of
> just adding
>
> so I copied everything from the rule (except ID and phase) and added
> "nolog" to it, ending up with this:
>
> SecRuleUpdateActionById 920210 "block, noauditlog, t:none,
> msg:'Multiple/Conflicting Connection Header Data Found',
> logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi',
> tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1',
> tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/3.3.5',
> severity:'WARNING',
> setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
>
> that did sorta work but also it resulted in the anomaly score being
> applied twice, causing requests to be blocked that shouldn't have been
>
> so I tried removing just the anomaly score thing:
>
> SecRuleUpdateActionById 920210 "block, noauditlog, t:none,
> msg:'Multiple/Conflicting Connection Header Data Found',
> logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi',
> tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1',
> tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/3.3.5',
> severity:'WARNING'"
>
> and that does seem to work but do I really need all that?
>
> what's the absolute minimum I can do here to add "noauditlog" without
> breaking functionality of the rule?
>
> I also need to add "nolog" to rule 949110 and 980130, so what's the
> simplest possible SecRuleUpdateActionById that would do this without
> breaking them?
>
> also I noticed I can't do this in my modsecurity.conf (because it's
> loaded before the rules), I had to put it in one of my Apache
> configurations that's loaded after the rules
>
> any possible way to make modsecurity.conf process after the rules files
> are loaded so I can use SecRuleUpdateActionById in it instead of in my
> Apache configs?
>
> apache2/mods-enabled/security2.conf contains the following:
>
> IncludeOptional /etc/modsecurity/*.conf
> IncludeOptional /usr/share/modsecurity-crs/*.load
>
> if I swapped the order of these, would it break anything?
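As an added example (not code from the thread, ModSecurity or the CRS project), a small Python check that walks the config files in the order Apache includes them and flags any SecRuleUpdateActionById that is processed before the SecRule carrying that id, which is the placement problem discussed above. The file names and rule bodies below are constructed, simplified stand-ins for the real files and rules.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the order Apache processes the includes quoted in the thread:
# /etc/modsecurity/*.conf first, then the CRS rule files. Rule bodies are simplified
# stand-ins, not the real CRS rules.
CONFIG_ORDER: List[Tuple[str, str]] = [
    ("/etc/modsecurity/modsecurity.conf",
     'SecRuleEngine On\n'
     'SecRuleUpdateActionById 949110 "nolog"\n'),        # too early: 949110 not loaded yet
    ("/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
     'SecRule REQUEST_HEADERS:Connection "@rx (?i)(keep-alive|close)," \\\n'
     '    "id:920210,phase:1,block,t:none,msg:\'Multiple/Conflicting Connection Header Data Found\'"\n'),
    ("/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
     'SecRule TX:ANOMALY_SCORE "@ge 5" "id:949110,phase:2,deny,log"\n'),
    ("/usr/share/modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf",
     'SecRuleUpdateActionById 920210 "noauditlog"\n'),   # fine: after the rule's own file
]

# "id:920210" inside a SecRule action list (quotes around the number are optional)
RULE_ID_RE = re.compile(r"\bid:'?(\d+)'?")
# a SecRuleUpdateActionById directive at the start of a line
UPDATE_RE = re.compile(r"^\s*SecRuleUpdateActionById\s+(\d+)", re.MULTILINE)


def check_update_placement(files: List[Tuple[str, str]]) -> List[Tuple[int, str]]:
    """Return (rule_id, file) for every SecRuleUpdateActionById that is processed
    before the SecRule defining that id. The directive can only modify a rule that
    has already been loaded, so each hit has to move after the CRS rules include."""
    defined: Set[int] = set()
    problems: List[Tuple[int, str]] = []
    for path, text in files:
        # merge definitions and updates by position so in-file order is respected too
        events = [(m.start(), "def", int(m.group(1))) for m in RULE_ID_RE.finditer(text)]
        events += [(m.start(), "upd", int(m.group(1))) for m in UPDATE_RE.finditer(text)]
        for _, kind, rule_id in sorted(events):
            if kind == "def":
                defined.add(rule_id)
            elif rule_id not in defined:
                problems.append((rule_id, path))
    return problems


if __name__ == "__main__":
    for rule_id, path in check_update_placement(CONFIG_ORDER):
        print(f"{path}: SecRuleUpdateActionById {rule_id} runs before rule {rule_id} is loaded")
```

Rotating modsecurity.conf to the end of the list (as an include placed after the rules would) clears the report, which is the placement the reply recommends.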