Thread: [mod-security-users] ModSecurity 2.9.2 Rule Processing Order
From: Gryzli B. <gry...@gm...> - 2018-12-12 13:02:18
Hi to all,

Recently I found something weird for me - rules executing in the same phase are executed not by their ID numbers, but rather based on appearance in the configuration file.

Is that a correct behavior for ModSecurity?

Regards,
--
-- Gryzli

https://gryzli.info

From: Reindl H. <h.r...@th...> - 2018-12-12 13:08:16
On 12.12.18 at 14:02, Gryzli Bugbear wrote:
> Hi to all,
>
> Recently I found something weird for me - rules executing in the same
> phase are executed not by their ID numbers, but rather based on
> appearance in the configuration file.
>
> Is that a correct behavior for ModSecurity?

yes

the rule-ids are in different ranges depending on context and it would not make any sense to execute them in the order of the id's at all

From: Davy G. <da...@ya...> - 2018-12-14 13:58:10
Hi to all,

I wonder if you actually create a custom rule for mod security, for example to prevent piggy tail sqlia only. Is that possible?

Davy

From: Gryzli B. <gry...@gm...> - 2018-12-12 13:22:01
Thanks for your reply Reindl!

Could you tell me what you mean by this:
> the rule-ids are in different ranges depending on context

Just to make it clear - I'm using my own rules (not the CRS).

Also I didn't find any section in the official documentation stating the rule execution order (for a same phase) is actually based on the order they are stored in config files, instead of the id.

--
-- Gryzli

https://gryzli.info

From: Reindl H. <h.r...@th...> - 2018-12-12 13:27:49
On 12.12.18 at 14:21, Gryzli Bugbear wrote:
> Thanks for your reply Reindl!
>
> Could you tell me what you mean by this:
>> the rule-ids are in different ranges depending on context
>
> Just to make it clear - I'm using my own rules (not the CRS).
>
> Also I didn't find any section in the official documentation stating the
> rule execution order (for a same phase) is actually based on the order
> they are stored in config files, instead of the id

in the past the rule-id wasn't mandatory at all, that changed a few years ago

executing in id-order wouldn't be helpful

have fun when you have SecRuleRemoveById like below which can also exist in a <VirtualHost> and need to change ordering

<LocationMatch "^/whatever$">
  SecRuleRemoveById 132
  SecRuleRemoveById 152
  SecRuleRemoveById 958086
  SecRuleRemoveById 958087
  SecRuleRemoveById 950107
</LocationMatch>

From: Gryzli B. <gry...@gm...> - 2018-12-12 13:41:46
Actually it makes sense to work the way it does, it is my fault that I lived with wrong assumptions for so long ..

Thanks again ;)

--
-- Gryzli

https://gryzli.info

From: Christian F. <chr...@ne...> - 2018-12-12 14:01:35
On Wed, Dec 12, 2018 at 03:41:36PM +0200, Gryzli Bugbear wrote:
> Actually it makes sense to work the way it does, it is my fault that I lived
> with wrong assumptions for so long ..

You're in good company. It's a widespread misconception. :)

However, it's really important to get this right, otherwise, handling false positives won't work because you are always too early or too late.

I have a cheatsheet for FP handling on netnea.com. It makes clear that some FP handling techniques need to be written before the rules, others need to be written after the rules in the config file. This is because of this rule order.

Ahoj,

Christian
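
The ordering behaviour discussed in this thread, as an added configuration example that is not from any of the posters. Rule IDs, paths and the parameter name are constructed, and the placement notes for ctl:ruleRemoveById and SecRuleRemoveById follow the ModSecurity 2.x reference manual.

```apache
# Added example: all rule IDs, URIs and argument names are constructed.
SecRuleEngine On

# --- File order, not ID order, within one phase ---------------------
# Both rules run in phase 1. id:2000 is evaluated first because it
# appears first in the file, even though 1000 < 2000.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:2000,phase:1,pass,nolog,setvar:tx.is_api=1"

# Evaluated second, so it can rely on tx.is_api set by the rule above.
# If the two rules were swapped, this one would never match.
SecRule TX:is_api "@eq 1" \
    "id:1000,phase:1,pass,log,msg:'API request seen'"

# --- Runtime exclusion: place BEFORE the rule it disables -----------
# ctl:ruleRemoveById is an action of an ordinary rule, so it only takes
# effect if this rule is evaluated before id:3000. Both are phase 2
# here, which means file order alone decides that.
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:1100,phase:2,pass,nolog,ctl:ruleRemoveById=3000"

# --- The rule being tuned (stand-in for an included rule set) -------
SecRule ARGS:comment "@rx <script" \
    "id:3000,phase:2,deny,status:403,log,msg:'Script tag in comment'"

# --- Startup-time exclusion: place AFTER the rule it removes --------
# SecRuleRemoveById is processed when the configuration is loaded, and
# the reference manual requires it to follow the rule it removes.
<LocationMatch "^/whatever$">
    SecRuleRemoveById 3000
</LocationMatch>
```

With this file, a request to /upload reaches id:1100 first and is never checked by id:3000, while a request to /whatever has id:3000 removed from its context when the configuration is loaded.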