Modsecurity: CRS and v3 incompatibility due to ruleRemoveByTag

Created on 20 May 2019  路  10Comments  路  Source: SpiderLabs/ModSecurity

Hi all,

it seems that we've a compatibility problem with CRS and v3 due to missing ctl:ruleRemoveTargetByTag and ctl:ruleRemoveByTag. Can you confirm the following two issues?

If yes, is there a plan on when they will be implemented on v3?

thank you!

3.x duplicate pr available workaround available

Most helpful comment

Okay, the ruleRemoveById issue had been cleared :).

Here is a possible solution for ruleRemoveByTag:
https://github.com/airween/ModSecurity/tree/v3/issue2099
https://github.com/SpiderLabs/ModSecurity/compare/v3/master...airween:v3/issue2099

Please check that if works as well or you found any other problem (only with ruleRemoveByTag ctl action).

I'll continue with the ruleRemoveTargetByTag investigation.

All 10 comments

additional bit: it seems that ctl:ruleRemoveById works only if the first argument is an id and not a range, example:

  • ctl:ruleRemoveById=1234 work
  • ctl:ruleRemoveById=900000-999999 doesn't work (used in some CRS exclusion rule files)

thanks.

all problems seems to be related just to ctl:ruleRemoveTargetByTag and ctl:ruleRemoveByTag (thanks @airween). I'm trying to understand why some of my exclusion rules that use ranges in ctl:ruleRemoveById doesn't work as expected on v3.

Okay, the ruleRemoveById issue had been cleared :).

Here is a possible solution for ruleRemoveByTag:
https://github.com/airween/ModSecurity/tree/v3/issue2099
https://github.com/SpiderLabs/ModSecurity/compare/v3/master...airween:v3/issue2099

Please check that if works as well or you found any other problem (only with ruleRemoveByTag ctl action).

I'll continue with the ruleRemoveTargetByTag investigation.

Thank you @airween

after testing your patch it seems that all works like a charm! Maybe I've tested ctl: ruleRemoveTargetByTag with a buggy rule because it works too!

thank you so much for your support, as always!

Hi @theMiddleBlue,

The issue within ctl:ruleRemoveByTag is indeed confirmed. There was a missing check on the rules execution loop. @airween provided a pull request on #2102, which is under revision; Waiting for @airween appreciation.

Did not managed yet to reproduce the issue within ctl:ruleRemoveTargetByTag. Do you mind to clarify the version of ModSecurity that you have been spotted the problem at?

Thank you for the report.

Hi @zimmerle

thanks for taking the time to evaluate this problem. After doing some test with @airween, it turns out that ctl:ruleRemoveTargetByTag is working as expected. Maybe I've wrong something during my tests, sorry.

@theMiddleBlue - thanks for summary. Could you clarify that you're using version 3.0 of ModSecurity?

Yes, sorry: ModSecurity - v3.0.3-62-gd292a852 for Linux

Thank you @theMiddleBlue and @airween. #2102 was merged therefore this issue can be considered closed. Let me know if you face any further issue.

We don't have an ETA for the release yet. Likely this became 3.1 due to the lack of resources to make two different releases.

Was this page helpful?
0 / 5 - 0 ratings