Introduce proper IDs to all rules.

This is required for ModSecurity 2.7; the 430000-439999 range is
reserved for me, and I added a script that verifies all rules have an
id, that all the ids are unique, and that they are in the valid range.

optional/flameeyes_no_php.conf

@@ -7,8 +7,8 @@
 # desruptive.
 
 SecRule REQUEST_URI "@endsWith .php" \
-        "t:lowercase,phase:2,chain,msg:'%{REMOTE_ADDR} is trying to post to a non-existent PHP script',setvar:ip.blacklisted=1,expirevar:ip.blacklisted=%{TX.IP_EXPIRATION},deny,status:403"
+        "id:430090,t:lowercase,phase:2,chain,msg:'%{REMOTE_ADDR} is trying to post to a non-existent PHP script',setvar:ip.blacklisted=1,expirevar:ip.blacklisted=%{TX.IP_EXPIRATION},deny,status:403"
 SecRule REQUEST_METHOD "!@pm get head"
 
 SecRule REQUEST_URI "@endsWith .php" \
-        "t:lowercase,phase:2,deny,status:404"
+        "id:430091,t:lowercase,phase:2,deny,status:404"

optional/flameeyes_static_website.conf

@@ -4,4 +4,4 @@
 
 # When serving a static website, you should only accept GET and HEAD
 # requests, ignoring POST and similar.
-SecRule REQUEST_METHOD "!@pm get head" "t:lowercase,phase:2,deny,status:405"
+SecRule REQUEST_METHOD "!@pm get head" "id:430080,t:lowercase,phase:2,deny,status:405"

rules/flameeyes_00_settings.conf

@@ -9,6 +9,6 @@ SecAction "phase:1,t:none,nolog,setvar:tx.ip_expiration=259200,pass"
 # Since Amazon EC2 users will use dynamic IP addresses, there is no
 # reason to cache tests for a whole week. Instead do hourly checks
 # about them.
-SecRule REMOTE_HOST "@endsWith .amazonaws.com" "setvar:tx.ip_expiration=3600,nolog"
+SecRule REMOTE_HOST "@endsWith .amazonaws.com" "id:430000,setvar:tx.ip_expiration=3600,nolog"
 
 SecComponentSignature "Flameeyes's Ruleset for ModSecurity"

rules/flameeyes_05_proxy.conf

@@ -18,56 +18,56 @@
 # FreeBSD).
 
 SecRule &REQUEST_HEADERS:Via "@gt 0" \
-	"phase:2,setvar:ip.flameeyes_is_proxy=1,expirevar:ip.flameeyes_is_proxy=%{TX.IP_EXPIRATION},id:flameeyes-301,nolog"
+	"id:430500,phase:2,setvar:ip.flameeyes_is_proxy=1,expirevar:ip.flameeyes_is_proxy=%{TX.IP_EXPIRATION},nolog"
 
 # BlueCoat is a hardware firewall/proxy device. While it does not send
 # a Via header, it sends its own variation, which makes it easy to
 # detect.
 SecRule &REQUEST_HEADERS:X-BlueCoat-Via "@gt 0" \
-	"phase:2,setvar:ip.flameeyes_is_proxy=1,expirevar:ip.flameeyes_is_proxy=%{TX.IP_EXPIRATION},id:flameeyes-301a,nolog"
+	"id:430510,phase:2,setvar:ip.flameeyes_is_proxy=1,expirevar:ip.flameeyes_is_proxy=%{TX.IP_EXPIRATION},nolog"
 
 # Ignore GET and HEAD requests, as they shouldn't allow posting
 # anything at all, and this reduces the load on the checks.
-SecRule REQUEST_METHOD "@pm get head" "phase:2,t:lowercase,skipAfter:FLAMEEYES_END_PROXY,nolog"
+SecRule REQUEST_METHOD "@pm get head" "id:430520,phase:2,t:lowercase,skipAfter:FLAMEEYES_END_PROXY,nolog"
 
-SecRule IP:FLAMEEYES_IS_OPENPROXY "@eq 1" "nolog,skipAfter:FLAMEEYES_PROXY_REQUEST"
+SecRule IP:FLAMEEYES_IS_OPENPROXY "@eq 1" "id:430530,nolog,skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_HOST "@endsWith .anonymouse.org" \
-	"phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'Request coming through Anonymouse service',skipAfter:FLAMEEYES_PROXY_REQUEST"
+	"id:430531,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'Request coming through Anonymouse service',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl http.dnsbl.sorbs.net" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430532,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl socks.dnsbl.sorbs.net" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430533,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl misc.dnsbl.sorbs.net" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430534,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl dnsbl.proxybl.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430535,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl dnsbl.dronebl.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430536,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl list.blogspambl.com" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430537,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl cbl.abuseat.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430538,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl dnsbl.tornevall.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430539,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl rbl.efnetrbl.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430540,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecRule REMOTE_ADDR "@rbl dnsbl.swiftbl.org" \
-        "phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+        "id:430541,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 
 SecMarker FLAMEEYES_PROXY_REQUEST
 
 SecRule IP:FLAMEEYES_IS_OPENPROXY "@eq 1" \
-          "phase:2,msg:'%{REQUEST_METHOD} request through open proxy',deny,status:403"
+          "id:430599,phase:2,msg:'%{REQUEST_METHOD} request through open proxy',deny,status:403"
 
 SecMarker FLAMEEYES_END_PROXY

rules/flameeyes_07_malware.conf

@@ -16,4 +16,4 @@
 # situation here, and apply it later.
 
 SecRule REQUEST_HEADERS:User-Agent '@pmFromFile flameeyes_malware_signatures.data' \
-	"phase:1,t:lowercase,msg:'Identified malware signatures: %{REQUEST_HEADERS.User-Agent}',setvar:tx.infected=1"
+	"id:430700,phase:1,t:lowercase,msg:'Identified malware signatures: %{REQUEST_HEADERS.User-Agent}',setvar:tx.infected=1"

rules/flameeyes_10_robots.conf

@@ -6,27 +6,27 @@
 # marketing and malicious bots. Some of these are already listed by
 # the Core Rule Set but they are not considered fatal
 SecRule REQUEST_HEADERS:User-Agent "@pmFromFile flameeyes_bad_robots.data" \
-	"phase:2,t:lowercase,deny,status:403,msg:'Bad crawler %{REQUEST_HEADERS.User-Agent}',id:flameeyes-1"
+	"id:431000,phase:2,t:lowercase,deny,status:403,msg:'Bad crawler %{REQUEST_HEADERS.User-Agent}'"
 
 # Some robots are difficult to match with the pattern because they
 # don't provide long-enough User-Agent headers. Use a regexp for
 # those.
 SecRule REQUEST_HEADERS:User-Agent "(?:^(?:obot|bah|ning)$)" \
-        "phase:2,t:lowercase,deny,status:403,msg:'Bad crawler %{REQUEST_HEADERS.User-Agent}',id:flameeyes-1a"
+        "id:431010,phase:2,t:lowercase,deny,status:403,msg:'Bad crawler %{REQUEST_HEADERS.User-Agent}'"
 
 # Some marketing firms crawl from a proper FcRDNS domain, since they
 # might change the name of their bot, or hide it altogether, but they
 # aren't likely to change their FcRDNS, this should help us avoiding
 # them.
 SecRule REMOTE_HOST "@pmFromFile flameeyes_bad_firms.data" \
-        "phase:2,t:lowercase,deny,status:403,msg:'Crawler %{REQUEST_HEADERS:User-Agent} is coming from a blacklisted firm domain.'"
+        "id:431020,phase:2,t:lowercase,deny,status:403,msg:'Crawler %{REQUEST_HEADERS:User-Agent} is coming from a blacklisted firm domain.'"
 
 # Some bots don't really request robots.txt, because they act only on
 # user requests, but are not malicious per-se. On the other hand,
 # until they actually learn to use Accept-Encoding, they are better
 # listed here so that they can be told to stay away.
 SecRule REQUEST_HEADERS:User-Agent "@pmFromFile flameeyes_stealth_robots.data" \
-        "phase:2,setvar:ip.is_robot=1,expirevar:ip.is_robot=%{TX.IP_EXPIRATION},nolog"
+        "id:431030,phase:2,setvar:ip.is_robot=1,expirevar:ip.is_robot=%{TX.IP_EXPIRATION},nolog"
 
 # Check for robots that don't use Accept-Encoding to receive
 # compressed responses; we expect that at least one between deflate
@@ -35,15 +35,15 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile flameeyes_stealth_robots.data" \
 #
 # http://blog.flameeyes.eu/2010/10/03/size-matters-for-crawlers-too
 SecRule REQUEST_URI "@streq /robots.txt" \
-	"phase:2,pass,setvar:ip.is_robot=1,expirevar:ip.is_robot=%{TX.IP_EXPIRATION},skipAfter:END_ROBOT_CHECKS,noauditlog"
+	"id:431040,phase:2,pass,setvar:ip.is_robot=1,expirevar:ip.is_robot=%{TX.IP_EXPIRATION},skipAfter:END_ROBOT_CHECKS,noauditlog"
 
 SecRule REQUEST_HEADERS:Accept-Encoding "@pm deflate gzip" \
-        "phase:2,t:lowercase,skipAfter:END_ROBOT_CHECKS,nolog"
+        "id:431050,phase:2,t:lowercase,skipAfter:END_ROBOT_CHECKS,nolog"
 
 SecRule REQUEST_METHOD "@pm head options" \
-        "phase:2,t:lowercase,skipAfter:END_ROBOT_CHECKS,nolog"
+        "id:431060,phase:2,t:lowercase,skipAfter:END_ROBOT_CHECKS,nolog"
 
 SecRule IP:IS_ROBOT "@eq 1" \
-	"phase:2,deny,status:406,msg:'Robot at %{REMOTE_ADDR} is not supporting compressed responses',log,noauditlog"
+	"id:431070,phase:2,deny,status:406,msg:'Robot at %{REMOTE_ADDR} is not supporting compressed responses',log,noauditlog"
 
 SecMarker END_ROBOT_CHECKS

rules/flameeyes_15_robots_validation.conf

@@ -43,57 +43,57 @@
 #   http://googlewebmastercentral.blogspot.com/2006/09/how-to-verify-googlebot.html
 
 SecRule REQUEST_HEADERS:User-Agent "@contains googlebot" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Googlebot crawler.',phase:2"
+	"id:431500,t:lowercase,chain,deny,status:403,msg:'Fake Googlebot crawler.',phase:2"
 SecRule REMOTE_HOST "!@endsWith .googlebot.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@pm msnbot bingbot" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake msnbot/bingbot crawler.',phase:2"
+	"id:431501,t:lowercase,chain,deny,status:403,msg:'Fake msnbot/bingbot crawler.',phase:2"
 SecRule REMOTE_HOST "!msnbot-\d+-\d+-\d+-\d+\.search\.msn\.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains yahoo! slurp" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Yahoo! Slurp crawler.',phase:2"
+	"id:431502,t:lowercase,chain,deny,status:403,msg:'Fake Yahoo! Slurp crawler.',phase:2"
 SecRule REMOTE_HOST "!@endsWith .crawl.yahoo.net"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains yahoo pipes" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Yahoo Pipes crawler.',phase:2"
+	"id:431503,t:lowercase,chain,deny,status:403,msg:'Fake Yahoo Pipes crawler.',phase:2"
 SecRule REMOTE_HOST "!\.yahoo\.(?:com|net)$"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains yeti/" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Yeti crawler.',phase:2"
+	"id:431504,t:lowercase,chain,deny,status:403,msg:'Fake Yeti crawler.',phase:2"
 SecRule REMOTE_HOST "!^crawl-\d+-\d+-\d+-\d+\.naver\.jp$"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains hailoobot" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake Hailoobot crawler.',phase:2"
+        "id:431505,t:lowercase,chain,deny,status:403,msg:'Fake Hailoobot crawler.',phase:2"
 SecRule REMOTE_HOST "!@eq webcrawler.hailoo.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains technoratibot/" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake Technoratibot crawler.',phase:2"
+        "id:431506,t:lowercase,chain,deny,status:403,msg:'Fake Technoratibot crawler.',phase:2"
 SecRule REMOTE_HOST "!@eq crawler.technorati.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains friendfeedbot/" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake FriendFeed crawler.',phase:2"
+        "id:431507,t:lowercase,chain,deny,status:403,msg:'Fake FriendFeed crawler.',phase:2"
 SecRule REMOTE_HOST "!@endsWith .facebook.com"
 
 SecRule REQUEST_HEADERS:User-Agent "yandex(?:bot|images)" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake Yandex crawler.',phase:2"
+        "id:431508,t:lowercase,chain,deny,status:403,msg:'Fake Yandex crawler.',phase:2"
 SecRule REMOTE_HOST "!@endsWith .yandex.(ru|com)"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains netvibes" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake Netvibes crawler.',phase:2"
+        "id:431509,t:lowercase,chain,deny,status:403,msg:'Fake Netvibes crawler.',phase:2"
 SecRule REMOTE_HOST "!@endsWith .netvibes.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains bloglines/" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Bloglines crawler.',phase:2"
+	"id:431510,t:lowercase,chain,deny,status:403,msg:'Fake Bloglines crawler.',phase:2"
 SecRule REMOTE_HOST "@streq crawler.bloglines.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains gist server" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake Gist crawler.',phase:2"
+	"id:431511,t:lowercase,chain,deny,status:403,msg:'Fake Gist crawler.',phase:2"
 SecRule REMOTE_HOST "@endsWith .gist.com"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains blogscope" \
-	"t:lowercase,chain,deny,status:403,msg:'Fake BlogScope crawler.',phase:2"
+	"id:431512,t:lowercase,chain,deny,status:403,msg:'Fake BlogScope crawler.',phase:2"
 SecRule REMOTE_HOST "@endsWith .toronto.edu"
 
 SecRule REQUEST_HEADERS:User-Agent "@contains newsgator" \
-        "t:lowercase,chain,deny,status:403,msg:'Fake NewsGatorOnline crawler.',phase:2"
+        "id:431513,t:lowercase,chain,deny,status:403,msg:'Fake NewsGatorOnline crawler.',phase:2"
 SecRule REMOTE_HOST "@endsWith .newsgator.com"

rules/flameeyes_20_antispam.conf

@@ -3,29 +3,29 @@
 
 # Ignore GET and HEAD requeests, as they shouldn't alow posting
 # anything at all, and this reduces the load on the checks.
-SecRule REQUEST_METHOD "@pm get head" "phase:2,t:lowercase,skipAfter:FLAMEEYES_END_ANTISPAM,nolog"
+SecRule REQUEST_METHOD "@pm get head" "id:432000,phase:2,t:lowercase,skipAfter:FLAMEEYES_END_ANTISPAM,nolog"
 
 # Allow requests without referer headers (anonymizers usually do so),
 # but deny those with a surely-wrong referer (that does not include
 # the server name itself).
 SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
-        "phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403,id:flameeyes-101"
+        "id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"
 
 # Deny access if empty user agent, or no user agent, is sent;
 # anonymizers might send this but it's not extremely common; it is,
 # though, very common among spammers.
 SecRule REQUEST_HEADERS:User-Agent "^$" \
-	"phase:2,msg:'Empty User-Agent when posting',deny,status:403,id:flameeyes-102"
+	"id:432020,phase:2,msg:'Empty User-Agent when posting',deny,status:403"
 
 SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
-        "phase:2,msg:'Missing User-Agent header when posting',deny,status:403,id:flameeyes-103"
+        "id:432021,phase:2,msg:'Missing User-Agent header when posting',deny,status:403"
 
 # The Mozilla/ specifier at the top of the User-Agent is used by most
 # browsers but it's always either 4.0 or 5.0, depending on the
 # version; if there is some other number as minor version, it's almost
 # certainly a forged header.
 SecRule REQUEST_HEADERS:User-Agent "^(?:mozilla/[45]\.[1-9])" \
-	"phase:2,t:lowercase,msg:'Invalid Mozilla version %{REQUEST_HEADERS.User-Agent}.',deny,status:403,id:flameeyes-106"
+	"id:432030,phase:2,t:lowercase,msg:'Invalid Mozilla version %{REQUEST_HEADERS.User-Agent}.',deny,status:403"
 
 # We expect Windows XP users to upgrade at least to IE7 or, better,
 # use a different browser like Firefox, Chrome, Sfari or Opera.
@@ -37,19 +37,19 @@ SecRule REQUEST_HEADERS:User-Agent "^(?:mozilla/[45]\.[1-9])" \
 # extint yet, and they cannot upgade to IE7 or later, so for now
 # blacklist only those users using Windows XP, Vista or later.
 SecRule REQUEST_HEADERS:User-Agent "msie 6\.0[ab]?;(?: .+;)? windows nt [56]\." \
-	"phase:2,t:lowercase,msg:'IE6 on modern Windows: %{REQUEST_HEADERS.User-Agent}',deny,status:403"
+	"id:432040,phase:2,t:lowercase,msg:'IE6 on modern Windows: %{REQUEST_HEADERS.User-Agent}',deny,status:403"
 
 # Nobody would seriously use a PSP to comment on a blog or post
 # anything useful, mostly on the count that the PSP has a very bad
 # input system, but also because even the latest iteration (PSP-3004
 # and PSP-N1004) have puny browsers that cannot load properly most
 # sites.
 SecRule REQUEST_HEADERS:User-Agent "psp \(playstation portable\)" \
-	"phase:2,t:lowercase,msg:'PSP trying to post comments',deny,status:403"
+	"id:432050,phase:2,t:lowercase,msg:'PSP trying to post comments',deny,status:403"
 
 # Check if the request comes from an infected system, if so don't
 # allow it to go through.
 SecRule TX:infected "@eq 1" \
-	"phase:2,msg:'Infected client',deny,status:403"
+	"id:432060,phase:2,msg:'Infected client',deny,status:403"
 
 SecMarker FLAMEEYES_END_ANTISPAM

rules/flameeyes_30_refererspam.conf

@@ -8,14 +8,14 @@
 # Some log analysers, such as AWStats, seem to split the header so
 # that the referrers show up both in the statistics.
 SecRule REQUEST_HEADERS:Referer 'http://.* http://' \
-	"phase:1,t:lowercase,msg:'Multiple URLs in Referer header.',deny,status:403,id:flameeyes-201"
+	"id:433000,phase:1,t:lowercase,msg:'Multiple URLs in Referer header.',deny,status:403"
 
 SecRule REQUEST_HEADERS:Referer '@pmFromFile flameeyes_bad_referrers.data' \
-        "phase:1,t:lowercase,,msg:'Known referer spammers.',deny,status:403,id:flameeyes-202"
+        "id:433001,phase:1,t:lowercase,,msg:'Known referer spammers.',deny,status:403"
 
 # A number of referrer spam requests come via the HEAD method; to
 # workaround possible filters on fake or empty user agent they use
 # real browsers' strings, but then those browsers don't seem to ever
 # use the HEAD method.
-SecRule REQUEST_METHOD "@streq head" "t:lowercase,phase:2,deny,status:403,msg:'HEAD request coming from browser, likely referrer spam.',chain"
+SecRule REQUEST_METHOD "@streq head" "id:433010,t:lowercase,phase:2,deny,status:403,msg:'HEAD request coming from browser, likely referrer spam.',chain"
 SecRule REQUEST_HEADERS:User-Agent "@pm firefox safari msie opera"