SecRuleRemoveById being ignored #600
Comments
I would also like to report this issue, but then on Windows 7, IIS 7.5 and ModSecurityIIS 2.7.5. I am overriding rule 981173 in a file named modsecurity_crs_60_customrules.conf. SecRuleRemoveById 981173 They all do not work. [snippet] SecRuleRemoveById 981173 |
@Kriska |
thanks, was it easy to compile? |
@Kriska |
I might have something to investigate, but I don't know if it's related to Apache or not. It seems that whenever I try to add more than one Include directory inside /etc/apache2/mods-available/mod-security.conf I am facing problems when disabling rules. root@srv # apache2 -v Mod_security version: 2.7.5 |
Did you try disabling rules this way?
|
@steffen-nielsen Just to summarize: By using a single include file everything is working as expected (including SecRuleRemoveById)? If you include another file then SecRuleRemoveById stops working? |
@zimmerle Originally I would include the following two directories, but leaving just the one of them fixed the problem. (Wildcards are translated, but should be in front of .conf) Include /etc/modsecurity/.conf |
@steffen-nielsen - based on the path info you supplied, I think the issue is the order in which these .conf files are executed/read. In your initial post, you listed the following exception file - /etc/modsecurity/modsecurity_crs_99_whitelist.conf This would be activated by the following Include directive - Include /etc/modsecurity/*.conf The issue may be that the SecRuleRemoveById directive must be declared after the rule it is disabling is already read into memory. This means that if rule ID 981060 is within a .conf file under /etc/modsecurity/activated_rules/ then the SecRuleRemoveById directive must be called up afterwards. I would recommend that you use explicit Includes vs. wildcarding to ensure that your modsecurity_crs_99_whitelist.conf file is listed last. |
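Added example (not part of the thread and not ModSecurity's own code): a small checker for the ordering problem described in the comment above. It walks the Include directives in the order Apache reads them (wildcards expand alphabetically) and reports every SecRuleRemoveById that is parsed before the rule it names. Assumptions: the configuration is passed as an in-memory map of path to text, wildcards appear only in the file-name part of an Include, and the two rule bodies are constructed placeholders.

```python
import fnmatch
import posixpath
import re

INCLUDE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)', re.I)
REMOVE = re.compile(r'^\s*SecRuleRemoveById\s+(.+)', re.I)
RULE_ID = re.compile(r"\bid:\s*'?(\d+)")

def parse_order(name, files):
    """Yield (file, lineno, line) in the order Apache reads the configuration."""
    for n, line in enumerate(files[name].splitlines(), 1):
        m = INCLUDE.match(line)
        if not m:
            yield name, n, line
            continue
        pat = m.group(1)
        # A wildcard Include expands alphabetically, within one directory level only.
        for inc in sorted(f for f in files if fnmatch.fnmatch(f, pat)
                          and posixpath.dirname(f) == posixpath.dirname(pat)):
            yield from parse_order(inc, files)

def ineffective_removals(main, files):
    """Return (file, lineno, token) for each removal read before its rule is loaded."""
    loaded, bad = set(), []
    for name, n, line in parse_order(main, files):
        if line.lstrip().startswith("#"):
            continue
        m = REMOVE.match(line)
        if not m:
            loaded.update(int(i) for i in RULE_ID.findall(line))
            continue
        for tok in m.group(1).replace('"', " ").split():  # single ids or lo-hi ranges
            lo, _, hi = tok.partition("-")
            if not any(i in loaded for i in range(int(lo), int(hi or lo) + 1)):
                bad.append((posixpath.basename(name), n, tok))
    return bad

# Constructed layout modelled on the thread; the rule bodies are placeholders.
ETC = "/etc/modsecurity"
FILES = {
    f"{ETC}/modsecurity_crs_99_whitelist.conf": "SecRuleRemoveById 981060 981205\n",
    f"{ETC}/activated_rules/crs_placeholder.conf":
        "SecRule ARGS \"@rx a\" \"phase:2,id:'981060',deny\"\n"
        "SecRule ARGS \"@rx b\" \"phase:2,id:'981205',deny\"\n",
}
WHITELIST_FIRST = {**FILES, "main": f"Include {ETC}/*.conf\nInclude {ETC}/activated_rules/*.conf\n"}
WHITELIST_LAST = {**FILES, "main": f"Include {ETC}/activated_rules/*.conf\nInclude {ETC}/*.conf\n"}

if __name__ == "__main__":
    print(ineffective_removals("main", WHITELIST_FIRST))  # both removals are read too early
    print(ineffective_removals("main", WHITELIST_LAST))   # nothing flagged
```

With the whitelist Include listed first, both ids are flagged; swapping the two Include lines so the whitelist is read last clears the report.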
@rcbarnett I hope this will help future readers, as I was struggling to find help on the internet on this issue. |
Uhm, I didn't get that chance. I use only one include (Include "/etc/modsecurity/*.conf") and in /etc/modsecurity (sorry for the long list but maybe something in this list could be wrong) I got this: total 184 |
Hi @thierrybo, Try to place the SecRuleRemoveById rules after including everything else, such as:
|
OK, I use the default Debian Wheezy. In /etc/apache2/mods-enabled/mod-security.conf I have : in /etc/modsecurity/ I created modsecurity.conf and modsecurity_crs_99_whitelist.conf. All other files are symlinked from /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf , all files in /usr/share/modsecurity-crs/base_rules and all files in /usr/share/modsecurity-crs/optional_rules. So there is only ONE flat level in /etc/modsecurity/ if I didn't make a mistake here, so there shouldn't be an issue with folder priority? |
Hi Spiderlab,
I'm experiencing that this option is being ignored on my Ubuntu 12.04 installation. I've tried with both version 2.6.3 (from repo) and 2.7.5 with Apache. Mod security runs fine and is triggered on different rules. But trying to disable the rules either globally or per site doesn't seem to have any effect - the rules keep triggering and prohibit access.
For instance I have defined the following in /etc/modsecurity/modsecurity_crs_99_whitelist.conf:
SecRuleRemoveById 981060 981205
But I still see the rules trigger in the audit log. Setting other options in this same file is being read fine, as "SecRuleEngine Off" does disable Mod security completely.
Could I be missing something or is this a bug?
/Steffen