-
-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example #2878
Conversation
Hi @fardarter. Can you provide some context for your pull request, please? Are you trying to add rules that perform some sort of detection and add to the anomaly score in |
OK, let me give some more context. I'm trying to make this my rule:
Instead of the default at The runtime override doesn't help because it matches on the inverse case, so I need to replace the rule. I wasn't able to find any examples with operator replacement ( At this point I've actually just inserted a ruleset after initialisation, which I'm not sure is the best practice here. It's been difficult to find docs on best practices for this other than the comments in Previously I had it in Any advice/guidance welcome. |
Thank you for this PR and explaining it. We have multiple problems here and it's a bit tricky. Great you found the reason behind it. First, like you already noticed, the rule 920470 uses a denylist ( So correct solution, like you described, is:
But AFTER the rule Another solution to your problem is to put the new rule 9204700 into But we definitely have to document this somewhere. @RedXanadu : Do you also think we have to document this special case when a new rule in |
Hi @franbuehler. One suggestion I might make is reserving a rules file number (say I know i can set some of this stuff in the settings file, but it's much easier from an automation perspective to move files around rather than trying to comment/insert/uncomment in bash. What do you think? |
@dune73: I think you know this problem that a new rule at PL1 can not be added to What do you think of adding it to our documentation (add rule to PL2) or making a new file |
Thanks @franbuehler. :) Just as a note, it would be lovely if these files were highlighted in the docs more (not sure if the guidance isn't given or I just didn't find it), but I had to dig deep into some long blog posts to discover them and read the source comments. |
Personally, when I need to do something like this (an operator change) in production and a rule exclusion is not possible for some reason, I use a As long as you're not using early blocking mode and it's a phase 1 rule then I think it should work fine. Like:
Alternatively, you could try writing a runtime rule exclusion to verify / check / validate specifically for your excluded situation. Something like:
|
Wouldn't it need to run prior to the Do you have a reason against including it at Also, noob question, but what is early blocking mode and how do I know if I'm running it? |
This is a peculiar problem and a tricky workaround. I never work with rule exclusion files 900 and 999, but my technique (-> REs are always in webserver config, not hidden in a file) would bump into the same problem. I tend to use the variant proposed by @franbuehler with the additional rule. I usually place it in phase 1, but after the include. That would correspond to the 999 file; but in phase 1. A clean solution could indeed be the move 900 to 902. One would need to look at it in detail though, because some REs people have written probably depend on 901 not being executed yet. Also wondering wether this pecular RE / rule replacement would not look better as a plugin. foobar-plugin-after.conf; phase 1. |
What I've done is made a ruleset Probably not a good idea to move So what I'd suggest is preserve both locations for user consumption but with the I'm not familiar with the plugin system. I'd suggest keeping it as simple as possible, but I don't know what plugins should do. What I would say is that something like this would might make a good case study for the docs. What do you think? |
While I have anyone's attention, do you know if the rules order on nginx is still unstable? I've seen a few blogs say for nginx (not nginx+, I'm compiling this myself) saying that one has to declare the includes in order versus using the wildcard(* -- as opposed to apache) but I've not been able to validate that yet (though I imagine load logs might be in the debug logs?). |
Hi all. Wondering if anyone considered my suggestion. Would like to set up in an authorised way. |
I think the wildcard problem with Include on nginx is solved. As far as your change is concerned. It might be a good idea, or it might not be a good idea. Hard to tell and it would take a very deep analysis to know for sure and I get the feeling none of the developers is particularly interested in the question. This may look or sound a bit unfriendly, but the situation is that your problem is acknowledged, but the devs do not consider it big enough to invest into it. Honestly, we have far bigger problems with CRS4 drawing closer and other big changes. So maybe this PR will just fade, maybe somebody picks it up and merges it eventually, or maybe somebody else picks it up, rewrites into something different and then it gets merged. Please do not be offended, it's just the way open source projects work. |
No offence taken. Not particularly concerned about the PR anymore. More just wondering if it's possible to put a simple proposition to vote: That the 902 range be reserved for userspace. Using a file there seems to me to be the cleanest solution but if it isn't policy then my deployment could break down the line in a fairly invisible way for other maintainers. Haven't seem any reasons against being offered in the above discussion. All it would really need is a note on the docs to make it real. |
@dune73 @RedXanadu What do you think we should do here? |
I think the least we can do is document it as an edge case and propose one or two workarounds, for example the one by @fardarter and the one by @RedXanadu which is very close to @franbuehler's and what I suggested above. @RedXanadu is this something you could provide? If yes, we can then close this PR in favor of the documentation change. @fardarter : We are planning to replace the ModSec recommended rules after CRSv4 came out in favor of our own version. This might be a moment where we look at CRS initialization in a holistic way and we would then also try and solve this problem for good. It's really quite hairy if we want to solve this without breaking anything and also try and avoid other pitfalls in this direction. Thank you for your understanding above. |
@dune73 If I'm right about the semantics, this does rightly belong in phase 1? In general my request is only that it's well specified (so that anyone coming later will know what it is) and can be easily achieved by copying a file into a location (for automation). |
It does belong into phase 1. It is supposed to be early, but not so early as to be overwritten later by CRS initialization. Or CRS initialization should make sure it is not overwriting existing default values (as it correctly does for anomaly thresholds etc). We have the same problems and limitations with plugins btw. A clean and intuitive solution would be big step forward. |
@dune73 Yes, I can add this corner case as a 'Known Issue'. I'll include @franbuehler's suggestion and also @fardarter suggestion of adding a new file to the running order like '902-CUSTOM-RULES-AFTER-INIT' etc. |
Thank you very much indeed. |
In order to resolve this pull request, we revisited and discussed the overall issue in our team chat this evening. (The full archive of the discussion will be available very soon from here: https://github.com/coreruleset/project-chat-archive/). The decisions made were as follows:
|
No description provided.