SecRuleRemoveByTag

[kiawin]

Hi, May I know whether the connector currently accepts SecRuleRemoveByTag?

With the current configuration,

modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;
modsecurity_rules '
SecRuleRemoveByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"
';

I get this error

# nginx -t -c /etc/nginx/nginx.conf
nginx: [emerg] "modsecurity_rules" directive Rules error. File: <<reference missing or not informed>>. Line: 2. Column: 55. syntax error, unexpected QUOTATION_MARK  in /etc/nginx/nginx.conf:26
nginx: configuration file /etc/nginx/nginx.conf test failed

Line 26 refers to the SecRuleRemoveByTag line, and column 55 is the last character of the line, which happens to be end quote.

[victorhora]

Hi @kiawin,

I'm afraid SecRuleRemoveByTag is not implemented nor expected by the parser. Hence why you're getting that error. You should be able to use SecRuleRemoveById for now.
I'll update the docs accordingly until we have it implemented.

[kiawin]

@victorhora thanks for the update. just curious, do you have a page that list all supported directives?

[victorhora]

Hi @kiawin,

Yes, we recently added up to date versioning information to the reference manual for most of the directives and also added this "tag": Supported on libModSecurity: YES|NO|TBI|TBD

Note: Please bear in mind that these updates to the docs is a work in progress so don't assume that a directive is not implemented just because it's missing the tag ;)

[aliesss]

Hi,
Since SecRuleRemoveByTag is not supported now, is there any other solution to remove rules under certain category? Other than SecRuleRemoveById, as it is not so efficient to block multiple different rules based on category

[victorhora]

Hi, @aliesss depending on your scenario and what you're trying to do, you could try with ctl:ruleRemove directives.

As of now ruleRemoveTargetByTag, ruleRemoveTargetById and ruleRemoveById are all implemented in libModSecurity.

[victorhora]

Closing this one as the missing directives are known and being handled at owasp-modsecurity/ModSecurity#1476

[feanorknd]

Hello...

Running at commit 1edd357 (22-Jun)...

ruleRemoveTargetByTag are not working for me...

#################################################################
SecRule REQUEST_URI "^/admin/guardar_(?:banner|texto).php$"
"id:100, t:none, phase:2, nolog, noauditlog, pass,
--->> NOTHING OF THESE DOES NOTHING... owasp rules keeps matching and blocking <<---
ctl:ruleRemoveTargetByTag=attack-xss;ARGS:codigo,
ctl:ruleRemoveTargetByTag=attack-xss;ARGS:textos[pt],
ctl:ruleRemoveTargetByTag=attack-xss;ARGS:textos.*,
ctl:ruleRemoveTargetByTag=XSS;ARGS,
ctl:ruleRemoveTargetByTag=attack-xss;ARGS,
--->> THESE ARE RUNNING OK... disabling the owasp rules previously matching and blocking <<---
ctl:ruleRemoveById=941100,
ctl:ruleRemoveById=941160
"
#################################################################

If I just remove the ruleRemoveById directives, the ruleRemoveTargetByTag are not doing nothing. Note the id 941100 and 941160 belongs to tags "attack-xss" and "OWASP_CRS/WEB_ATTACK/XSS"...

Thanks so much