ModSecurity Rules Writing Guidelines
Tags:
Guides
- Max Garrick provides an excellent guide on how to tune a rule set for your own environment. Note that this is a checklist and not a step-by-step guide.
- Ryan Barnett's blog entry about handling false positives is an indispensable guide for analyzing audit records and writing exceptions for ModSecurity rules.
Specific Tips
skipAfter
When using skipAfter, always skip to a SecMarker and not to a regular rule. skipAfter would break if the regular rule used as its target is later bypassed with a RemoveRule action or directive, because the target no longer exists.
To work around this limitation and create an exception without modifying an existing rule file that does not use SecMarker (for example the Core Rule Set), use SecRuleUpdateActionById <rule> "pass,nolog" instead of SecRuleRemoveById: the rule stays in place as a skip target but no longer blocks. However, SecRuleUpdateActionById has no corresponding ctl action, so it can only be used for certain (configuration-time) exceptions, not for all of them.
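The two points above, as an added example in ModSecurity v2 rule syntax (this is illustration written for this page, not code from any real rule set; the rule ids 900001-900010, the marker name and the request patterns are assumptions):

```apache
# Added example (not from the original page): a small rule group that uses
# skipAfter safely, followed by the exceptions that keep it working.
# Rule ids, the marker name and the matched values are made up for illustration.

# Rule 900001 skips the bot checks for the health-check endpoint.
# It jumps to a SecMarker, never to another rule id, so the jump target
# still exists even if every rule in between is removed by an exception.
SecRule REQUEST_URI "@streq /healthz" \
    "id:900001,phase:1,pass,nolog,skipAfter:END_BOT_CHECKS"

SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto" \
    "id:900002,phase:1,deny,status:403,log,msg:'Scanner user agent'"

SecRule REQUEST_HEADERS:User-Agent "!@rx ." \
    "id:900003,phase:1,deny,status:403,log,msg:'Empty user agent'"

SecMarker END_BOT_CHECKS

# --- Exceptions, placed in a file that is included AFTER the rules above ---

# Fragile: if any rule said "skipAfter:900003" instead of skipping to the
# marker, removing 900003 would also remove that rule's jump target.
# SecRuleRemoveById 900003

# Safe: rule 900003 stays in the chain (so it can still serve as a skipAfter
# target in rule sets without markers) but now passes silently.
SecRuleUpdateActionById 900003 "pass,nolog"

# A per-request exception can only be expressed with a ctl removal, because
# SecRuleUpdateActionById has no ctl: counterpart. Removal via ctl has the
# same "missing target" risk as SecRuleRemoveById for any rule that is a
# skipAfter target, so here it is applied only to 900002, which nothing
# skips to.
SecRule REQUEST_URI "@beginsWith /internal/" \
    "id:900010,phase:1,pass,nolog,ctl:ruleRemoveById=900002"
```

SecRuleUpdateActionById only takes effect for rules that were already defined when the directive is read, which is why the exception file must be included after the rule file.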