ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard

Published 20 hours ago verified publisher icon owasp-modsecurity

SecRuleUpdateActionById directive with a range

Open oceanmancuonh opened this issue 1 year ago • 3 comments

How to use SecRuleUpdateActionById directive to change action of multi rule id ? When i use SecRuleUpdateActionById 70050015 "pass" -> It's work

But SecRuleUpdateActionById 70050014-70050016 "pass" -> Not work

oceanmancuonh avatar Nov 12 '24 11:11 oceanmancuonh

Hi @oceanmancuonh,

do you think that would be the expected behavior?

libmodsecurity3's reference shows it does not support at all:

https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#secruleupdatetargetbyid

and mod_security2's reference that engine supports only the id[:offset] syntax:

https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleupdateactionbyid

airween avatar Nov 12 '24 18:11 airween

that means if i want to change a series of action rules then i have to declare each rule id one by one if using this directive. there is no way to select multi rule id like regex, wildcard, ...

oceanmancuonh avatar Nov 13 '24 02:11 oceanmancuonh

that means if i want to change a series of action rules then i have to declare each rule id one by one if using this directive. there is no way to select multi rule id like regex, wildcard, ...

Yes, exactly.

You haven't mentioned which rule set you use, but if it's CRS, you can use SecRuleUpdateTargetByTag - docs is here. Probably it's more efficient.

airween avatar Nov 13 '24 08:11 airween