feat: accidental firewall disability prevention #3650
base: main
Conversation
I see what you want to do here, but do you really think this is such a big deal? I agree it can happen, but any functionality test of the WAF will fail afterwards anyways. For the record: My modsec-rulereport.rb script used to generate rule exclusions refuses to do a rule exclusion for one of the evaluation rules but displays an explanation instead. The same is true for c-rex.netnea.com.
It depends; most of the exclusion rules look like this:
If a user adds
This one is real fun. :)
A few are also here:
You are right here, yes.
I am not convinced this is needed, but the example with the path constraint is really very hard to spot any other way. Let's discuss this at the next meeting.
This is only a proof-of-concept, probably not the best one.
Every one of our users who is new to rule exclusions and is trying to write his/her own exclusion rules also disables one or both of the rules 949110 and 959100. What is worse, in most cases users see that it helped to resolve the problem and don't know that the whole firewall was disabled. Such cases are probably discovered only by accident, because users are having more problems they are unable to resolve and are asking for help, where they show us the currently used exclusion rule. How many installations of CRS are there with rules 949110/959100 disabled?

This PR is showing how it is possible to partially prevent this and, at least, log a huge warning for a user.
Any ideas how to do this better are welcomed.
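As an added example (not the PR's proof-of-concept and not CRS project code), the following Python script audits a user's exclusion file for the failure mode described above: a rule removal that covers 949110 or 959100, whether written as a file-level `SecRuleRemoveById` directive or as a `ctl:ruleRemoveById` action on a path-constrained `SecRule`, including ID ranges such as `900000-999999` that silently swallow both evaluation rules. The sample configuration inside the block is constructed for the example; the script assumes only those two ModSecurity syntaxes and does not look at `SecRuleRemoveByTag` or `SecRuleRemoveByMsg`.

```python
import re

# The two CRS blocking evaluation rules named in the PR: removing either one
# leaves every detection rule running but nothing that ever blocks.
EVALUATION_RULES = {
    949110: "inbound anomaly score evaluation",
    959100: "outbound anomaly score evaluation",
}

# File-level directive:  SecRuleRemoveById 949110   /   SecRuleRemoveById "900000-999999"
REMOVE_DIRECTIVE = re.compile(r'^\s*SecRuleRemoveById\s+(.+?)\s*$', re.IGNORECASE)
# Runtime action inside a SecRule action list:  ctl:ruleRemoveById=949110  or a range
CTL_ACTION = re.compile(r'ctl:ruleRemoveById=([0-9]+(?:-[0-9]+)?)', re.IGNORECASE)
# A single id or an inclusive id range, as accepted by both syntaxes above
ID_OR_RANGE = re.compile(r'([0-9]+)(?:-([0-9]+))?')


def ids_removed(spec):
    """Return the set of evaluation rule ids covered by an id/range specification."""
    hits = set()
    for match in ID_OR_RANGE.finditer(spec):
        low = int(match.group(1))
        high = int(match.group(2) or low)
        for rule_id in EVALUATION_RULES:
            if low <= rule_id <= high:
                hits.add(rule_id)
    return hits


def audit_exclusions(text):
    """Scan exclusion config text; return (line number, rule id, line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        specs = []
        directive = REMOVE_DIRECTIVE.match(line)
        if directive:
            specs.append(directive.group(1).strip('"\''))
        # a continuation line of a multi-line SecRule still carries the ctl action
        specs.extend(CTL_ACTION.findall(line))
        for spec in specs:
            for rule_id in sorted(ids_removed(spec)):
                findings.append((lineno, rule_id, stripped))
    return findings


def format_warnings(findings):
    """Render findings as the kind of loud warning the PR wants logged."""
    return [
        f"line {lineno}: rule {rule_id} ({EVALUATION_RULES[rule_id]}) is removed by "
        f"'{line}' -- this disables CRS blocking entirely"
        for lineno, rule_id, line in findings
    ]


# Constructed sample of exclusions a new user might write. Line 2 is a harmless
# exclusion; line 3 and the range on line 5 are the accidental-disable cases.
SAMPLE = """\
# constructed sample: per-site rule exclusions
SecRuleRemoveById 942100
SecRuleRemoveById 949110
SecRule REQUEST_URI "@beginsWith /api/upload" \\
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=900000-999999"
SecRule REQUEST_URI "@beginsWith /healthz" \\
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveById=920350"
"""

if __name__ == "__main__":
    for warning in format_warnings(audit_exclusions(SAMPLE)):
        print(warning)
```

Run it against a real `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` by reading the file into `audit_exclusions`; the expensive case to catch is the range form, because a range that looks like "all CRS rules for this path" reads as intentional to the person writing it while in fact switching off the evaluation rules for that path.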