feat: accidental firewall disability prevention #3650
Conversation
|
I see what you want to do here, but do you really think this is such a big deal? I agree it can happen, but any functionality test of the WAF will fail afterwards anyways. For the record: My modsec-rulereport.rb script used to generate rule exclusions refuses to do a rule exclusion for one of the evaluation rules but displays an explanation instead. The same is true for c-rex.netnea.com. |
It depends, most of the exclusion rules looks like this: If a user adds |
|
This one is real fun. :) |
|
Few are also here: |
You are right here, yes. |
|
I am not convinced this is needed, but the example with the path constraint is really very hard to spot any other way. Let's discuss this at the next meeting. |
This is only a proof-of-concept, probably not the best one.
Everyone of our users, who is new to rule exclusions and is trying to write his/her own exclusion rules, is disabling also one or both of the rules
949110and959100. What is worse, in most cases, users see that it helped to resolve the problem and doesn't know that the whole firewall was disabled. Such cases are discovered probably only by accident, because users are having more problems they are unable to resolve and are asking for help where they show us currently used exclusion rule. How many installations of CRS are there with rules949110/959100disabled?This PR is showing how it is possible to partially prevent this and, at least, log a huge warning for a user.
Any ideas how to do this better are welcomed.