
ModSecurity IDs sequential?


  • cPanelLauren
    Do you mean as far as exceptions/whitelisting go? This is detailed here: Adding Exceptions and Tuning CRS - OWASP CRS Documentation 3.0.0-rc1 documentation, and full detail on CTL: SpiderLabs/ModSecurity. But I'm not sure I understand the question, since the rules you'd add to whitelist would reference a rule ID but not have a rule ID of their own as far as I know.
  • Scott Galambos
    So the ID for a whitelist has to be the ID for an existing rule to whitelist against. Is this how you whitelist an IP address then?

        SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"

    Every time I try to whitelist an IP address it says ID already used and won't let Apache restart. For example, I see this in my logs:

        Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 72.238.15.34] ModSecurity: Warning. Pattern match "(?i)<[^\\\\\\\\... [id "941160"] [rev "2"] [msg "NoScript.... Action: Intercepted (phase 2)

    So I want to whitelist IP address 72.238.15.34 against this rule. So I do:

        SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"

    and it will not work:

        Oct 14 08:41:24 core.extremehosting.ca restartsrv_httpd[32070]: ModSecurity: Found another rule with the same id
        Oct 14 08:41:24 core.extremehosting.ca systemd[1]: Failed to start Apache web server managed by cPanel EasyApache.

    What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?
  • PlotHost
        SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"

    The ID here should be a custom ID. ID 941160 is already used by another rule: "900,000-999,999: reserved for the OWASP ModSecurity Core Rule Set".

    "What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?"

    Try something like this. Look in the ModSecurity reference manual:

        SecRule REMOTE_ADDR "@ipMatch 72.238.15.34" "id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=941160"
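The restart failure and the fix discussed in this thread can be caught before Apache is reloaded. The following is an added example, not code from any poster or from cPanel or ModSecurity: a small lint that flags duplicate rule IDs and locally written rules whose own ID falls in the CRS-reserved range quoted above. The file names `crs.conf` and `custom.conf`, the function names, and the stand-in CRS rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# ID range the thread quotes as reserved for the OWASP Core Rule Set.
CRS_RESERVED = range(900_000, 1_000_000)
DIRECTIVE = re.compile(r"^\s*(SecRule|SecAction)\b", re.I)
# Matches id:NNN in the action list; ctl:ruleRemoveById=NNN has no "id:".
RULE_ID = re.compile(r"\bid:'?(\d+)")

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def lint(files, custom=()):
    """files: {name: config text}; custom: names of locally written files.
    Returns a sorted list of (kind, rule_id, [file:line, ...])."""
    seen, findings = defaultdict(list), []
    for name, text in files.items():
        for no, line in logical_lines(text):
            m = RULE_ID.search(line) if DIRECTIVE.match(line) else None
            if not m:
                continue
            rid, where = int(m.group(1)), f"{name}:{no}"
            seen[rid].append(where)
            if name in custom and rid in CRS_RESERVED:
                findings.append(("reserved-range", rid, [where]))
    findings += [("duplicate-id", r, w) for r, w in seen.items() if len(w) > 1]
    return sorted(findings)

# Constructed inputs: a stand-in for the CRS file (not the real rule text)
# and the two exclusion rules posted in the thread.
CRS = 'SecRule ARGS "@rx placeholder" \\\n    "id:941160,phase:2,block"\n'
FAILING = ('SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" '
           '"id:941160,ctl:ruleEngine=Off"\n')
WORKING = ('SecRule REMOTE_ADDR "@ipMatch 72.238.15.34" '
           '"id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=941160"\n')

if __name__ == "__main__":
    for label, rule in (("failing", FAILING), ("working", WORKING)):
        print(label, lint({"crs.conf": CRS, "custom.conf": rule}, {"custom.conf"}))
```

The first rule is reported twice (duplicate ID and reserved range); the second passes because its own ID is 1010 and 941160 appears only as the target of `ctl:ruleRemoveById`.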
