Are modsec rule ID's sequential? Like is their preference linear? If I want to whitelist an IP does my ID have to be as low as possible (eg. 1 thru say 200)? Or can I make it like 60000 and it will still work?
Do you mean as far as exceptions/whitelisting go? This is detailed here Adding Exceptions and Tuning CRS — OWASP CRS Documentation 3.0.0-rc1 documentation and full detail on CTL SpiderLabs/ModSecurity
But I'm not sure I understand the question since the rules you'd add to whitelist would reference a rule ID but not have a rule ID of their own as far as I know.
But I'm not sure I understand the question since the rules you'd add to whitelist would reference a rule ID but not have a rule ID of their own as far as I know.
So the ID for a whitelist has to be the ID for an existing rule to whitelist against. Is this how you whitelist an IP address then?
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
every time I try to whitelist an IP address it says ID already used and won't let apache restart.
For example I see this in my logs:
so I want to whitelist IP address 72.238.15.34 againts this rule. so I do:
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
and it will not work:
Oct 14 08:41:24 core.extremehosting.ca restartsrv_httpd[32070]: ModSecurity: Found another rule with the same id
Oct 14 08:41:24 core.extremehosting.ca systemd[1]: Failed to start Apache web server managed by cPanel EasyApache.
What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
every time I try to whitelist an IP address it says ID already used and won't let apache restart.
For example I see this in my logs:
Code:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 72.238.15.34] ModSecurity: Warning. Pattern match "(?i)<[^\\\\\\\\... [id "941160"] [rev "2"] [msg "NoScript....
Action: Intercepted (phase 2)SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
and it will not work:
Oct 14 08:41:24 core.extremehosting.ca restartsrv_httpd[32070]: ModSecurity: Found another rule with the same id
Oct 14 08:41:24 core.extremehosting.ca systemd[1]: Failed to start Apache web server managed by cPanel EasyApache.
What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?
Code:
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"Try something like. Look in the modsecurity reference manual
Code:
SecRule REMOTE_ADDR "@ipMatch 72.238.15.34" "id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemovebyID=941160"
