[Owasp-modsecurity-core-rule-set] What does the rule ID stand for?
Brian.Rectanus at breach.com
Fri Aug 28 12:33:08 EDT 2009
Junyong Jiang wrote:
> Dear all,
> I find every modsecurity rule has its own rule ID, some rules may share
> the same ID.
> I don't know why each rule has a specific ID. If the ID is only a unique
> No., why are they marked from 1, 2, 3, ...
> Hope for your reply. Thanks in advance!
Originally it was intended to identify a specific rule. This allowed
you to do exceptions to the rules, etc.
However, as rules became more complex, it became required to write a
single "rule" (better named "recipe") with multiple SecRule/SecAction
directives. So, should all those rules have the same ID, or multiple?
It was not clear.
Now, with CRS v2.0, we have anomaly scoring and a better mechanism for
exceptions, so the IDs are of less importance and really quite a pain to
maintain them as unique.
We are trying to come up with a solution for this. One of these we
discussed was date-like IDs with prefixes. For example:
bsr = Breach Security Rule (prefix to avoid name clash)
20090928 = 28 Aug 2009
211305 = 21:13:05 GMT
Then modifying the ID range operators to deal with such a rule ID and
treat this as just "20090928211305" or just do string comparisons
(alpha-numeric sort) vs numeric ranges.
Any suggestions are welcome.
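
The two comparison options raised in the reply above, sketched as an added example (not code from the post or from ModSecurity). The `prefix-date-time` separator form and all function names are assumptions; the sample IDs are constructed from the parts given in the post.

```python
import re

# Assumed textual form "<prefix>-<YYYYMMDD>-<HHMMSS>"; the post names only the parts.
DATED_ID = re.compile(r"^([a-z]+)-(\d{8})-(\d{6})$")


def parse_rule_id(rule_id):
    """Split an ID into (prefix, digits); legacy numeric IDs get prefix ''."""
    m = DATED_ID.match(rule_id)
    if m:
        return m.group(1), m.group(2) + m.group(3)
    if rule_id.isdigit():
        return "", rule_id
    raise ValueError(f"unrecognised rule ID: {rule_id!r}")


def _digits_in_same_namespace(rule_id, low, high):
    """Return the three digit strings, or None if the prefixes differ."""
    parsed = [parse_rule_id(x) for x in (rule_id, low, high)]
    if len({prefix for prefix, _ in parsed}) != 1:
        return None
    return [digits for _, digits in parsed]


def in_range_numeric(rule_id, low, high):
    """Option 1: drop the prefix and compare the digits as integers."""
    d = _digits_in_same_namespace(rule_id, low, high)
    return d is not None and int(d[1]) <= int(d[0]) <= int(d[2])


def in_range_string(rule_id, low, high):
    """Option 2: plain string comparison; only safe for equal-width digits."""
    d = _digits_in_same_namespace(rule_id, low, high)
    return d is not None and d[1] <= d[0] <= d[2]


if __name__ == "__main__":
    # Constructed sample IDs built from the parts given in the post.
    rid, lo, hi = "bsr-20090928-211305", "bsr-20090901-000000", "bsr-20090930-235959"
    print(parse_rule_id(rid))
    print(in_range_numeric(rid, lo, hi), in_range_string(rid, lo, hi))
    # Legacy variable-width IDs: the two options disagree.
    print(in_range_numeric("15", "9", "20"), in_range_string("15", "9", "20"))
```

String comparison agrees with numeric comparison only when every ID has the same digit width, which the fixed 14-digit date form provides and legacy numeric IDs do not; an exception written as an ID range would silently miss rules in the second case.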