[Owasp-modsecurity-core-rule-set] What does the rule ID stand for?

Brian Rectanus Brian.Rectanus at breach.com
Fri Aug 28 12:33:08 EDT 2009


Junyong Jiang wrote:
> Dear all,
> I find every modsecurity rule has its own rule ID, some rules may share
> the same ID.
> I don't know why the rule has a specific ID. If the ID is only a unique
> No., but why they are marked from 1, 2, 3, ...
> Hope for your reply. Thanks in advance!

Originally it was intended to identify a specific rule.  This allowed 
you to do exceptions to the rules, etc.

However, as rules became more complex, it became required to write a 
single "rule" (better named "recipe") with multiple SecRule/SecAction 
directives.  So, should all those rules have the same ID, or multiple? 
It was not clear.

Now, with CRS v2.0, we have anomaly scoring and a better mechanism for 
exceptions, so the IDs are of less importance and really quite a pain to 
maintain them as unique.

We are trying to come up with a solution for this.  One of these we 
discussed was date-like IDs with prefixes.  For example:

bsr-20090928-211305

bsr = Breach Security Rule (prefix to avoid name clash)
20090928 = 28 Aug 2009
211305 = 21:13:05 GMT

Then modifying the ID range operators to deal with such a rule ID and 
treat this as just "20090928211305" or just do string comparisons 
(alpha-numeric sort) vs numeric ranges.

Any suggestions are welcome.

-B

-- 
Brian Rectanus
Breach Security
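
Added example, not part of the original message and not ModSecurity or CRS code: a sketch of the two ID range comparisons discussed above, applied to the proposed prefix-date-time format. The function names, the sample IDs and the second prefix "abc" are assumptions made for illustration.

```python
import re
from datetime import datetime

# Format assumed from the message: <prefix>-<YYYYMMDD>-<HHMMSS>
RULE_ID = re.compile(r"^([a-z]+)-(\d{8})-(\d{6})$")

def parse_rule_id(rule_id):
    """Split an ID into (prefix, 14-digit integer key); ValueError if malformed."""
    m = RULE_ID.match(rule_id)
    if not m:
        raise ValueError("not a prefixed date-like rule ID: %r" % rule_id)
    prefix, date, time = m.groups()
    datetime.strptime(date + time, "%Y%m%d%H%M%S")  # rejects e.g. month 13
    return prefix, int(date + time)

def in_range_numeric(rule_id, low, high):
    """Option 1: ignore the prefix and compare the digits as a number."""
    key = parse_rule_id(rule_id)[1]
    return parse_rule_id(low)[1] <= key <= parse_rule_id(high)[1]

def in_range_string(rule_id, low, high):
    """Option 2: alpha-numeric comparison of the whole ID, prefix included."""
    for value in (rule_id, low, high):
        parse_rule_id(value)  # validate; fixed-width fields keep the sort order
    return low <= rule_id <= high

def select(rule_ids, low, high, in_range):
    """Return the IDs that an exception written as low..high would cover."""
    return [r for r in rule_ids if in_range(r, low, high)]

# Constructed sample IDs; "abc" is a hypothetical second rule vendor.
SAMPLE_IDS = [
    "bsr-20090928-211305",
    "bsr-20090928-211400",
    "abc-20090928-211330",
    "bsr-20091001-000000",
]
LOW, HIGH = "bsr-20090928-211305", "bsr-20090928-211500"

if __name__ == "__main__":
    print("numeric:", select(SAMPLE_IDS, LOW, HIGH, in_range_numeric))
    print("string: ", select(SAMPLE_IDS, LOW, HIGH, in_range_string))
```

With the prefix dropped, an exception range written for one prefix also covers another vendor's rule whose timestamp falls inside the window; the string comparison keeps the range within the prefix.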

