[Owasp-modsecurity-core-rule-set] Renumbering RuleIDs

Christian Folini christian.folini at netnea.com
Thu Jan 14 07:27:06 UTC 2016


Hi there,

On Thu, Jan 14, 2016 at 05:50:46AM +0000, Leos Rivas Manuel wrote:
> I agree, plus if you have a bunch of custom rules you will suffer to do the renumbering yourself.
> 
> I made a quick check and apparently there are no collisions in the id's but that doesn't include any possible custom rule out there so a warning must be included.

But people using the 9xxxxx namespace for their own rules are crazy.
The policy to reserve this range for the CRS is well-documented. I
do not think custom rules in this range should matter.

After all, the re-numbering is meant to bring some clarity into the
namespace. The old rule numbering policy is very hard to grasp. At
least for me.

The general idea of the rule ids is now to establish a link between 
the rule and the file it resides in:

9<rulefile-prefix><individual number>
Individual numbers start at 100 and grow in steps of ten.
(There are exceptions like 941000. Why?)

So 3.0.0-rc1 rule 931110 is the 2nd rule in 
REQUEST-31-APPLICATION-ATTACK-RFI.conf.

The last time a significant rule renumbering / consolidation
took place was between 2.2.3 and 2.2.4 (or 4->5?), when a lot
of the sqli rules were moved. This was done more or less briefly
before the switch from svn to git, the svn history was lost 
(to the general public) and no csv file documenting the 
process.

This more fundamental renumbering is also painful for 
active installations, but at least we have the means to 
update existing exception/tuning rules.

Best,

Christian


-- 
History teaches us that men and nations behave wisely once they have
exhausted all other alternatives.
-- Abba Eban


More information about the Owasp-modsecurity-core-rule-set mailing list