[Owasp-modsecurity-core-rule-set] Missing Component Signature / Version Information in Blocking Rules

Christian Folini christian.folini at netnea.com
Fri Nov 18 15:06:57 UTC 2016

Hello Heinrich,

Another well spotted bug. Thank you. It's funny how a new pair of eyes
spots bugs in corners ignored by experienced users.

The support for the "ver" action is only partial. In fact there are
more than only the blocking rules that come without the "ver" action.

I have opened a bug report for this issue:

I flagged it for CRS 3.1.0. There is a chance, this will be made
available for 3.0.1, but I doubt it as it's quite a bit of work
and not crucial for the correct functioning of the rule set.

In your situation, you are best off with the following construct
including the mandatory regular expression: Note how the CRS rules
are all in the 900K range, but we lately claimed the 9M range too;
hence {5,6}.

$> cat error.log | egrep "id \"9[0-9]{5,6}\""

Keep these bug reports coming, please.



On Thu, Nov 17, 2016 at 02:27:14PM +0100, Heinrich M. wrote:
> Hi,
> while playing around with the rule set and adding some custom rules, I
> found that the blocking rules miss the version tag within Apache's
> error log. Is there a reason for this? As far as I could see, every
> other rule is tagged with [ver "OWASP_CRS/3.0.0"] but I may be missing
> something. 
> I'd like to grep for '[ver "OWASP_CRS/3.0.0"]' in order to separate log
> entries from custom rules from the CRS rules. I know that this can also
> be done by rule IDs but those regexes are hard ;-).
> Regards,
> Heinrich

mailto:christian.folini at netnea.com
twitter: @ChrFolini
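
An added example, not part of the original message or of the CRS project: a shell sketch that applies the ID ranges from the reply above (six- or seven-digit rule IDs starting with 9) to split alert lines into CRS and custom entries, and separately reports CRS-range entries that lack the ver tag. The log lines, the custom rule IDs and the function names (sample_log, classify, summary) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the style of ModSecurity alerts in Apache's error log.
sample_log() {
cat <<'EOF'
[client 192.0.2.10] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [ver "OWASP_CRS/3.0.0"] [uri "/"]
[client 192.0.2.10] ModSecurity: Access denied with code 403. [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"]
[client 192.0.2.10] ModSecurity: Warning. [id "9000001"] [msg "constructed 9M-range entry"] [ver "OWASP_CRS/3.0.0"] [uri "/"]
[client 192.0.2.11] ModSecurity: Warning. [id "10001"] [msg "constructed custom rule"] [uri "/login"]
[client 192.0.2.11] ModSecurity: Warning. [id "90001"] [msg "custom rule, starts with 9 but only 5 digits"] [uri "/login"]
[core:notice] AH00094: Command line: '/usr/sbin/apache2'
EOF
}

# Read alert lines on stdin and print "<class> <id>" for each one:
#   crs         id in the 900K or 9M range, ver tag present
#   crs-no-ver  id in the 900K or 9M range, ver tag missing
#   custom      any other rule id
# Lines without an [id "..."] field are skipped.
classify() {
  awk '
    match($0, /\[id "[0-9]+"\]/) {
      # Cut the digits out of [id "NNN"]: 5 chars of prefix, 2 of suffix.
      id = substr($0, RSTART + 5, RLENGTH - 7)
      # Same range as 9[0-9]{5,6}, spelled out for awks without {m,n}.
      if (id ~ /^9[0-9][0-9][0-9][0-9][0-9][0-9]?$/) {
        cls = index($0, "[ver \"OWASP_CRS/") ? "crs" : "crs-no-ver"
      } else {
        cls = "custom"
      }
      print cls, id
    }'
}

# One-line tally of the three classes.
summary() {
  classify | awk '
    { n[$1]++ }
    END { printf "crs=%d crs-no-ver=%d custom=%d\n", n["crs"], n["crs-no-ver"], n["custom"] }'
}

sample_log | classify
sample_log | summary
```

Because the class is decided by the quoted ID alone, a custom rule whose ID falls in the same ranges would be counted as CRS, so custom rules need IDs outside them for this split to hold.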
