1

I have looked around on the net and have seen many common answers for this; however, none of them are working.

I am trying to use this to ignore whenever our scans kick off in the morning.

SecRule REMOTE_HOST "@ipmatch 99.123.33.87" "id:90000009,phase:1,t:none,allow,nolog,ctl:ruleRemovebyID=.*;"

Anyone know what the problem might be?

LUser
  • 217
  • 6
  • 15

2 Answers

1

In the answer from Barry Pollard there's ctl:ruleEngine=On while it should be Off to ignore all the rules, as required in the question. Here's another example on how to do this, from a working configuration:

# @contains is a substring test, so "99.123.33.87" would also match e.g. 199.123.33.87; @ipMatch compares the address itself
SecRule REMOTE_ADDR "@ipMatch 99.123.33.87" "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
1

Several problems:

  1. REMOTE_HOST is a name not an IP address. You want REMOTE_ADDR.

  2. "ctl:ruleRemovebyID=.*" is not valid syntax and, even if it was, should not be necessary (though see point 4 below).

  3. You don't need the semicolon at the end.

  4. "Allow" is ignored in DetectionOnly mode, which I think is counter intuitive and can lead to a lot of false detections if you need to switch to this mode for some reason. So I always add "ctl:ruleEngine=On" to any "allow" rules I write to force this rule to also work even when in that mode.

The final correct version of your rule is therefore:

SecRule REMOTE_ADDR "@ipmatch 99.123.33.87" "id:90000009,phase:1,t:none,allow,nolog,ctl:ruleEngine=On"
Barry Pollard
  • 4,461
  • 14
  • 26
  • I tried this and I still get loads of log entries so I am not sure what the deal is. – LUser Jan 22 '16 at 23:12
  • here is one of them logging for the TRACE method being tested – LUser Jan 22 '16 at 23:13
  • [22/Jan/2016:01:43:04 --0700] [1.1.2.3/sid#7f01b0139ea8][rid#7f01b0d015a8][/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] – LUser Jan 22 '16 at 23:13
  • Are you putting this override rule first in your config - before the other rules run? Also might be worth changing the nolog to log to see it logging. Or turning on SecDebugLog to see whether you rule was processed and failed to match. – Barry Pollard Jan 22 '16 at 23:22
  • I had it in the 65th conf. I think I will try to place it in the 15 spot and see. – LUser Jan 22 '16 at 23:31
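As an added example (not code from the thread), a small Python script that performs the check Barry Pollard suggests: with nolog swapped for log on the allow rule and SecDebugLog enabled, it parses debug-log lines in the format of the entry LUser quoted and reports whether the allow rule fired for the scanner address and which CRS rules still logged against it. The sample lines, the allow rule's IPmatch message wording and the scanner_allow.conf file name are constructed assumptions.

```python
import re
from collections import defaultdict

# Header of a ModSecurity 2.x SecDebugLog entry, in the shape quoted in the comments above:
# [22/Jan/2016:01:43:04 --0700] [1.1.2.3/sid#7f01b0139ea8][rid#7f01b0d015a8][/][2] Warning. ...
HEADER = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^/\]]+)/sid#[0-9a-f]+\]'
    r'\[rid#[0-9a-f]+\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<msg>.*)$'
)
# Every rule-generated message carries the rule id as an [id "..."] tag.
RULE_ID = re.compile(r'\[id "(?P<id>\d+)"\]')

def parse_line(line):
    """Split one debug-log line into its fields; None if it is not a log entry."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    idm = RULE_ID.search(rec['msg'])
    rec['rule_id'] = idm.group('id') if idm else None
    return rec

def rule_ids_by_ip(lines):
    """Map each client address to the sorted list of rule ids that logged against it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['rule_id']:
            seen[rec['ip']].add(rec['rule_id'])
    return {ip: sorted(ids) for ip, ids in seen.items()}

def check_exclusion(lines, scanner_ip, allow_rule_id):
    """allow_fired False: the allow rule never matched (wrong variable, wrong file order).
    leaked_rule_ids non-empty: it matched but did not stop processing (e.g. DetectionOnly
    without ctl:ruleEngine), so other rules still logged against the scanner."""
    ids = set(rule_ids_by_ip(lines).get(scanner_ip, []))
    return {'allow_fired': allow_rule_id in ids,
            'leaked_rule_ids': sorted(ids - {allow_rule_id})}

# Constructed sample: the first line is the entry quoted in the comments; the scanner lines,
# the IPmatch message wording and the 15_scanner_allow.conf file name are assumed for the demo.
SAMPLE_LOG = """\
[22/Jan/2016:01:43:04 --0700] [1.1.2.3/sid#7f01b0139ea8][rid#7f01b0d015a8][/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"]
[22/Jan/2016:06:00:01 --0700] [99.123.33.87/sid#7f01b0139ea8][rid#7f01b0d02000][/][2] Warning. IPmatch: "99.123.33.87" at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/modsecurity_crs_15_scanner_allow.conf"] [line "1"] [id "90000009"]
[22/Jan/2016:06:00:01 --0700] [99.123.33.87/sid#7f01b0139ea8][rid#7f01b0d02000][/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"]
"""
if __name__ == '__main__':
    print(rule_ids_by_ip(SAMPLE_LOG.splitlines()))
    print(check_exclusion(SAMPLE_LOG.splitlines(), '99.123.33.87', '90000009'))
```

In the sample the allow rule fired but 960032 still logged for the scanner, which is the symptom LUser reports and what Barry's point 4 about DetectionOnly explains.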