Friday 31 October 2014

ModSecurity Rule Execution Order and ctl:ruleRemoveById

In ModSecurity, rules are executed in the order in which they are "physically" included into Apache's httpd.conf file: first all the rules for phase 1, then all the rules for phase 2, and so on.

The documentation for ctl:ruleRemoveById states that "since this action is triggered at run time, it should be specified before the rule which it is disabling".

"Before" in this case means that the rule containing ctl:ruleRemoveById needs to run before the rule to be removed.

This means that if the rule to be removed runs in phase 1, then the rule removing it needs to be "physically" included before the rule to be removed.

But if the rule to be removed runs in phase 2, then the rule removing it can be "physically" included after the rule to be removed, as long as the removing rule itself runs in phase 1.
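The two cases above in ModSecurity 2.x rule syntax, as an added example that is not part of the original post; the rule ids, match operators and the /api/ path are constructed for illustration, and ctl:ruleRemoveById only affects the transaction in which the removing rule matched.

```apache
# Case 1: the rule to be removed (100001) runs in phase 2.
# The removing rule (100002) runs in phase 1, so it executes first in
# every transaction even though it is included later in the file.
SecRule ARGS "@contains example" \
    "id:100001,phase:2,deny,status:403,msg:'Constructed phase-2 rule'"

SecRule REQUEST_URI "@beginsWith /api/" \
    "id:100002,phase:1,pass,nolog,ctl:ruleRemoveById=100001"

# Case 2: the rule to be removed (100004) runs in phase 1.
# Both rules are phase 1, so file order is execution order: the removing
# rule (100003) must be included before 100004. Placed after it, 100003
# would run too late and 100004 would already have fired.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:100003,phase:1,pass,nolog,ctl:ruleRemoveById=100004"

SecRule REQUEST_HEADERS:User-Agent "@contains example-agent" \
    "id:100004,phase:1,deny,status:403,msg:'Constructed phase-1 rule'"
```

Because the exemption is applied per transaction, only requests for which the removing rule matched (here, paths under /api/) skip the removed rule; all other requests are still evaluated against it.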
