0

Virtually all SecRule examples for modsecurity whitelisting I found on the web include turning off the rule engine, example:

phase:1,nolog,allow,ctl:ruleEngine=Off,id:23023

However, as far as I got it from the documentation, "nolog" combined with "allow" should have exactly the same effect already - namely disrupting rule processing and preventing any log entries. Hence, wouldn't the following configuration be absolutely equivalent?

phase:1,nolog,allow,id:23023

If I am wrong, where's the difference between the two?

I am using modsecurity 2.9.3.

neuro
  • 14,948
  • 3
  • 36
  • 59
Dante77
  • 3
  • 2

1 Answers1

0

I’ve not seen that before but I can take a guess why it’s there.

The allow action is a disruptive action. When ModSecurity is working in DetectionOnly mode then disruptive actions (including allow) are not actually actioned. This means any subsequent rules are still run - even though they would not be run when running in the normal On mode. This can make the logs very noisy, and also make you think you have to tune more rules which you do not actually have to tune.

The ctl action is not disruptive and so does execute even in DetectionOnly mode. Therefore by adding ctl:ruleEngine=Off to any allow rules you can have only the real errors logging in Detection only mode.

I’ve actually done the opposite and used ctl:ruleEngine=On to make the allow action take effect even in DetectionOnly mode. For example I have a rule, near the beginning of all my rules, to look at GET calls with no params to index.html pages and say they are reasonably safe so no need to run rest of rules on them. This saves processing time and false flags.

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92