Add a new known issue for replacement phase 1 rules #79
Assignees
Comments
|
I see some merit in a 902 rule file. But I would like to postpone the discussion after 4.0. We need to think this through and it also touches on the idea of a CRS recommend rules file. |
|
As discussed in this evening's team chat, the original PR that spawned this new issue will be closed, while this documentation issue will remain open so that we can have a rethink about the underlying problem post-CRS 4.0. |
|
@RedXanadu Appreciate this approach. Glad it continues to stay on the table. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If completely replacing a CRS phase 1 rule (not just updating a rule target etc. but completely replacing a rule, i.e. the operator is being modified) then this cannot occur in the
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conffile because any anomaly scoring will be wiped and set to 0 immediately after whenREQUEST-901-INITIALIZATION.confexecutes.RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.confis also no good as the replacement rule needs to come beforeREQUEST-949-BLOCKING-EVALUATION.conf/RESPONSE-959-BLOCKING-EVALUATION.confso that the replacement rule correctly contributes to anomaly scoring totals. Otherwise, things like early blocking mode can start to break.Document corner case as a known issue.
Include two ideas as solutions:
includesREQUEST-902-CUSTOM-RULES-POST-INITfile, or something similar, if there are going to be many such replacement rulesReference: coreruleset/coreruleset#2878
The text was updated successfully, but these errors were encountered: