tags and exclusion rules

[theMiddleBlue]

As @zimmerle explained here the tag matching in v3 is no more regex based.

[...] the match for a tag in v2 is a regular expression by default, that is why it matches partially a string. When implemented on v3 we made it a string comparison; due to performance reasons [...]

In the link above, you can see why, in v3, tags like OWASP_CRS/FOO/BAR are no more useful and why we should split it into three different tags (something like tag:'OWASP_CRS',tag:'FOO',tag:'BAR'). I know that it means touching all rules with all problems related to it, but I think that at some stage in the future, we have to face this problem and maybe review all rules' tag.

Of course, we can solve by replacing all ctl:ruleRemoveTargetByTag=CRS with ctl:ruleRemoveTargetById=910000-999999 as done in #1445 (we're waiting this fix owasp-modsecurity/ModSecurity#2110 🤣) but things like that are no more true for all v3 users:

owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

Lines 129 to 144 in c6249fa

	# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
	# for all CRS rules
	#
	# This rule illustrates that we can use tagging very effectively to whitelist a
	# common false positive across an entire ModSecurity instance. This can be done
	# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
	# affect custom rules.
	#
	# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
	# for all CRS rules
	# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
	# "id:1003,\
	# phase:2,\
	# pass,\
	# nolog,\
	# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

should I remove this part from rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example? If yes, can I do it on #1445 PR?

[csanders-git]

Yeah, this should be done -- we need to slightly update the wording -- see the PR :)

[dune73]

PR #1445 is meant to fix this in order to bring back libModSecurity v3 compatibility. However, PR #1445 is blocked by another libModSecurity bug (owasp-modsecurity/ModSecurity#2114). We are thus stuck between a hammer and a hard place.

[lifeforms]

This is fixed in v3.2.0. We worked around the problem in ModSecurity 3 by adding the explicit tag to all the rules.