Inconsistent use of SecArgumentsLimit in Recommended Rules #3261

Open
studersi opened this issue Sep 25, 2024 · 4 comments
Labels
2.x Related to ModSecurity version 2.x

Comments


Describe the bug

The limit SecArgumentsLimit is inconsistently used and documented.

|                                | v2.9.8    | v3.0.13                                                         |
|--------------------------------|-----------|-----------------------------------------------------------------|
| Supported (code)               | x         | ? (could not find it in source code, only in recommended rules) |
| Supported (documentation)      | x (2.9.7) | x (3.0.5)                                                       |
| ModSecurity Recommended Rules  | -         | x                                                               |

Logs and dumps

Not applicable.

To Reproduce

Not applicable.

Expected behavior

I would expect the recommended rules for v2.9.8 to also include the SecArgumentsLimit configuration, like 3.0.13.

Server (please complete the following information):

  • ModSecurity version (and connector): v2.9.8
  • WebServer: Not applicable.
  • OS (and distro): Not applicable.

Rule Set (please complete the following information):

  • Running any public or commercial rule set? ModSecurity Recommended Rules
  • What is the version number? v2.9.8

Additional context

@studersi studersi added the 2.x Related to ModSecurity version 2.x label Sep 25, 2024
@studersi studersi changed the title Inconsistent use and documentation of SecArgumentsLimit Inconsistent use of SecArgumentsLimit in Recommended Rules Sep 25, 2024
airween (Member) commented Sep 26, 2024

Hi @studersi,

thanks for reporting this. You're completely right, it would be much better to make both versions' default configuration files consistent.

For the record: in libmodsecurity3 the initial set step of that variable is here. (This is a "compiled" code (by Bison), the original part is here).

Would you mind sending a PR for v2 to fix this?

My side note: I'm not sure this rule makes sense; if the engine is in DetectionOnly mode (which is the default...!) then this rule does nothing... But of course we can start to discuss what would be the nice solution.

dune73 (Member) commented Sep 27, 2024

I'm not sure I get your argument about the engine. All the blocking recommended rules do nothing unless you put the engine in - well - blocking mode. So what's the difference here?

airween (Member) commented Sep 27, 2024

There is no difference, I just think it's a bit confusing that in the "recommended" configuration file we set the engine to "DetectionOnly" and add a rule without any notification that won't work after installation.

My other comment regarding this rule is that rule 200002 does (almost) the same (but in another way). If the SecArgumentsLimit is set (and it is here), then if the number of arguments has reached the limit, it sets the REQBODY_ERROR, which triggers rule 200002.

I really don't know whether rule 200007 is necessary. But it's not really disturbing, just my 2 cents.
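To make the interaction described in the comment above concrete, here is an added configuration fragment written for this edit; it is not a copy of the project's modsecurity.conf-recommended. SecRuleEngine, SecArgumentsLimit, REQBODY_ERROR and the &ARGS counting operator are real ModSecurity directives and variables; the rule bodies for ids 200002 and 200007 and the limit value 1000 are reconstructed assumptions of how such rules are typically written, not the project's exact text:

```apache
# Added illustration (assumption), not the contents of modsecurity.conf-recommended.

# Engine mode. With DetectionOnly (the default shipped in the recommended file),
# every "deny" below is only logged and never enforced. Set it to On to enforce.
SecRuleEngine DetectionOnly

# Cap the number of request arguments the engine will parse (1000 is an example value).
SecArgumentsLimit 1000

# Rule 200002: when request body parsing fails for any reason the engine sets
# REQBODY_ERROR. Reaching SecArgumentsLimit is one such failure, so this rule
# already covers the over-limit case.
SecRule REQBODY_ERROR "!@eq 0" "id:200002,phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# Rule 200007: reject a request whose parsed argument count reached the limit.
# This is the rule the thread asks whether to keep: it overlaps with 200002 and,
# like 200002, is a no-op while SecRuleEngine is DetectionOnly.
SecRule &ARGS "@ge 1000" "id:200007,phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count'"
```

Reading the fragment top to bottom shows both points made in the thread: the two rules fire on the same condition via different variables, and neither blocks anything until the engine mode is changed from the shipped default.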

airween (Member) commented Oct 2, 2024

@studersi, @dune73, @marcstern - what do you think guys, do we need rule 200007 in the recommended modsecurity.conf file? As I explained above I don't think it's necessary, but I don't want to decide alone. I will gladly create a PR if it's really needed.
