Open RedXanadu opened 1 year ago
I see some merit in a 902 rule file. But I would like to postpone the discussion after 4.0. We need to think this through and it also touches on the idea of a CRS recommend rules file.
As discussed in this evening's team chat, the original PR that spawned this new issue will be closed, while this documentation issue will remain open so that we can have a rethink about the underlying problem post-CRS 4.0.
@RedXanadu Appreciate this approach. Glad it continues to stay on the table.
If completely replacing a CRS phase 1 rule (not just updating a rule target etc. but completely replacing a rule, i.e. the operator is being modified) then this cannot occur in the `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` file because any anomaly scoring will be wiped and set to 0 immediately afterwards when `REQUEST-901-INITIALIZATION.conf` executes. `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf` is also no good as the replacement rule needs to come before `REQUEST-949-BLOCKING-EVALUATION.conf`/`RESPONSE-959-BLOCKING-EVALUATION.conf` so that the replacement rule correctly contributes to anomaly scoring totals. Otherwise, things like early blocking mode can start to break.

Document corner case as a known issue.

Include two ideas as solutions: include a `REQUEST-902-CUSTOM-RULES-POST-INIT` file, or something similar, if there are going to be many such replacement rules.

Reference: https://github.com/coreruleset/coreruleset/pull/2878
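As an added illustration (not from the issue, the linked PR, or the CRS project itself), this is how a hypothetical `REQUEST-902-CUSTOM-RULES-POST-INIT.conf` could carry a replacement rule so that it runs after `REQUEST-901-INITIALIZATION.conf` has reset the anomaly score variables and before `REQUEST-949-BLOCKING-EVALUATION.conf` sums them. The rule ID, operator, match string and the `Include` path are constructed placeholders, and the variable name `tx.inbound_anomaly_score_pl1` assumes CRS 4 naming. One caveat the example makes explicit: removing the stock rule being replaced still belongs in `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf`, because `SecRuleRemoveById` only affects rules that are already defined at the point where it appears.

```apache
# Added example, not CRS or issue code. Assumes CRS 4 variable names and
# that the rule files are loaded with a wildcard Include such as
#   Include /etc/crs4/rules/*.conf          (path is a placeholder)
# Files load in name order, so a hypothetical
# REQUEST-902-CUSTOM-RULES-POST-INIT.conf sits between
# REQUEST-901-INITIALIZATION.conf (scores reset to 0) and
# REQUEST-949-BLOCKING-EVALUATION.conf (scores summed and evaluated).

# ---- REQUEST-902-CUSTOM-RULES-POST-INIT.conf (hypothetical file) ----
# Replacement for a stock phase 1 rule whose operator is being changed.
# Rule ID (local range), operator and match string are constructed.
SecRule REQUEST_HEADERS:User-Agent "@pm placeholder-client-name" \
    "id:10902,\
    phase:1,\
    block,\
    t:none,t:lowercase,\
    msg:'Replacement for a stock phase 1 rule (constructed example)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'local-replacement',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Because this file loads after 901, the score increment above is not
# wiped by the initialization rules, and because it loads before 949 the
# increment is included in the totals that early blocking and the final
# anomaly evaluation act on. The same rule placed in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf would add to a score that
# 901 then resets; placed in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# it would add to a score that 949/959 have already evaluated.

# ---- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ----
# Disabling the original stock rule stays in the post-CRS file:
# SecRuleRemoveById only removes rules already defined when it is read,
# so it cannot go in the 902 file. 999999 is a placeholder for the ID
# of the stock rule being replaced.
SecRuleRemoveById 999999
```

When testing this layout, confirm the replacement rule's score actually reaches the blocking evaluation: with the CRS debug or audit log enabled, the 949/959 rules should report an inbound anomaly score that includes the replacement rule's contribution, and the stock rule should no longer appear in the matched rule list.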