ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
The official doc for modsecurity 2.x and 3.x for both SecRuleUpdateActionById and chain are errant. They lead to errant rule writing and/or exposing underlying modsecurity bugs. I request clarification/rewrite of at least these two sections of both 2.x and 3.x docs.
SecRuleUpdateActionById doesn't organize limitations/workarounds together; e.g. modsec 2.x SecRuleUpdateActionById on rule chains has a chain workaround (see issue above) and limitation (see issue above) and may have additional behavior/workaround changes in 3.x (I can't test 3.x)
chain has wrong language, e.g. "Non-disruptive rules" should be "Non-disruptive actions"
chain has wrong facts, e.g. "they [non-disruptive actions] will be executed if the rule that contains them matches and not only when the entire chain matches". That statement is false since it has been proven in 2.x (can't test myself in 3.x) that setvar does NOT "not only when the entire chain matches".
Coordinate chain with SecRuleUpdateActionById docs so they match each other's limitations/workarounds.
Docs problems of these areas exist in both 2.x and 3.x docs; sometimes similar, sometimes identical.
I recommend adding some rule + rule update examples to demonstrate how to use them correctly on each 2.x and 3.x. The issue above has premade examples.
Below is one suggestion for the 3.x docs.
Example 3.x docs for SecRuleUpdateActionById
...It has two limitations: it cannot be used to change the ID or phase of a rule. Only the actions that
can appear only once are overwritten. The actions that are allowed to appear multiple times in a list,
will be appended to the end of the list.
Example foo bar...
then 3 paragraphs and 2 examples under that is another limitation
Note : If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.
These need to be combined together. Perhaps something like
...It has limitations
1. it cannot be used to change the ID or phase of a rule.
2. Only the actions that can appear only once are overwritten. The actions that are allowed to appear
multiple times in a list, will be appended to the end of the list.
3. If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.
This is a tighter restriction than modsecurity 2.x.
Example foo bar...
The official doc for modsecurity 2.x and 3.x for both
SecRuleUpdateActionById
andchain
are errant. They lead to errant rule writing and/or exposing underlying modsecurity bugs. I request clarification/rewrite of at least these two sections of both 2.x and 3.x docs.This is a cascade issue from https://github.com/coreruleset/coreruleset/issues/3080#issuecomment-1374575642. I recommend reviewing that whole issue to understand the errant docs and gaps in information.
Doc Problems
SecRuleUpdateActionById
doesn't organize limitations/workarounds together; e.g. modsec 2.xSecRuleUpdateActionById
on rule chains has achain
workaround (see issue above) and limitation (see issue above) and may have additional behavior/workaround changes in 3.x (I can't test 3.x)chain
has wrong language, e.g. "Non-disruptive rules" should be "Non-disruptive actions"chain
has wrong facts, e.g. "they [non-disruptive actions] will be executed if the rule that contains them matches and not only when the entire chain matches". That statement is false since it has been proven in 2.x (can't test myself in 3.x) thatsetvar
does NOT "not only when the entire chain matches".chain
withSecRuleUpdateActionById
docs so they match each other's limitations/workarounds.Docs problems of these areas exist in both 2.x and 3.x docs; sometimes similar, sometimes identical. I recommend adding some rule + rule update examples to demonstrate how to use them correctly on each 2.x and 3.x. The issue above has premade examples.
Below is one suggestion for the 3.x docs.
Example 3.x docs for
SecRuleUpdateActionById
then 3 paragraphs and 2 examples under that is another limitation
These need to be combined together. Perhaps something like