Why is SecDefaultAction defined twice by default?

Andrew Howe

Apr 12, 2021, 1:34:14 PM
to modsecurity-core...@owasp.org
Hi everyone,

I'm trying to understand part of the default configuration in
"crs-setup.conf.example".

In the section "Mode of Operation", which defines the default action
list, it states that:
"...you must specify the same line for phase:1 and phase:2."

The default, uncommented option is:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

Why is the SecDefaultAction directive defined twice? Doesn't the
second definition immediately override the first definition? If so,
why keep the first, "phase:1" directive?

Alternatively, is there something going on here with configuration
contexts/inheritance? I can't quite see it.

Any help would be greatly appreciated!

Thanks,
Andrew

--

Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064

Christian Folini

Apr 12, 2021, 4:45:47 PM
to Andrew Howe, modsecurity-core...@owasp.org
Hey Andrew,

ModSecurity keeps a _separate_ default action for the different phases.
The important bit here is that the disruptive action is defined as pass (vs
deny).

Best,

Christian
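
An added example, not part of the original thread or of the CRS project's code: a small Python check that models the per-phase default action described in the reply above and verifies that phase:1 and phase:2 carry the same action list, as crs-setup.conf.example requires. The function names and the simple comma split (no quoted action arguments, numeric phases only) are assumptions of this sketch.

```python
import re

# SecDefaultAction "phase:1,log,auditlog,pass"  (surrounding quotes optional)
DIRECTIVE = re.compile(r'^\s*SecDefaultAction\s+"?([^"\n]+?)"?\s*$', re.IGNORECASE)
DISRUPTIVE = {"pass", "deny", "drop", "block", "allow", "redirect", "proxy"}

def parse_default_actions(conf_text):
    """Return {phase: [action_list, ...]}, one entry per SecDefaultAction line."""
    by_phase = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines start with '#': no match
        if not m:
            continue
        # Simplification: plain comma split, no quoted action arguments.
        actions = [a.strip() for a in m.group(1).split(",") if a.strip()]
        phases = [a.split(":", 1)[1] for a in actions if a.lower().startswith("phase:")]
        rest = [a for a in actions if not a.lower().startswith("phase:")]
        by_phase.setdefault(phases[0] if phases else None, []).append(rest)
    return by_phase

def disruptive_action(by_phase, phase):
    """Disruptive action of the last definition for a phase, or None."""
    for action in by_phase.get(phase, [[]])[-1]:
        if action.split(":", 1)[0].lower() in DISRUPTIVE:
            return action
    return None

def check(conf_text):
    """Findings for phase 1 and 2; an empty list means the two lines agree."""
    by_phase = parse_default_actions(conf_text)
    findings = []
    for phase in ("1", "2"):
        count = len(by_phase.get(phase, []))
        if count == 0:
            findings.append(f"no SecDefaultAction for phase:{phase}")
        elif count > 1:
            findings.append(f"phase:{phase} defined {count} times")
    if not findings and by_phase["1"][0] != by_phase["2"][0]:
        findings.append("phase:1 and phase:2 action lists differ")
    return findings

# Constructed sample input: the two default lines quoted in the thread.
SAMPLE = '''
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
'''

if __name__ == "__main__":
    print(check(SAMPLE) or "phase 1 and phase 2 default actions match")
```
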

Andrew Howe

Apr 13, 2021, 6:39:02 AM
to Christian Folini, modsecurity-core...@owasp.org
Hi Christian,

A-hah, that makes a lot of sense, now.

Thanks for your help!

Thanks,
Andrew


On Mon, 12 Apr 2021 at 21:45, Christian Folini
<christia...@netnea.com> wrote:
>
> Hey Andrew,
>
> ModSecurity keeps a _separate_ default action for the different phases.
> The important bit here is that the disruptive action is defined as pass (vs
> deny).
>
> Best,
>
> Christian
>

Christian Folini

Apr 13, 2021, 7:03:58 AM
to Andrew Howe, modsecurity-core...@owasp.org
On Tue, Apr 13, 2021 at 11:38:45AM +0100, Andrew Howe wrote:
> Hi Christian,
>
> A-hah, that makes a lot of sense, now.
>
> Thanks for your help!

You are most welcome. Good luck!

Christian