Description
Describe the bug
I want to remove a couple of rules conditionally with a range operation like ctl:ruleRemoveById=913100-913105. This has previously worked fine with Apache httpd 2.4 (ModSecurity v2) but does not with nginx 1.14.1 (ModSecurity v3.0.3). I have experimented with different ranges and removing the rules individually, and that works mostly. But some ranges do not lead to the exclusion of some rules.
The rule I'm looking at specifically is 913103.
This does not work:
SecRule REQUEST_HEADERS:User-Agent "@beginsWith munin" \
"id:1001,phase:request,pass,nolog,chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
"chain"
SecRule REQUEST_URI "@beginsWith /nginx_status" \
"id:1001,phase:request,pass,nolog,t:none,\
ctl:ruleRemoveById=913102-913105"
This does work:
SecRule REQUEST_HEADERS:User-Agent "@beginsWith munin" \
"id:1001,phase:request,pass,nolog,chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
"chain"
SecRule REQUEST_URI "@beginsWith /nginx_status" \
"id:1001,phase:request,pass,nolog,t:none,\
ctl:ruleRemoveById=913103-913105"
Logs and dumps
Output of:
- DebugLogs (level 9)
This is the output I get with the rule 913103 excluded:
[154222867534.737757] [/nginx_status] [4] Starting phase REQUEST_BODY. (SecRules 2)
[154222867534.737757] [/nginx_status] [9] This phase consists of 167 rule(s).
[154222867534.737757] [/nginx_status] [4] (Rule: 1001) Executing operator "BeginsWith" with param "/nginx_status" against REQUEST_URI.
[154222867534.737757] [/nginx_status] [9] Target value: "/nginx_status" (Variable: REQUEST_URI)
[154222867534.737757] [/nginx_status] [9] Matched vars updated.
[154222867534.737757] [/nginx_status] [4] Rule returned 1.
[154222867534.737757] [/nginx_status] [9] Running action: log
[154222867534.737757] [/nginx_status] [9] Saving transaction to logs
[154222867534.737757] [/nginx_status] [9] Running action: auditlog
[154222867534.737757] [/nginx_status] [9] Running action: nolog
[154222867534.737757] [/nginx_status] [9] Running action: ctl
[154222867534.737757] [/nginx_status] [4] Running (disruptive) action: pass.
[154222867534.737757] [/nginx_status] [8] Running action pass
[154222867534.737757] [/nginx_status] [9] Running action: log
[154222867534.737757] [/nginx_status] [9] Saving transaction to logs
[154222867534.737757] [/nginx_status] [9] Running action: auditlog
[154222867534.737757] [/nginx_status] [9] Running action: log
[154222867534.737757] [/nginx_status] [9] Saving transaction to logs
[154222867534.737757] [/nginx_status] [9] Running action: auditlog
[154222867534.737757] [/nginx_status] [9] Running action: nolog
[154222867534.737757] [/nginx_status] [9] Running action: auditlog
[154222867534.737757] [/nginx_status] [4] Running (disruptive) action: pass.
[154222867534.737757] [/nginx_status] [8] Running action pass
[154222867534.737757] [/nginx_status] [9] Rule id: 913103 was skipped due to a ruleRemoveById action...
[154222867534.737757] [/nginx_status] [4] (Rule: 913104) Executing operator "PmFromFile" with param "crawlers-user-agents.data" against REQUEST_HEADERS:User-Agent.
And this is the output I get when the rule isn't being excluded:
[154222993640.067514] [/nginx_status] [4] Starting phase REQUEST_BODY. (SecRules 2)
[154222993640.067514] [/nginx_status] [9] This phase consists of 167 rule(s).
[154222993640.067514] [/nginx_status] [4] (Rule: 1000) Executing operator "BeginsWith" with param "/.well-known/acme-challenge/" against REQUEST_URI.
[154222993640.067514] [/nginx_status] [9] Target value: "/nginx_status" (Variable: REQUEST_URI)
[154222993640.067514] [/nginx_status] [4] Rule returned 0.
[154222993640.067514] [/nginx_status] [9] Matched vars cleaned.
[154222993640.067514] [/nginx_status] [4] (Rule: 1001) Executing operator "BeginsWith" with param "munin" against REQUEST_HEADERS:User-Agent.
[154222993640.067514] [/nginx_status] [9] Target value: "munin/2.0.33-1 (libwww-perl/6.15)" (Variable: REQUEST_HEADERS:User-Agent)
[154222993640.067514] [/nginx_status] [9] Matched vars updated.
[154222993640.067514] [/nginx_status] [4] Rule returned 1.
[154222993640.067514] [/nginx_status] [4] Executing chained rule.
[154222993640.067514] [/nginx_status] [4] (Rule: 0) Executing operator "IpMatch" with param "127.0.0.1" against REMOTE_ADDR.
[154222993640.067514] [/nginx_status] [9] Target value: "127.0.0.1" (Variable: REMOTE_ADDR)
[154222993640.067514] [/nginx_status] [9] Matched vars updated.
[154222993640.067514] [/nginx_status] [4] Rule returned 1.
[154222993640.067514] [/nginx_status] [4] Executing chained rule.
[154222993640.067514] [/nginx_status] [4] (Rule: 1001) Executing operator "BeginsWith" with param "/nginx_status" against REQUEST_URI.
[154222993640.067514] [/nginx_status] [9] Target value: "/nginx_status" (Variable: REQUEST_URI)
[154222993640.067514] [/nginx_status] [9] Matched vars updated.
[154222993640.067514] [/nginx_status] [4] Rule returned 1.
[154222993640.067514] [/nginx_status] [9] Running action: log
[154222993640.067514] [/nginx_status] [9] Saving transaction to logs
[154222993640.067514] [/nginx_status] [9] Running action: auditlog
[154222993640.067514] [/nginx_status] [9] Running action: nolog
[154222993640.067514] [/nginx_status] [9] Running action: ctl
[154222993640.067514] [/nginx_status] [4] Running (disruptive) action: pass.
[154222993640.067514] [/nginx_status] [8] Running action pass
[154222993640.067514] [/nginx_status] [9] Running action: log
[154222993640.067514] [/nginx_status] [9] Saving transaction to logs
[154222993640.067514] [/nginx_status] [9] Running action: auditlog
[154222993640.067514] [/nginx_status] [9] Running action: log
[154222993640.067514] [/nginx_status] [9] Saving transaction to logs
[154222993640.067514] [/nginx_status] [9] Running action: auditlog
[154222993640.067514] [/nginx_status] [9] Running action: nolog
[154222993640.067514] [/nginx_status] [9] Running action: auditlog
[154222993640.067514] [/nginx_status] [4] Running (disruptive) action: pass.
[154222993640.067514] [/nginx_status] [8] Running action pass
[154222993640.067514] [/nginx_status] [4] (Rule: 913103) Executing operator "PmFromFile" with param "scripting-user-agents.data" against REQUEST_HEADERS:User-Agent.
[154222993640.067514] [/nginx_status] [9] T (0) t:lowercase: "munin/2.0.33-1 (libwww-perl/6.15)"
[154222993640.067514] [/nginx_status] [9] Target value: "munin/2.0.33-1 (libwww-perl/6.15)" (Variable: REQUEST_HEADERS:User-Agent)
[154222993640.067514] [/nginx_status] [7] Added pm match TX.0: libwww-perl
[154222993640.067514] [/nginx_status] [9] Matched vars updated.
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: TX:msg with value: Found User-Agent associated with scripting/generic HTTP client
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: TX:anomaly_score with value: 5
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: TX:-OWASP_CRS/AUTOMATION/SCRIPTING-REQUEST_HEADERS:User-Agent with value: munin/2.0.33-1 (libwww-perl/6.15)
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: TX:-OWASP_CRS/AUTOMATION/SCRIPTING-REQUEST_HEADERS:User-Agent with value: munin/2.0.33-1 (libwww-perl/6.15)
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: IP:reput_block_flag with value: 1
[154222993640.067514] [/nginx_status] [4] Running [independent] (non-disruptive) action: setvar
[154222993640.067514] [/nginx_status] [8] Saving variable: IP:reput_block_reason with value: Found User-Agent associated with scripting/generic HTTP client
[154222993640.067514] [/nginx_status] [9] This rule severity is: 2 current transaction is: 255
[154222993640.067514] [/nginx_status] [9] Saving msg: Found User-Agent associated with scripting/generic HTTP client
[154222993640.067514] [/nginx_status] [4] Rule returned 1.
[154222993640.067514] [/nginx_status] [9] Running action: log
[154222993640.067514] [/nginx_status] [9] Saving transaction to logs
[154222993640.067514] [/nginx_status] [9] Running action: auditlog
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: application-multi
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: language-multi
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: platform-multi
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: attack-reputation-scripting
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: OWASP_CRS/AUTOMATION/SCRIPTING
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: WASCTC/WASC-21
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: OWASP_TOP_10/A7
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: PCI/6.5.10
[154222993640.067514] [/nginx_status] [4] Running (non-disruptive) action: tag
[154222993640.067514] [/nginx_status] [9] Rule tag: paranoia-level/2
[154222993640.067514] [/nginx_status] [9] Running action: block
[154222993640.067514] [/nginx_status] [8] Marking request as disruptive.
[154222993640.067514] [/nginx_status] [8] Running action pass
[154222993640.067514] [/nginx_status] [9] Running action: expirevar
[154222993640.067514] [/nginx_status] [4] (Rule: 913104) Executing operator "PmFromFile" with param "crawlers-user-agents.data" against REQUEST_HEADERS:User-Agent.
- AuditLogs
nothing interesting
- Error logs
nothing interesting
- If there is a crash, the core dump file.
none
To Reproduce
Steps to reproduce the behavior:
- add the following block to the exclude-before file
SecRule REQUEST_HEADERS:User-Agent "@beginsWith munin" \
"id:1001,phase:request,pass,nolog,chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
"chain"
SecRule REQUEST_URI "@beginsWith /nginx_status" \
"id:1001,phase:request,pass,nolog,t:none,\
ctl:ruleRemoveById=913102-913105"
$ curl -A "munin/2.0.33-1 (libwww-perl/6.15)" 127.0.0.1/nginx-status
Expected behavior
Request should not be blocked by rule 913103
Server (please complete the following information):
- ModSecurity version (and connector): ModSecurity v3.0.3 with nginx-connector master (fc061a57a8b0abda79b17cbe103d78db803fa575)
- WebServer: nginx-1.14.1
- OS (and distro): Linux, Debian 9 (stretch)
Rule Set (please complete the following information):
- Running any public or commercial rule set? OWASP CRS
- What is the version number? 302
Additional context
none
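As an added check, not part of the original report and not code from the ModSecurity project: the script below expands a ctl:ruleRemoveById value into the set of rule ids it should cover and then walks a level-9 debug log of one transaction, reporting which of those ids the engine logged as skipped and which still executed after the ctl action ran. Run over excerpts modelled on the two captures above (the lines are constructed copies of the page's own log lines), it reports 913103 executing under the 913102-913105 range and skipped under 913103-913105; in both captures it also flags 913104, which the logs show executing although it lies inside both ranges. The comma-separated list form accepted by parse_remove_ids is an assumption of the example; the page only shows a single lo-hi range.

```python
import re

# Added example for auditing ModSecurity v3 debug logs against a
# ctl:ruleRemoveById range. Not the reporter's code and not part of ModSecurity.

# Patterns taken from the message formats visible in the report's debug log.
EXEC_RE = re.compile(r"\(Rule: (\d+)\) Executing operator")
SKIP_RE = re.compile(r"Rule id: (\d+) was skipped due to a ruleRemoveById action")
CTL_RE = re.compile(r"Running action: ctl\b")


def parse_remove_ids(spec):
    """Expand the value given to ctl:ruleRemoveById into a set of rule ids.

    Accepts a single id ("913103") and an inclusive range ("913102-913105");
    a comma-separated list of either is an assumption of this example.
    """
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"range bounds reversed: {part}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def audit_debug_log(lines, removed):
    """Return (leaked, skipped) for one transaction's debug-log lines.

    leaked:  ids in `removed` whose operator still executed after the ctl ran
    skipped: ids the engine itself reported as skipped by ruleRemoveById
    Rules evaluated before the ctl action are not counted as leaks: the
    exclusion only applies from that point in the transaction onward.
    """
    leaked, skipped = [], []
    ctl_seen = False
    for line in lines:
        if CTL_RE.search(line):
            ctl_seen = True
            continue
        m = SKIP_RE.search(line)
        if m:
            skipped.append(int(m.group(1)))
            continue
        m = EXEC_RE.search(line)
        if m and ctl_seen:
            rid = int(m.group(1))
            if rid in removed:
                leaked.append(rid)
    return leaked, skipped


# Constructed excerpts copied from the two captures in the report.
LOG_NOT_EXCLUDED = [  # ctl:ruleRemoveById=913102-913105
    '[154222993640.067514] [/nginx_status] [4] (Rule: 1001) Executing operator "BeginsWith" with param "/nginx_status" against REQUEST_URI.',
    '[154222993640.067514] [/nginx_status] [9] Running action: ctl',
    '[154222993640.067514] [/nginx_status] [4] Running (disruptive) action: pass.',
    '[154222993640.067514] [/nginx_status] [4] (Rule: 913103) Executing operator "PmFromFile" with param "scripting-user-agents.data" against REQUEST_HEADERS:User-Agent.',
    '[154222993640.067514] [/nginx_status] [4] (Rule: 913104) Executing operator "PmFromFile" with param "crawlers-user-agents.data" against REQUEST_HEADERS:User-Agent.',
]
LOG_EXCLUDED = [  # ctl:ruleRemoveById=913103-913105
    '[154222867534.737757] [/nginx_status] [4] (Rule: 1001) Executing operator "BeginsWith" with param "/nginx_status" against REQUEST_URI.',
    '[154222867534.737757] [/nginx_status] [9] Running action: ctl',
    '[154222867534.737757] [/nginx_status] [4] Running (disruptive) action: pass.',
    '[154222867534.737757] [/nginx_status] [9] Rule id: 913103 was skipped due to a ruleRemoveById action...',
    '[154222867534.737757] [/nginx_status] [4] (Rule: 913104) Executing operator "PmFromFile" with param "crawlers-user-agents.data" against REQUEST_HEADERS:User-Agent.',
]

if __name__ == "__main__":
    for name, log, spec in (("913102-913105", LOG_NOT_EXCLUDED, "913102-913105"),
                            ("913103-913105", LOG_EXCLUDED, "913103-913105")):
        leaked, skipped = audit_debug_log(log, parse_remove_ids(spec))
        print(f"range {name}: skipped={skipped} executed despite removal={leaked}")
```

Feed it a full transaction's debug log (split on newlines) and the ctl value from the exclusion rule; an empty leaked list is the expected result when the range is honoured.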