Description
Hi guys. I have a little proposal for ModSecurity that I want to discuss with you.
Background:
I am trying to move from ModSecurity 2.9 to ModSecurity 3.x and found some behaviour changes in the SecRuleRemove* directives.
In ModSecurity 2, SecRuleRemoveByTag and SecRuleRemoveByMsg took regular expressions. In 3.x the behaviour of these directives changed to checking for an exact string match. Based on this commentary: the reason for this change is performance issues with regular expressions. This is a good enough argument from my point of view, so this is fine.
But I ran into a small problem with SecRuleRemoveByMsg, and this is the basis for my proposal for ModSecurity:
I use the OWASP rule set. For several rules, removing with SecRuleRemoveByMsg can be problematic. The messages of these rules use request or ModSecurity data (like ${tx.real_ip} or %{TX.0}). You can check it in rules like 912170, 912171 or 920450.
So since ModSecurity expects an exact string match in SecRuleRemoveByMsg, I can't remove these rules with it, or can do so only for one IP address in the case of 912170, for example.
If I go on to use some other rule sets (the Comodo rule set is a good case), I will face the same problem but with a much larger number of rules.
Proposal:
I suggest that the SecRuleRemoveByMsg logic be changed to look for a substring. It seems like a pretty good compromise between an exact string match and a regular expression. This change gives a little more room for action when using the SecRuleRemoveByMsg directive. And as far as I can see, it doesn't have as big an impact on performance as regular expressions.
To do that, it seems not much needs to be changed in ModSecurity, only the condition over there.
If you agree that this idea is good enough, I could try to make a PR.
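To make the three matching modes concrete, here is an added example (not ModSecurity's code and not part of the original issue) that simulates how a message template with a %{tx.real_ip} macro is expanded per request and then checked against a SecRuleRemoveByMsg value under exact, substring and regex semantics. The template text and client IPs are constructed for illustration and are not the real text of rule 912170.

```python
import re

# Constructed sample: a message template that embeds a macro, expanded with
# request data before the event is logged (modelled on what the issue
# describes for rule 912170; not the rule's real message text).
MSG_TEMPLATE = "Potential Denial of Service (DoS) Attack from %{tx.real_ip}"


def expand(template: str, tx: dict) -> str:
    """Expand %{tx.<name>} macros from the transaction collection."""
    return re.sub(r"%\{tx\.(\w+)\}", lambda m: tx.get(m.group(1), ""), template)


def removed_by_msg(expanded_msg: str, pattern: str, mode: str) -> bool:
    """Would a SecRuleRemoveByMsg value suppress this event under each mode?"""
    if mode == "exact":        # ModSecurity 3.x behaviour described in the issue
        return expanded_msg == pattern
    if mode == "substring":    # the proposal
        return pattern in expanded_msg
    if mode == "regex":        # ModSecurity 2.x behaviour described in the issue
        return re.search(pattern, expanded_msg) is not None
    raise ValueError(f"unknown mode: {mode}")


def removal_coverage(pattern: str, mode: str, client_ips: list) -> list:
    """Return the client IPs whose events the directive value would suppress."""
    return [
        ip for ip in client_ips
        if removed_by_msg(expand(MSG_TEMPLATE, {"real_ip": ip}), pattern, mode)
    ]


if __name__ == "__main__":
    ips = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]  # constructed clients
    print(removal_coverage("Potential Denial of Service (DoS) Attack from 192.0.2.10", "exact", ips))
    print(removal_coverage("Potential Denial of Service (DoS) Attack from", "substring", ips))
    print(removal_coverage(r"Attack from 192\.0\.2\.", "regex", ips))
```

With exact matching only the one IP written into the directive is covered, which is the limitation the issue describes; the substring form covers every expansion of the template.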