There are three aspects of the ModSecurity Rule Language we are not very happy with. One comes from a wrong design decision (my own), with further two from constraints of working within the framework of Apache. All three break the principle of the intuitive action being the expected one. I am going to document them here and explain how we are planning to mitigate them in future versions:
SecRule T1 K1 chain,log,block,setvar:tx.counter=+1In the example above the counter will be incremented if the first rule matches even if the chain doesn't. The blocking action, although defined with the same rule, would only be processed if both the first rule and the second rule match.
SecRule T2 K2
SecDefaultAction
is valid only for the configuration context in which it is used and is not inherited in child contexts. Configuration contexts are an Apache feature and they come with limitations, one of which is causing this problem.
SecDefaultAction log,denyIn the above example, the first rule blocks, but the second one just uses the ModSecurity defaults and only warns and lets requests through.
SecRule T1 K1
<Location /some/other/path>
SecRule T2 K2
</Location>
SecDefaultAction
directive might be made obsolete in the next major version because we don't like it much. In retrospective, it was a wrong choice too. It is good practice to write rules to be self-contained. That way they will be easier to understand and maintain, and you don't risk configuration errors due to something being changed in the configuration elsewhere.<VirtualHost>
cannot hold phase 1 rules. Again, this is a limitation of the current implementation that relies on Apache for configuration functionality.