Atomic Secure Linux
 Post subject: taming mod_security rules
Unread postPosted: Fri Apr 22, 2005 7:36 am 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1876
There's a big drawback with mod_security, in that you cannot disable a single or specific set of rules on a per vhost basis. All you can do is disable all rules for that vhost, and then specify an alternative set.

Under some circumstances this is fine. But in my case it is a headache because there's one particular rule that I need to disable for one particular vhost. It does not appear to be a particularly important rule - it is marked as experimental, so to keep life simple I'm simply commenting it out for all sites.

But because Mike seems to be updating his rules on gotroot on an almost daily basis, each time a new ruleset is published I manually download it, edit it to comment out that rule, then get mod_sec to use the new ruleset.

The trouble is that I want to automate the process, and obviously I can't do so because of this.

So I'm looking for solutions here: Is there an easy way, via a shell script, to automate the process of looking at a file, and deleting a particular string (i.e. the rule in question)? I expect I could put together a php file to do so, but what I'm really looking for is a magic program solution that uses standard shell commands/progs. Sort of: cat rules.conf > magicprogram "string containing the rule I want to remove" > name-of-file-for-modified-rules

In this way I could either apply this to the global rules file, or use the full set of rules for the server in general, and use the modified ruleset for the individual vhost that needs that rule removed.


[thinking outloud mode]
Of course the ideal solution would be for mod_security to have a mechanism for disabling particular rules. The only reliable way I can see of doing this is via an optional numbered or named rule system that would work in a way similar to the chain command.

So in the rules definitions, you'd have something like this

RuleByName xss-ruleX chain
[normal rule syntax]

Then for a particular vhost or location, being allowed to issue something like:
IgnoreRule xss-ruleX

To make it compatible with older rulesets, I suppose this would require a special comment type, where #RuleByName and #IgnoreRule would not be treated as a comment but as a special command (adding two ## would really comment them out). Thus those users not using a version of mod_security that has these new features would still be able to use the rules without modification.

Hmmm....
[/thinking outloud mode]

Faris.
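One way to build the "magic program" asked for above, as an added example that is not code from the thread or from Atomicorp: a POSIX shell function that strips every rule containing a given literal string from a mod_security 1.x rules file (or stdin), including rules continued across lines with a trailing backslash. The sample ruleset it ships with is constructed for the demonstration, not the gotroot ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread or from Atomicorp.
# drop_rule NEEDLE [FILE]: print FILE (or stdin) with every rule whose text
# contains the literal string NEEDLE removed. Assumes mod_security 1.x style
# rules, one per line, optionally continued with a trailing backslash (which
# Apache joins before parsing). A comment line above the rule is left alone.
drop_rule() {
    # Pass NEEDLE through the environment rather than awk -v: -v expands
    # escape sequences, which would mangle backslashes in a rule pattern.
    NEEDLE="$1" awk '
        BEGIN { needle = ENVIRON["NEEDLE"] }
        {
            # Accumulate one logical rule; "\" at end of line continues it.
            buf = (buf == "" ? $0 : buf "\n" $0)
            if ($0 ~ /\\[ \t]*$/) next
            # Literal match via index(), so regex metacharacters in the
            # rule need no escaping.
            if (index(buf, needle) == 0) print buf
            buf = ""
        }
        END { if (buf != "" && index(buf, needle) == 0) print buf }
    ' ${2:+"$2"}
}

# Constructed sample in mod_security 1.x syntax; it is not the gotroot ruleset.
sample_rules() {
    cat <<'EOF'
# constructed sample ruleset
SecFilterEngine On
SecFilterSelective THE_REQUEST "\.\./\.\./"
# experimental rule that one vhost cannot live with
SecFilterSelective ARGS "<script" \
    "deny,log,status:403"
SecFilterSelective REQUEST_URI "/etc/passwd"
EOF
}

# Typical use, run after each ruleset download:
#   drop_rule 'ARGS "<script"' < rules.conf > rules-for-vhost.conf
```

The untouched download stays as the server-wide ruleset; only the vhost that needs the exception points at the filtered copy.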
 Post subject: working on it
Unread postPosted: Fri Apr 22, 2005 9:21 am 
Glad you asked Faris. :-)

We're adding a solution for this to the ASL channel shortly. It will allow you to exclude rules for vhosts, etc. and to do it with fully automated installation of new rules.

 Post subject:
Unread postPosted: Sat Apr 23, 2005 3:45 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1876
Most excellent. I look forward to seeing it. You guys are mind readers.

Faris.