Artur Martins

Reputation: 41

ModSecurity: Are rules executed by rule ID ascending order?

I'm creating my custom mod-security rules and I have a question about whether the rule ID affects the order in which rules are executed.

My current setup is:

My rule is:

<IfModule mod_security2.c>
# block all GET requests - learning purposes only
SecRule REQUEST_METHOD "^(GET)$" \
    "phase:1,t:none,auditlog,block,id:1001,rev:2,tag:HARDENING"
</IfModule>

Disclaimer: it's a simple rule and probably not optimal since I'm still learning. Suggestions are welcome.

So, my question came to me after I analyzed the debug file (level 9 activated):

[...]
[4] Recipe: Invoking rule 7f157a85da30; [file "/etc/apache2/conf.d/modsecurity-activated-rules.conf"] [line "11"] [id "1001"] [rev "2"].
[5] Rule 7f157a85da30: SecRule "REQUEST_METHOD" "@rx ^(GET)$" "phase:1,log,t:none,auditlog,block,id:1001,rev:2,tag:HARDENING"
[4] Transformation completed in 4 usec.
[4] Executing operator "rx" with param "^(GET)$" against REQUEST_METHOD.
[9] Target value: "GET"
[6] Ignoring regex captures since "capture" action is not enabled.
[4] Operator completed in 36 usec.
[2] Warning. Pattern match "^(GET)$" at REQUEST_METHOD. [file "/etc/apache2/conf.d/modsecurity-activated-rules.conf"] [line "11"] [id "1001"] [rev "2"] [tag "HARDENING"]
[4] Rule returned 1.
[04/Sep/2012:09:30:27 +0000] [107.21.159.51/sid#7f157a854510][rid#7f1573fcf0a0][/poll/13456492248275482/vote/yes][9] Match -> mode NEXT_RULE.
[4] Recipe: Invoking rule 7f157a85e648; [file "/etc/apache2/conf.d/modsecurity.conf"] [line "24"] [id "200000"].
[5] Rule 7f157a85e648: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[...]

As the debug lines show, my rule (id:1001) was executed before rule (id:200000), even though my rule is read after the 20000x ones.

I thought that IDs don't really matter for the order of rule execution, since the OWASP ModSecurity Core Rule Set https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project has rule IDs between 950000 and 990000 and there is no info about rule ID ranges for specific attacks: SQLi, XSS, etc.

With the above, my questions are:

  1. Is the rule execution order determined by ID number (smallest number gets executed first)?
  2. Is there any documentation defining which rule ID ranges should be used for custom rules? I'm looking for something like:
    • Mod-security main rules: 200.000 - 200.xxx
    • OWASP ModSecurity Core Rule Set: 950.000 - 999.xxx
    • Custom rules: 1.000.000 - 9.xxx.xxx

Thanks for your time.

Upvotes: 2

Views: 6079

Answers (3)

gryzli

Reputation: 11

The RIGHT answer is that ModSecurity executes the rules in the order they are defined in your Apache config.

The only ordering ModSecurity applies by itself is the phase: ordering, which ensures that rules are executed by phase.

Example:

  1. First execute all rules from phase:1 (in the order they are written inside the config)
  2. Next execute all rules from phase:2 (in the order they are written inside the config)
  3. etc...

Upvotes: 1
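To make "by phase, then config order" concrete, here is an added Python sketch (not from this answer and not ModSecurity's own code) that parses a constructed config laid out like the question's two files and returns the rule ids in evaluation order; it assumes ModSecurity 2.x behaviour, where a rule with no phase action runs in phase 2.

```python
import re
from collections import defaultdict

# Constructed sample config: the asker's rule (id 1001) sits in a file Apache
# reads first, the stock 200000 rule follows, then two phase-2 rules. The ids
# are deliberately out of order so id and file position can be told apart.
SAMPLE_CONFIG = r'''
# /etc/apache2/conf.d/modsecurity-activated-rules.conf
SecRule REQUEST_METHOD "^(GET)$" \
    "phase:1,t:none,auditlog,block,id:1001,rev:2,tag:HARDENING"
SecRule ARGS "@rx select" "phase:2,id:950001,deny"
# /etc/apache2/conf.d/modsecurity.conf
SecRule REQUEST_HEADERS:Content-Type "@rx text/xml" \
    "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule ARGS:q "@contains union" "id:1002,pass"
'''

DEFAULT_PHASE = 2  # assumption: ModSecurity 2.x runs a rule with no phase action in phase 2

def parse_rules(config):
    """Return (line_no, id, phase) in file order, joining backslash continuations."""
    logical, buf, start = [], [], None
    for n, line in enumerate(config.splitlines(), 1):
        start = n if start is None else start
        text = line.rstrip()
        if text.endswith("\\"):           # directive continues on the next line
            buf.append(text[:-1])
            continue
        buf.append(text)
        logical.append((start, " ".join(buf)))
        buf, start = [], None
    rules = []
    for n, text in logical:
        if not text.lstrip().startswith("SecRule"):
            continue                      # comments, blank lines, other directives
        rid = re.search(r"\bid:(\d+)", text)
        phase = re.search(r"\bphase:(\d+)", text)
        rules.append((n, int(rid.group(1)) if rid else None,
                      int(phase.group(1)) if phase else DEFAULT_PHASE))
    return rules

def execution_order(config):
    """Ids in the order ModSecurity evaluates them: by phase, then file order.
    The id is only a label; it never influences the ordering."""
    by_phase = defaultdict(list)
    for _, rid, phase in parse_rules(config):
        by_phase[phase].append(rid)
    return [rid for phase in sorted(by_phase) for rid in by_phase[phase]]
```

The same file order explains the debug log in the question: Apache includes wildcard-matched files alphabetically, and `-` sorts before `.`, so conf.d/modsecurity-activated-rules.conf is read, and its phase:1 rule evaluated, before conf.d/modsecurity.conf.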

Ali Ahmad

Reputation: 1055

ModSecurity supports two types of rule models: the positive security model and the negative security model. The negative security model supports signature-based detection, and the ordering of rules matters when you want to skip rules using the skip or skipAfter keyword to avoid resource-intensive regex-based pattern matching. Secondly, the order of rules based on rule id is not absolute; it can be changed by the rule engine dynamically, i.e. a rule with phase 1 will always be executed first. I recommend a read of the ModSecurity Handbook, a good start for a beginner.

The second type of rule is the positive security model, in which order does not matter, as counters are maintained to detect anomalies and rules are triggered if thresholds are exceeded.

Upvotes: 0

4ft35t

Reputation: 148

  1. A rule can have no id. But if it has one, at the same phase, just like your question:

    smallest number gets executed first

    Only at the same phase!

  2. Maybe the business rules define those ids. https://ssl.trustwave.com/web-application-firewall

Upvotes: 0
