mod-security

Meaning of exclamation mark in ModSecurity Rules


Can someone help explain to me what the exclamation mark does in a ModSecurity rule like this:

SecRuleUpdateTargetById 932100 "!ARGS:foo"

How can someone read and interpret "!ARGS:foo" vs "ARGS:foo" when reading and crafting that rule?

When testing the difference, the rule with the exclamation mark gives me the results I want by not applying that Rule Id when that argument is present.

I've referenced the documentation here https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#args_names and have tried to glean what I could from other examples, but perhaps different wording would help break it down.

Many thanks for the help!

------ edit ------
Thank you for the explanation so far.

How come the "equivalent" rule written in the BEFORE exclusions does not have the "exclamation mark"?

SecRule REQUEST_URI "@streq /my/endpoint" \
    "id:0003, \
    phase:2, \
    pass, \
    nolog, \
    ctl:ruleRemoveTargetById=931130;ARGS:foo"

Solution

  • It means “Not” and in this example is used to exclude certain arguments.

    So the following:

    SecRuleUpdateTargetById 932100 "!ARGS:foo"

    Changes rule 932100 to look at all the Targets specified in the rule except argument foo.

    This is usually done because argument foo often causes this rule to fire incorrectly. Your options are therefore to turn this rule off completely, or to exclude this argument from being checked by that rule. The latter is usually the better option as it means the rule is still in place for the other arguments and so is still providing most of its protection.

    How come the "equivalent" rule written in the BEFORE exclusions [(ctl:ruleRemoveTargetById)] does not have the "exclamation mark"?

    That is because they are not strictly “equivalent”. SecRuleUpdateTargetById updates the Target by adding to the rule, while ctl:ruleRemoveTargetById removes bits from the Target. If there were a SecRuleRemoveTargetById then they would be more equivalent, but there is not. In fact the ModSecurity Reference manual even addresses this question:

    1. ruleRemoveTargetById - since this action is used to just remove targets, users don't need to use the char ! before the target list.

    Why they decided to implement ctl:ruleRemoveTargetById instead of ctl:ruleUpdateTargetById, I can’t say.
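As an added illustration (not code from the question, the answer, or ModSecurity itself), here is a small Python model of how a rule's target list with "!" exclusions resolves against a request. It assumes only the ARGS and ARGS_NAMES collections, applies targets in list order, and models ctl:ruleRemoveTargetById as marking its targets negated; it shows that the appended "!ARGS:foo" and the removed "ARGS:foo" leave the same variables to inspect, and that ARGS_NAMES:foo is still checked either way.

```python
"""Simplified model of ModSecurity v2 target-list resolution (illustration only,
not ModSecurity source). Models ARGS/ARGS_NAMES, the ':name' selector and the
'!' exclusion prefix, evaluated in list order (an assumption of this model)."""


def parse_targets(spec):
    """Split 'ARGS|!ARGS:foo' into a list of (negated, collection, selector)."""
    out = []
    for item in spec.split("|"):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        collection, _, selector = item.partition(":")
        out.append((negated, collection, selector or None))
    return out


def resolve(targets, args):
    """Return the sorted 'COLLECTION:name' variables the rule would inspect.

    `args` is a dict of request arguments. Positive targets add variables,
    negated targets remove them ("include, then exclude")."""
    selected = set()
    for negated, collection, selector in targets:
        if collection not in ("ARGS", "ARGS_NAMES"):
            raise ValueError("unsupported collection in this model: " + collection)
        names = [n for n in args if selector in (None, n)]
        variables = {f"{collection}:{n}" for n in names}
        selected = selected - variables if negated else selected | variables
    return sorted(selected)


def update_target_by_id(rule_targets, update_spec):
    """SecRuleUpdateTargetById: append the (possibly negated) targets to the rule."""
    return rule_targets + parse_targets(update_spec)


def rule_remove_target_by_id(rule_targets, remove_spec):
    """ctl:ruleRemoveTargetById: listed targets are exclusions, so no '!' is
    needed; the model marks each one negated before appending it."""
    return rule_targets + [(True, c, s) for _, c, s in parse_targets(remove_spec)]


# Constructed sample request: 'foo' is the argument that triggers false positives.
SAMPLE_ARGS = {"foo": "select * from", "bar": "hello"}
BASE = parse_targets("ARGS|ARGS_NAMES")  # a typical rule target list

if __name__ == "__main__":
    print(resolve(BASE, SAMPLE_ARGS))
    print(resolve(update_target_by_id(BASE, "!ARGS:foo"), SAMPLE_ARGS))
    print(resolve(rule_remove_target_by_id(BASE, "ARGS:foo"), SAMPLE_ARGS))
```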