Merged
8 changes: 8 additions & 0 deletions content/2-how-crs-works/2-3-false-positives-and-tuning.md
Expand Up @@ -130,6 +130,10 @@ When using `SecRuleUpdateTargetById` and `ctl:ruleRemoveTargetById` with *chaine
There's also a third group of rule exclusion directives and actions, the use of which is discouraged. As well as excluding rules "ById" and "ByTag", it's also possible to exclude "ByMsg" (`SecRuleRemoveByMsg`, `SecRuleUpdateTargetByMsg`, `ctl:ruleRemoveByMsg`, and `ctl:ruleRemoveTargetByMsg`). This excludes rules based on the message they write to the error log. These messages can be dynamic and may contain special characters. As such, trying to exclude rules by message is difficult and error-prone.
{{% /notice %}}

{{% notice tip %}}
When creating a runtime rule exclusion, we recommend specifying the [t:none transformation](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#transformation-functions) to ensure you have full control over the behavior of an rule. See our docs on rule creation to get an overview on how a runtime rule works: https://coreruleset.org/docs/3-about-rules/creating/
{{% /notice %}}

#### Rule Tags

CRS rules typically feature multiple tags, grouping them into different categories. For example, a rule might be tagged by attack type ('attack-rce', 'attack-xss', etc.), by language ('language-java', 'language-php', etc.), and by platform ('platform-apache', 'platform-unix', etc.).
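Review bot: the new tip says `t:none` gives "full control over the behavior of an rule" without saying what it changes, so a reader cannot tell what happens if it is left out. Please state the reason in one sentence (what transformations would otherwise apply to the rule and where they come from). Also fix "an rule" to "a rule", and turn the bare `https://coreruleset.org/docs/3-about-rules/creating/` URL into a markdown link like the `t:none` link earlier in the same sentence, ideally as a relative link within the docs site.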
Expand Down Expand Up @@ -272,6 +276,7 @@ SecRule REQUEST_URI "@beginsWith /webapp/function.php" \
"id:1000,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920230"
```
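Review bot: the `t:none` added to rule 1000 has no explanation beside the example, and the tip that motivates it sits about 140 lines earlier in the file, so a reader who jumps straight to this snippet sees an unexplained action. Add a short sentence near the example, or a pointer back to the tip. It is also worth saying that with `t:none` the `@beginsWith /webapp/function.php` comparison runs on `REQUEST_URI` without any transformation, so the exclusion of 920230 applies only to requests whose URI starts with exactly that prefix.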
Expand All @@ -290,6 +295,7 @@ SecRule REQUEST_URI "@beginsWith /web_app_1/content" \
"id:1010,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-sqli"
```
Expand All @@ -308,6 +314,7 @@ SecRule REQUEST_URI "@beginsWith /dynamic/new_post" \
"id:1020,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941150;ARGS:text_input"
```
Expand All @@ -326,6 +333,7 @@ SecRule REQUEST_URI "@beginsWith /webapp/login.html" \
"id:1030,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=attack-sqli;REQUEST_COOKIES:uid"
```
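Review bot: with this hunk, `t:none` has been added to the four examples with ids 1000, 1010, 1020 and 1030, all in this one file, while the new tip recommends it for every runtime rule exclusion. Please confirm that no other runtime `ctl:` example in the collapsed parts of this file, or elsewhere in the docs, is left without it, since those would now contradict the tip. The placement is consistent across the four rules (after `pass`, before `nolog`), which is good to keep.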