From 8ba1cd85306c804be077520e098c30f2e75c335e Mon Sep 17 00:00:00 2001 From: Thibault Soubiran Date: Mon, 12 Jan 2026 18:55:59 +0100 Subject: [PATCH 1/2] feat: add a note about fine tuning chained rules --- content/2-how-crs-works/2-3-false-positives-and-tuning.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/2-how-crs-works/2-3-false-positives-and-tuning.md b/content/2-how-crs-works/2-3-false-positives-and-tuning.md index fa00a388..955bd2c4 100644 --- a/content/2-how-crs-works/2-3-false-positives-and-tuning.md +++ b/content/2-how-crs-works/2-3-false-positives-and-tuning.md @@ -122,6 +122,10 @@ The different rule exclusion types and methods are summarized in the table below This table is available as a well presented, downloadable [Rule Exclusion Cheatsheet](https://www.netnea.com/cms/rule-exclusion-cheatsheet-download) from Christian Folini. {{% /notice %}} +{{% notice note %}} +When using `SecRuleUpdateTargetById` and `ctl:ruleRemoveTargetById` with *chained rules*, target exclusions are only applied to the first rule in the chain. You can't exclude targets from other rules in the chain, you must remove the entire rule using `SecRuleRemoveById` or `ctl:ruleRemoveById`. This is a current limitation of the SecLang configuration language. +{{% /notice %}} + {{% notice note %}} There's also a third group of rule exclusion directives and actions, the use of which is discouraged. As well as excluding rules "ById" and "ByTag", it's also possible to exclude "ByMsg" (`SecRuleRemoveByMsg`, `SecRuleUpdateTargetByMsg`, `ctl:ruleRemoveByMsg`, and `ctl:ruleRemoveTargetByMsg`). This excludes rules based on the message they write to the error log. These messages can be dynamic and may contain special characters. As such, trying to exclude rules by message is difficult and error-prone. {{% /notice %}} From 816a1233caa6081e23b94daf7c0ab26e886d874a Mon Sep 17 00:00:00 2001 From: Thibault Soubiran Date: Thu, 15 Jan 2026 21:02:30 +0100 Subject: [PATCH 2/2] chore: address comment --- content/2-how-crs-works/2-3-false-positives-and-tuning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/2-how-crs-works/2-3-false-positives-and-tuning.md b/content/2-how-crs-works/2-3-false-positives-and-tuning.md index 955bd2c4..3c7ea7f2 100644 --- a/content/2-how-crs-works/2-3-false-positives-and-tuning.md +++ b/content/2-how-crs-works/2-3-false-positives-and-tuning.md @@ -123,7 +123,7 @@ This table is available as a well presented, downloadable [Rule Exclusion Cheats {{% /notice %}} {{% notice note %}} -When using `SecRuleUpdateTargetById` and `ctl:ruleRemoveTargetById` with *chained rules*, target exclusions are only applied to the first rule in the chain. You can't exclude targets from other rules in the chain, you must remove the entire rule using `SecRuleRemoveById` or `ctl:ruleRemoveById`. This is a current limitation of the SecLang configuration language. +When using `SecRuleUpdateTargetById` and `ctl:ruleRemoveTargetById` with *chained rules*, target exclusions are only applied to the first rule in the chain. You can't exclude targets from other rules in the chain, depending on how the rule is written, you may have to remove the entire rule using `SecRuleRemoveById` or `ctl:ruleRemoveById`. This is a current limitation of the SecLang configuration language. {{% /notice %}} {{% notice note %}}