Commit ed44103

committed
removeinbandrulebyid
1 parent 69f8b96 commit ed44103

1 file changed

+23
-7
lines changed

crowdsec-docs/docs/appsec/rules_examples.md

Lines changed: 23 additions & 7 deletions
@@ -518,11 +518,27 @@ pre_eval:
518518
#### Use Case
519519
Change a blocking rule to log-only mode for testing.
520520
521+
### 4. Disable Rules by ID
522+
523+
#### Description
524+
Disable specific rules using their unique ID during request processing.
525+
526+
#### Hook Example
527+
```yaml
528+
pre_eval:
529+
- filter: req.URL.Path == "/api/upload" && req.Method == "POST"
530+
apply:
531+
- RemoveInBandRuleByID('rule_id_123')
532+
```
533+
534+
#### Use Case
535+
Disable a specific rule by its ID for certain endpoints or conditions where the rule may cause false positives.
536+
521537
## Post-Evaluation Phase (post_eval)
522538
523539
Post-evaluation hooks run after rule evaluation is complete, primarily used for debugging and logging.
524540
525-
### 4. Debug Request Dumping
541+
### 5. Debug Request Dumping
526542
527543
#### Description
528544
Dump request details to file for debugging.
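Review bot: In the new Hook Example, `RemoveInBandRuleByID('rule_id_123')` passes a quoted placeholder string, while the Description only says "unique ID" and never states what form the ID takes or where a reader looks it up. Please check the argument against the helper's actual signature, use a value in the form it really accepts, and add one sentence on where the ID comes from. Because this hook switches off a blocking rule for every POST to /api/upload, the Use Case should also tell readers to keep the filter as narrow as the false positive requires and to confirm that the remaining rules still apply on that path.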
@@ -542,7 +558,7 @@ Capture full request details for forensic analysis or debugging rule behavior.
542558
543559
On-match hooks run when a rule matches, allowing you to modify the response behavior.
544560
545-
### 5. Change HTTP Response Code
561+
### 6. Change HTTP Response Code
546562
547563
#### Description
548564
Modify the HTTP status code returned to users when a rule matches.
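Review bot: The heading change from "### 5. Change HTTP Response Code" to "### 6. Change HTTP Response Code" here, like the matching renumbering in the other hunks, alters heading text, so any anchor derived from these headings changes with it and existing links to the sections may break. Please check for inbound links to the old headings before merging. Dropping the hard-coded numbers from the headings would let the next added example be a one-section change instead of touching seven headings.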
@@ -558,7 +574,7 @@ on_match:
558574
#### Use Case
559575
Return a 413 "Payload Too Large" instead of the default 403 when a rule triggers.
560576
561-
### 6. Change Remediation Action
577+
### 7. Change Remediation Action
562578
563579
#### Description
564580
Dynamically change the remediation action from the default.
@@ -574,7 +590,7 @@ on_match:
574590
#### Use Case
575591
Show a captcha instead of blocking the request for certain rule matches.
576592
577-
### 7. Allow Specific IPs
593+
### 8. Allow Specific IPs
578594
579595
#### Description
580596
Override blocking for trusted IP addresses.
@@ -590,7 +606,7 @@ on_match:
590606
#### Use Case
591607
Allow internal/admin IPs to bypass security rules while keeping protection for others.
592608
593-
### 8. Cancel Alert Generation
609+
### 9. Cancel Alert Generation
594610
595611
#### Description
596612
Prevent alert creation while keeping the request blocked.
@@ -606,7 +622,7 @@ on_match:
606622
#### Use Case
607623
Block suspicious requests without generating alerts for known false positives.
608624
609-
### 9. Force Alert for Out-of-Band Rules
625+
### 10. Force Alert for Out-of-Band Rules
610626
611627
#### Description
612628
Generate alerts for monitoring rules that normally only log.
@@ -622,7 +638,7 @@ on_match:
622638
#### Use Case
623639
Create alerts for reconnaissance attempts detected by monitoring rules.
624640
625-
### 10. Hook Flow Control
641+
### 11. Hook Flow Control
626642
627643
#### Description
628644
Control execution of subsequent hooks with break/continue.
