Operator failure fails open

[rcbarnett-zz]

MODSEC-12: When an operator execution fails (ie returns <0), the rule is just dropped and fails open (no interception performed).

Example debug output:
{noformat}
[4] Rule returned -1.
[1] Rule processing failed.
{noformat}

This change was introduced in 2.1.2 and may have been a bad decision on my part.

Is this really what we want now? I think it should be an option (maybe SecInterceptOnError On|Off). It should at least be documented.

[rcbarnett-zz]

Original reporter: brectanus

[rcbarnett-zz]

brectanus: See also:

https://mirror4.cvsdude.com/trac/breach/modsec/ticket/53

[rcbarnett-zz]

ivanr: We may need up to three settings:

1. Ignore errors
2. Trigger rule (and block if the rule would block) - the problem with this is that not all rules are meant to be decide whether to block or alert. A result of a rule may be needed by a subsequent rule, in which case we would miss it.
3. Stop processing with an ISE 500 (assuming we are not in DetectionOnly mode or equivalent).

We may want to investigate why rules fail, and only implement #3 if they only fail on real errors.

[rcbarnett-zz]

roysjosh: We have the same problem here - here's a patch that does #3, I think. Works for us.

[rcbarnett-zz]

rbarnett: Same issue was found when using SecRuleScript with Lua. If the script fails for some reason, it will stop the current processing phase and just to the next phase (skipping all remaining rules).

[rcbarnett-zz]

bpinto: An option was provided if an user want to skip or not a phase when a rule fails.