On 10/26/10 4:53 PM, "robert mena" <firstname.lastname@example.org> wrote:
> Hi Ryan,
> I've downloaded the latest pack. Do you recommend for me to remove all
> the /etc/httpd/modsecurity.d/base_rules/ rules and replace with the
> modsecurity-crs_2.0.8/base_rules ?
Yes, however you will want to probably keep your base/main config file.
This is the one that you have customized for the SecAuditEngine, Debug Log
> I've noticed that in the action they all have the pass. Should I change to
> something else?
Robert - read the README and the comments in the
modsecurity_crs_10_config.conf file. The CRS currently runs in an anomaly
scoring mode. Yes, the individual rules are set to pass, however that is
because they are all contributing to an anomaly score that is then evaluated
at the end of the request phase (in the
modsecurity_crs_49_inbound_blocking.conf file). Set the appropriate
levels/actions in the 10 config file and you should be good.
> On Tue, Oct 26, 2010 at 12:29 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:
>> On 10/26/10 12:22 PM, "robert mena" <email@example.com> wrote:
>>> I noticed that mod_security comes with some rules for sql_injection but they
>>> seem to only generate warnings out of the box so we can decide and activate the
>>> correct ones by replacing the pass with drop (for example), right?
>> While there is a version of the Core Rule Set (CRS) that is bundled with the
>> modsecurity source archive, it is highly recommended that you use the
>> current version from over at the OWASP Project site -
>> You can read a bit on the Setup/Documentation tabs for data. I would also
>> recommend that you sign up for the OWASP CRS mail-list to stay up-to-date on
>> rule updates and to ask rule-related questions there -
>>> I've searched the FAQs and tried to search the web (and the archives) for a
>>> set of trusted rules to activate before having to dig too much in the log
>>> If possible I'd like a few pointers to 'jump-start' my setup.
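
Added illustration, not part of the mailing-list thread and not the CRS's own rules: a simplified ModSecurity 2.x fragment showing the anomaly scoring pattern described in the reply above, where detection rules use pass and only a final rule takes a disruptive action. The rule ids, patterns, score increments and the threshold of 5 are constructed for this example.

```apache
# Constructed example of anomaly scoring. Ids, patterns and scores are
# placeholders chosen for illustration, not values taken from the CRS.

# Start every transaction with a score of zero.
SecAction "phase:1,id:900001,t:none,nolog,pass,setvar:tx.anomaly_score=0"

# Detection rules: a match is logged and adds to the score, but the
# action is "pass", so the request continues on to the next rule.
SecRule ARGS "@rx (?i:union\s+select)" \
    "phase:2,id:900002,t:none,t:urlDecodeUni,log,pass,\
    msg:'SQL injection pattern in argument',\
    setvar:tx.anomaly_score=+5"

SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
    "phase:2,id:900003,t:none,log,pass,\
    msg:'Empty User-Agent header',\
    setvar:tx.anomaly_score=+2"

# Evaluation rule: loaded after all detection rules in the same phase,
# it is the only rule with a disruptive action. Changing "deny" here, or
# the threshold, changes blocking behaviour for every detection rule at
# once without touching the individual "pass" actions.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "phase:2,id:900004,t:none,log,deny,status:403,\
    msg:'Inbound anomaly score exceeded (score %{tx.anomaly_score})'"
```

With these constructed values, an empty User-Agent alone (score 2) is logged but allowed, while a request matching the first rule (score 5) is denied by the evaluation rule.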