Thread: [mod-security-users] modsecurity_crs_15_customrules.conf
From: Ronnie A. <ron...@gm...> - 2009-04-28 09:17:01

Hi,

I am having troubles with this file: modsecurity_crs_15_customrules.conf

My understanding was all I need to do is to put this file in the directory where modsecurity configuration files are, and that will allow me to submit rules to whitelist.

I run the following to see where I should create the file:

===
root@zion [/usr/local/apache/conf]# cat httpd.conf |grep mods
Include "/usr/local/apache/conf/modsec2.conf"
===

Then I check it out:

====
root@zion [/usr/local/apache/conf]# cat modsec2.conf

LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"

Include /usr/local/apache/conf/modsec/00_asl_rbl.conf
Include /usr/local/apache/conf/modsec/00_asl_whitelist.conf
Include /usr/local/apache/conf/modsec/05_asl_exclude.conf
Include /usr/local/apache/conf/modsec/05_asl_scanner.conf
Include /usr/local/apache/conf/modsec/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec/10_asl_rules.conf
Include /usr/local/apache/conf/modsec/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec/30_asl_antimalware.conf
Include /usr/local/apache/conf/modsec/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec/40_asl_apache2-rules.conf
Include /usr/local/apache/conf/modsec/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec/60_asl_recons.conf
Include /usr/local/apache/conf/modsec/99_asl_exclude.conf
Include /usr/local/apache/conf/modsec/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec/trusted-domains.conf
====

I can't see modsecurity_crs_15_customrules.conf, but from the documentation it seems all I need to do is to just create the file and enter the exceptions there, without even adding it to the modsec2.conf file.

But it's not working.

Any ideas?

From: Ronnie A. <ron...@gm...> - 2009-04-28 09:29:52

Ahh....I see I needed this in my conf:

<IfModule security2_module>
Include conf/rules/*.conf
</IfModule>

Doh!

On Tue, Apr 28, 2009 at 7:16 PM, Ronnie Adamowicz <ron...@gm...> wrote:

> Hi,
>
> I am having troubles with this file: modsecurity_crs_15_customrules.conf
>
> My understanding was all I need to do is to put this file in the directory
> where modsecurity configuration files are, and that will allow me to submit
> rules to whitelist.
>
> I run the following to see where I should create the file:
>
> ===
> root@zion [/usr/local/apache/conf]# cat httpd.conf |grep mods
> Include "/usr/local/apache/conf/modsec2.conf"
> ===
>
> Then I check it out:
>
> ====
> root@zion [/usr/local/apache/conf]# cat modsec2.conf
>
> LoadFile /opt/xml2/lib/libxml2.so
> LoadFile /opt/lua/lib/liblua.so
> LoadModule security2_module modules/mod_security2.so
> <IfModule mod_security2.c>
> SecRuleEngine On
> # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
> # "Add the rules that will do exactly the same as the directives"
> # SecFilterCheckURLEncoding On
> # SecFilterForceByteRange 0 255
> SecAuditEngine RelevantOnly
> SecAuditLog logs/modsec_audit.log
> SecDebugLog logs/modsec_debug_log
> SecDebugLogLevel 0
> SecDefaultAction "phase:2,deny,log,status:406"
>
> SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
> Include "/usr/local/apache/conf/modsec2.user.conf"
>
> Include /usr/local/apache/conf/modsec/00_asl_rbl.conf
> Include /usr/local/apache/conf/modsec/00_asl_whitelist.conf
> Include /usr/local/apache/conf/modsec/05_asl_exclude.conf
> Include /usr/local/apache/conf/modsec/05_asl_scanner.conf
> Include /usr/local/apache/conf/modsec/10_asl_antimalware.conf
> Include /usr/local/apache/conf/modsec/10_asl_rules.conf
> Include /usr/local/apache/conf/modsec/20_asl_useragents.conf
> Include /usr/local/apache/conf/modsec/30_asl_antimalware.conf
> Include /usr/local/apache/conf/modsec/30_asl_antispam.conf
> Include /usr/local/apache/conf/modsec/40_asl_apache2-rules.conf
> Include /usr/local/apache/conf/modsec/50_asl_rootkits.conf
> Include /usr/local/apache/conf/modsec/60_asl_recons.conf
> Include /usr/local/apache/conf/modsec/99_asl_exclude.conf
> Include /usr/local/apache/conf/modsec/99_asl_jitp.conf
> Include /usr/local/apache/conf/modsec/trusted-domains.conf
> ====
>
> I can't see modsecurity_crs_15_customrules.conf, but from the documentation
> it seems all I need to do is to just create the file and enter the
> exceptions there, without even adding it to the modsec2.conf file.
>
> But it's not working.
>
> Any ideas?

From: Christian B. <ch...@jw...> - 2009-04-28 09:33:54

Ronnie Adamowicz wrote:

> Hi,
>
> I am having troubles with this file: modsecurity_crs_15_customrules.conf
>
> My understanding was all I need to do is to put this file in the directory
> where modsecurity configuration files are, and that will allow me to submit
> rules to whitelist.
>
> I run the following to see where I should create the file:
>
> ===
> root@zion [/usr/local/apache/conf]# cat httpd.conf |grep mods
> Include "/usr/local/apache/conf/modsec2.conf"
> ===
>
> Then I check it out:
>
> ====
> root@zion [/usr/local/apache/conf]# cat modsec2.conf
>
> LoadFile /opt/xml2/lib/libxml2.so
> LoadFile /opt/lua/lib/liblua.so
> LoadModule security2_module modules/mod_security2.so
> <IfModule mod_security2.c>
> SecRuleEngine On
> # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
> # "Add the rules that will do exactly the same as the directives"
> # SecFilterCheckURLEncoding On
> # SecFilterForceByteRange 0 255
> SecAuditEngine RelevantOnly
> SecAuditLog logs/modsec_audit.log
> SecDebugLog logs/modsec_debug_log
> SecDebugLogLevel 0
> SecDefaultAction "phase:2,deny,log,status:406"
>
> SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
> Include "/usr/local/apache/conf/modsec2.user.conf"
>
> Include /usr/local/apache/conf/modsec/00_asl_rbl.conf
> Include /usr/local/apache/conf/modsec/00_asl_whitelist.conf
> Include /usr/local/apache/conf/modsec/05_asl_exclude.conf
> Include /usr/local/apache/conf/modsec/05_asl_scanner.conf
> Include /usr/local/apache/conf/modsec/10_asl_antimalware.conf
> Include /usr/local/apache/conf/modsec/10_asl_rules.conf
> Include /usr/local/apache/conf/modsec/20_asl_useragents.conf
> Include /usr/local/apache/conf/modsec/30_asl_antimalware.conf
> Include /usr/local/apache/conf/modsec/30_asl_antispam.conf
> Include /usr/local/apache/conf/modsec/40_asl_apache2-rules.conf
> Include /usr/local/apache/conf/modsec/50_asl_rootkits.conf
> Include /usr/local/apache/conf/modsec/60_asl_recons.conf
> Include /usr/local/apache/conf/modsec/99_asl_exclude.conf
> Include /usr/local/apache/conf/modsec/99_asl_jitp.conf
> Include /usr/local/apache/conf/modsec/trusted-domains.conf
> ====
>
> I can't see modsecurity_crs_15_customrules.conf, but from the documentation
> it seems all I need to do is to just create the file and enter the
> exceptions there, without even adding it to the modsec2.conf file.
>

Are you referring to the documentation of ModSecurity, which includes the core-rules? Or are you referring to the got-root rules?

IIRC, the core-rules are set up by including the entire core-rules directory, e.g.

Include /etc/apache2/core-rules/*.conf

Doing so will of course result in a file "modsecurity...15_customrules.conf" to be included.

However, if you start your config based on something completely different (i.e. the gotroot-rules) then you might not be surprised if hints from other documentations will not produce the result you're expecting :-)

As you can see in the configuration you submitted, all Include directives are referencing absolute files, without any wildcards. There is no chance of these Include-directives hitting your modsecurity...15_customrules.conf

So you'd need to Include the file directly by adding another include-line like

Include /usr/local/apache/conf/modsec/modsecurity_crs_15_customrules.conf

or put your exceptions into "/usr/local/apache/conf/modsec2.user.conf" or wherever your rule-set advises you to put them.

Regards,
Chris
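
An added example, not part of the original thread: a small checker that follows Apache `Include` directives (absolute, ServerRoot-relative and wildcard) to tell whether a rule file such as modsecurity_crs_15_customrules.conf is actually read, which is the point made in the reply above. The function names and the sample tree are constructed for illustration; the sketch treats `<IfModule>` sections as always active and does not expand directory includes.

```python
import glob, os, re, tempfile

# Matches Include / IncludeOptional lines; commented-out lines do not match.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)

def loaded_files(conf, server_root, seen=None):
    """Return the set of files reachable from conf via Include directives."""
    seen = set() if seen is None else seen
    conf = os.path.realpath(conf)
    if conf in seen or not os.path.isfile(conf):
        return seen
    seen.add(conf)
    with open(conf, errors="replace") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            # Relative Include paths are resolved against ServerRoot;
            # os.path.join leaves absolute paths untouched.
            pattern = os.path.join(server_root, m.group(1))
            for path in sorted(glob.glob(pattern)):
                loaded_files(path, server_root, seen)
    return seen

def is_loaded(target, conf, server_root):
    return os.path.realpath(target) in loaded_files(conf, server_root)

def demo():
    """Constructed sample tree mirroring the layout discussed in the thread."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "conf/modsec"))
    os.makedirs(os.path.join(root, "conf/rules"))
    def write(rel, text=""):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
        return os.path.join(root, rel)
    write("conf/modsec/10_asl_rules.conf")
    custom = write("conf/rules/modsecurity_crs_15_customrules.conf")
    # Before: only absolute Include lines, as in the posted modsec2.conf.
    before = write("conf/before.conf",
                   'Include "%s/conf/modsec/10_asl_rules.conf"\n' % root)
    # After: the wildcard Include from the follow-up message.
    after = write("conf/after.conf",
                  "<IfModule security2_module>\nInclude conf/rules/*.conf\n</IfModule>\n")
    return (is_loaded(custom, before, root), is_loaded(custom, after, root))

if __name__ == "__main__":
    print(demo())
```

Running the same check against the real top-level httpd.conf before relying on an exception file confirms that the whitelist rules are in the loaded set rather than silently ignored.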