Hi Ryan,

Thanks for the response. Our web host got back to me with some information that was very helpful. You can add your own id to these types of rules. I changed:

SecRule REQUEST_URI "\.php" chain

To:

SecRule REQUEST_URI "\.php" "chain,id:1000001"

Now, I can whitelist with the following:

<LocationMatch /mypage.php>
  SecRuleRemoveById 1000001
</LocationMatch>

The only thing you need to be careful with is the ID. You have to make sure you don't duplicate any of them or Apache will have issues.

Thanks,

-Sean
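The two things this thread turns on (a rule with no id action cannot be excluded with SecRuleRemoveById, and a duplicated id breaks the Apache start-up) are easy to check for before reloading. Below is an added example, not code from the thread, from ModSecurity or from any rule set, of a small Python linter that walks a ModSecurity 2.x configuration and reports both. It assumes the 2.x directive syntax (SecRule VARIABLES "OPERATOR" ["ACTIONS"], backslash line continuation, single-quoted action arguments such as msg:'...') and runs over a constructed sample configuration that embeds the thread's chained rule before and after its first rule is given an id; the second operator of that chain is abbreviated here.

```python
"""Lint a ModSecurity 2.x configuration for SecRule directives that carry no
id action (and so cannot be excluded with SecRuleRemoveById) and for ids
that occur more than once.  Added example; not code from the thread."""


def tokenize(directive):
    """Whitespace-split a directive, keeping double-quoted tokens intact."""
    tokens, buf, quoted = [], [], False
    i = 0
    while i < len(directive):
        c = directive[i]
        if quoted and c == "\\" and directive[i + 1:i + 2] == '"':
            buf.append('"')  # escaped quote inside a quoted token
            i += 2
            continue
        if c == '"':
            quoted = not quoted  # the quote is dropped, regex backslashes kept
        elif c.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        tokens.append("".join(buf))
    return tokens


def join_continuations(text):
    """Yield (first physical line number, logical directive), merging
    lines that end in a backslash."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(p.strip() for p in buf).strip()
        buf, start = [], None


def parse_actions(actions):
    """Split an action list on commas outside single quotes (msg:'a, b' stays whole)."""
    out, buf, in_sq = [], [], False
    for c in actions:
        if c == "'":
            in_sq = not in_sq
        if c == "," and not in_sq:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
    out.append("".join(buf).strip())
    return [a for a in out if a]


def lint_rules(conf_text):
    """Report rules without an id and ids used more than once.  A rule that
    continues a chain is exempt: only the chain's first rule carries the id."""
    missing, seen, continuation = [], {}, False
    for lineno, directive in join_continuations(conf_text):
        if not directive or directive.startswith("#"):
            continue
        tokens = tokenize(directive)
        if tokens[0] != "SecRule":  # SecRuleRemoveById, <LocationMatch>, ...
            continue
        actions = parse_actions(tokens[3]) if len(tokens) > 3 else []
        rule_id = next((a[3:].strip("'\"") for a in actions if a.startswith("id:")), None)
        if rule_id is None and not continuation:
            missing.append(lineno)
        elif rule_id is not None:
            seen.setdefault(rule_id, []).append(lineno)
        continuation = "chain" in actions
    return {"missing_id": missing,
            "duplicate_ids": {r: ls for r, ls in seen.items() if len(ls) > 1}}


# Constructed sample: the thread's chained rule before and after its first rule
# gets an id (second operator abbreviated), the exclusion, and a duplicated id.
SAMPLE_CONF = r'''
#PHP Injection Attack generic signature (original form, no id)
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?(LOCAL_PATH|action|cmd)=(http|https|ftp)\:/)"
# Same rule once an id is added to the chain's first rule
SecRule REQUEST_URI "\.php" "chain,id:1000001"
SecRule REQUEST_URI|REQUEST_BODY "(\?(LOCAL_PATH|action|cmd)=(http|https|ftp)\:/)"
<LocationMatch /mypage.php>
  SecRuleRemoveById 1000001
</LocationMatch>
# Two constructed rules sharing an id, which stops the configuration loading
SecRule ARGS "@rx select" \
    "id:1000002,phase:2,deny,msg:'constructed, SQL keyword'"
SecRule ARGS "@rx union" "id:1000002,phase:2,deny"
'''

if __name__ == "__main__":
    for kind, found in lint_rules(SAMPLE_CONF).items():
        print(f"{kind}: {found}")
```

Run against the sample it reports line 3 (the original chain with no id) and the id 1000002 used on lines 12 and 14; the second rule of each chain is deliberately not reported, which is why adding id to the first rule alone, as above, is enough. Id ranges in SecRuleRemoveById are not resolved by this linter.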

From: Ryan Barnett [mailto:RBarnett@trustwave.com]
Sent: Tuesday, June 19, 2012 9:57 PM
To: Sean Gonsman; mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] How to whitelist rules without an ID

This looks like the GotRoot/AtomicCorp rules. I would suggest that you seek help on their forum - https://www.atomicorp.com/forums/viewforum.php?f=14

All the rules in the OWASP ModSecurity Core Rule Set (CRS) have rule IDs assigned for reasons such as this.

FYI - depending on your ModSecurity version, newer releases also have the ability to disable rules based also on the msg or tag data -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleRemoveByMsg
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleRemoveByTag

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Sean Gonsman <sean.gonsman@abovemedia.com>
Date: Tue, 19 Jun 2012 20:26:13 -0500
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] How to whitelist rules without an ID

I am a new user to mod security as we just switched to a new server with cPanel. I've been trying to configure the whitelists since there are some false positives that need to be addressed. We are running into an issue where some rules have no ID or message so we can't whitelist them. Our web host's solution is to disable mod security for a particular URI. This is not ideal. It seems that most of the rules without an ID are in the file modsec2.user.conf and look like this (this is one that caused an issue):

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

Two questions:

1.) Is there anything we can do to whitelist just this rule for a particular URI or domain?
2.) Are these rules necessary as they seem like they are user added/not part of the core?

Thanks,

-Sean