This looks like the GotRoot/AtomicCorp rules. I would suggest that you seek help on their forum - https://www.atomicorp.com/forums/viewforum.php?f=14

All the rules in the OWASP ModSecurity Core Rule Set (CRS) have rule ID assigned for reasons such as this.

FYI – depending on your ModSecurity version, newer releases also have the ability to disable rules based also on the msg or tag data -

http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleRemoveByMsg
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleRemoveByTag

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Sean Gonsman <sean.gonsman@abovemedia.com>
Date: Tue, 19 Jun 2012 20:26:13 -0500
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] How to whitelist rules without an ID

I am a new user to mod security as we just switched to a new server with cPanel. I've been trying to configure the whitelists since there are some false positives that need to be addressed. We are running into an issue where some rules have no ID or message so we can't whitelist them. Our web host's solution is to disable mod security for a particular URI. This is not ideal.

It seems that most of the rules without an ID are in the file modsec2.user.conf and look like this (this is one that caused an issue):

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

Two questions:

1.) Is there anything we can do to whitelist just this rule for a particular URI or domain?

2.) Are these rules necessary as they seem like they are user added/not part of the core?

Thanks,
-Sean

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
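One way to act on Ryan's advice for the rule Sean quoted, as an added example that is not part of either message, of the CRS or of the GotRoot/AtomicCorp rule set: give the anonymous chain an id, msg and tag of your own, then remove it only in the context where it misfires. The id 90001, the tag name LOCAL/PHP_INJECTION and the /forum/post.php path are assumptions chosen for illustration.

```apache
# Added example, not from the thread. These are Sean's two rule lines with an
# action list added to the chain starter: in ModSecurity 2.x the first rule of
# a chain carries the metadata (id, msg, tag) and the chained rule keeps only
# its match. 90001 is an assumed id inside the 1-99,999 range the reference
# manual reserves for local rules, so it cannot collide with CRS ids.
SecRule REQUEST_URI "\.php" \
    "chain,id:90001,msg:'PHP Injection Attack generic signature',tag:'LOCAL/PHP_INJECTION'"
    SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

# Whitelist by id, scoped to the one URI that produced the false positive
# (assumed path). Apache applies the Location container per request, so the
# chain stays active for every other path on the server. To whitelist for a
# whole domain instead, place the same directive inside that site's
# <VirtualHost> block rather than a Location container.
<LocationMatch "^/forum/post\.php$">
    SecRuleRemoveById 90001
</LocationMatch>

# The msg/tag route Ryan points to, usable once the rule carries that metadata
# and the ModSecurity version supports the directives. Both take a regular
# expression matched against the rule's msg or tag text; anchoring the tag
# pattern avoids removing other rules whose tag merely contains the string.
<LocationMatch "^/forum/post\.php$">
    SecRuleRemoveByMsg "^PHP Injection Attack generic signature$"
    SecRuleRemoveByTag "^LOCAL/PHP_INJECTION$"
</LocationMatch>
```

After editing, run the usual configuration test (for example apachectl configtest) and confirm in the audit log that requests to other paths still trigger id 90001, since the goal is to narrow the rule, not to lose it.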