Re: [mod-security-users] Need suggestion about SecFilter in mod_security2
From: Ryan B. <Rya...@br...> - 2009-02-13 13:30:35
-----Original Message-----
From: Chonanis Kongsuwan [mailto:cho...@we...]
Sent: Friday, February 13, 2009 2:42 AM
To: mod...@li...
Subject: [mod-security-users] Need suggestion about SecFilter in mod_security2

Hello,

I'm new to mod_security, now using mod_security2 with Apache 2.2. Now my server is facing some kind of attack, which of course I don't want to happen. I've found some rules to prevent attacks at http://forum.mamboserver.com/showthread.php?t=26406 . But they seem to be rules for mod_security 1. The following is an example of the rules in that link.

# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

I wonder how I can change these rules to be able to use them in mod_security2?

[Ryan Barnett] From what you show below, you are already using the Core Rule Set that comes with ModSecurity, and it already has rules for identifying these types of command injection attacks (in the modsecurity_crs_40_generic_attacks.conf file).

I searched around, and know that there is no SecFilter anymore in version 2, and it's changed to SecRule. But when I try changing all "SecFilter" into "SecRule", it still can't be used. Here is the error when I restart Apache after editing the rule:

Starting httpd: Syntax error on line 34 of /etc/httpd/modsecurity.d/modsecurity_crs_35_bad_robots.conf:
Invalid command 'SecFilter', perhaps misspelled or defined by a module not included in the server configuration

The other question is, if I'd like to block some script name, for example check.cgi, can I just write "SecRule check.cgi"? Or how should I do it?

[Ryan Barnett] Review the SecRule syntax in the reference manual - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/html-multipage/configuration-directives.html#N108ED
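
The ModSecurity 1.x rules quoted in the message, rewritten in the 2.x `SecRule VARIABLES OPERATOR ACTIONS` form, together with a rule for the check.cgi question. This is an added example, not part of the original thread and not taken from the Core Rule Set; the rule ids, messages, and the choice of phase, variables and transformations are assumptions of the example.

```apache
# Added example. Rule ids are constructed placeholders; use ids from your
# own local range. Keep custom rules in their own file rather than editing
# the CRS files (the error in the thread came from a SecFilter line placed
# in modsecurity_crs_35_bad_robots.conf).

SecRuleEngine On
# Needed so phase:2 rules see POST parameters (1.x: SecFilterScanPOST On).
SecRequestBodyAccess On

# 1.x: SecFilter "/bin/sh"
# SecFilter had an implicit target; SecRule must name its variables.
SecRule REQUEST_LINE|ARGS "/bin/sh" \
    "phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
id:1000001,msg:'/bin/sh command attempt'"

# 1.x: SecFilterSelective THE_REQUEST "/bin/ps"
# THE_REQUEST is called REQUEST_LINE in 2.x.
SecRule REQUEST_LINE "/bin/ps" \
    "phase:1,t:none,t:urlDecodeUni,deny,status:403,log,\
id:1000002,msg:'/bin/ps command attempt'"

# 1.x: SecFilter "wget\x20"
# The default operator is @rx, so the pattern stays a regular expression.
SecRule REQUEST_LINE|ARGS "wget\x20" \
    "phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
id:1000003,msg:'wget command attempt'"

# Blocking a script by name: "SecRule check.cgi" is not valid because a
# variable and an operator argument are both required.
SecRule REQUEST_FILENAME "@endsWith /check.cgi" \
    "phase:1,t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
deny,status:403,log,id:1000004,msg:'Request for blocked script check.cgi'"
```

To tune before enforcing, replace `deny,status:403` with `pass` so the rules only log, then review the audit log for false positives.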