I have been going through the modsec documentation and I am not sure about how to accomplish this.
The following rules help out greatly in deterring most injection exploits:
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
The problem I am encountering is PHP Live uses a referrer listing in the addresses which is triggering this rule:
/livehelp/image.php?l=phpadmin&x=1&deptid=0&pagex=http%3A//www.website.com/&unique=1173772540796&refer=http%3A//www.referringwebsite.com/details.asp%3FID%3D3754&text= HTTP/1.1
How would I go about creating an exception rule to allow the rule to function normally but ignore image.php in this case?
Thanks!



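The false positive and one possible exception, modelled in Python as an added example (not part of the original post and not ModSecurity's own code). It assumes the filter matches against the URL-decoded URI; `SKIP_EXTENDED`, `rules_fired` and the two `OTHER` requests are hypothetical names and constructed samples.

```python
import re
from urllib.parse import unquote

# Second link of each chain, copied from rules 390144 and 390145 in the post.
EXT = r"(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)"
PAYLOAD = {
    390144: re.compile(r"=(http|www|ftp)\:/(.+)\." + EXT + r"\x20?\?"),
    390145: re.compile(r"=(http|www|ftp)\:/(.+)\." + EXT + r"\?"),
}

# First link of each chain ("!pattern": continue only if the URI does NOT match).
SKIP_ORIGINAL = re.compile(r"(horde/services/go\.php)")
# Hypothetical extension: also skip PHP Live's image.php, anchored to the start
# of the path so the exception covers only requests for that script itself.
SKIP_EXTENDED = re.compile(r"(horde/services/go\.php|^/livehelp/image\.php(\?|$))")

def rules_fired(request_uri, skip):
    """Return the ids of the chained rules that would fire for this URI."""
    uri = unquote(request_uri)  # assumption: matching happens after URL decoding
    if skip.search(uri):        # negated first link fails, so the chain stops
        return []
    return [rule_id for rule_id, rx in PAYLOAD.items() if rx.search(uri)]

# Request from the post (without the trailing " HTTP/1.1").
PHPLIVE = ("/livehelp/image.php?l=phpadmin&x=1&deptid=0"
           "&pagex=http%3A//www.website.com/&unique=1173772540796"
           "&refer=http%3A//www.referringwebsite.com/details.asp%3FID%3D3754&text=")
# Constructed samples: the pattern the rules target, on a different script.
OTHER = "/index.php?page=http://host.example/file.txt?"
OTHER_MENTIONS_PATH = OTHER + "&from=/livehelp/image.php"

if __name__ == "__main__":
    for name, skip in (("original", SKIP_ORIGINAL), ("extended", SKIP_EXTENDED)):
        for uri in (PHPLIVE, OTHER, OTHER_MENTIONS_PATH):
            print(name, rules_fired(uri, skip), uri[:40])
```

The decoded `refer` value contains `=http:/ ... .asp?`, which is why both rules fire on the PHP Live request. In the rule set, the extended pattern would take the place of `(horde/services/go\.php)` in the first line of each chain.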





