Editing ModSecurity vendor rules

kshivachev

Member
Jun 26, 2015
Bulgaria
cPanel Access Level
Root Administrator
Hello,

Is there any way to edit the ModSecurity included vendor rules? I'm using OWASP as a Vendor and I want to edit a single rule of theirs. I was not able to find a way through WHM. Is there any other way to edit such a rule, for example through the command line?

Regards!
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
So as to persist through updates of the rule sets, the best way is not to edit them directly but to find the id of the rule you want to edit, then copy the rule, change its id, and add it back as a new rule.
So, step by step...
  1. Get the id of the rule you want to change. (possibly by looking at Security Center » ModSecurity™ Tools » Hits List)
    Be careful not to edit the rules with msg "Inbound Anomaly Score", such as 949110 or 980130
    They do the blocking for all the other rules
    You will want to edit scoring rules rather than counting rules
  2. Go to Security Center » ModSecurity™ Tools » Rules List and search or filter with your rule id.
  3. Copy the contents of the rule (comments are OK too)
  4. Click the "New Rule" button
  5. Paste the contents of your copied rule
  6. Change the id of your new pasted rule
    (best to add digits to beginning or end of old id)
    (edit the msg in the rule so you recognise hits to the new rule)
    (maybe edit comment too)
    (Good time to make the functional edits to the new rule)
  7. Save the new rule (if you have syntax error or duplicate id you get error here or when you click the deploy button)
  8. Search again for the id
  9. Disable the old rule
  10. Click the "Deploy and Restart Apache" button.
 

kshivachev

Member
Jun 26, 2015
Bulgaria
cPanel Access Level
Root Administrator
Hello,

Thanks for the response, but unfortunately this does not fully resolve the problem. I want to disable one country code from the Risk Country codes rule (id:910100). Below you will find the full rule text, and it only contains parameters which I'm not able to find and edit.

Code:
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" "msg:'Client IP is from a HIGH Risk Country Location.', severity:'CRITICAL', id:1, phase:request, block, t:none, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-ip', chain"
SecRule TX:REAL_IP "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" "setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}, setvar:ip.reput_block_flag=1, expirevar:ip.reput_block_flag=%{tx.reput_block_duration}, setvar:'ip.reput_block_reason=%{rule.msg}'"
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
In that CRS rule set (the older of the 2 supplied by cPanel), the HIGH_RISK_COUNTRY_CODES is set on...
line 194 of
OWASP/modsecurity_crs_10_setup.conf
It is set by the line...
Code:
SecAction "id:'900022', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
To use the WHM Interface to achieve what you want you must duplicate this SecRule/SecAction, edit it, then disable the original version.
To do so, follow my previous instructions but search for the id 900022.

I tested this before I posted and can confirm it works.
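The end state of the procedure above, written out as plain ModSecurity directives (an added example, not from the thread or from cPanel). Assumptions: BG is the code being removed, 9000221 is a free id chosen for the copy, 203.0.113.10 is a constructed placeholder address, the directives live in a custom rules file that is included after the vendor's modsecurity_crs_10_setup.conf, and SecRuleRemoveById is used as the plain-ModSecurity equivalent of the WHM "Disable" button (what WHM writes is not shown in the thread).

```apache
# 1. Disable the vendor's original SecAction (id from the thread). SecRuleRemoveById
#    only affects rules that were loaded before it, so this file must be included
#    after the OWASP setup file.
SecRuleRemoveById 900022

# 2. Re-add the same SecAction under a new id (assumed free) with the edited list.
#    Only BG is removed here (assumption); every other code from the original is kept.
SecAction "id:'9000221', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO TR RU PK MY CN'"

# 3. Temporary check rule based on fuzzylogic's, using @ipMatch instead of an escaped
#    regex so a plain address can be pasted in. 203.0.113.10 is a constructed
#    placeholder: put your own address here, and remove the rule once the Hits List
#    shows the new list.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "msg:'YOUR IP made this request. High Risk Countries are %{tx.high_risk_country_codes}.',\
    id:90002222,\
    phase:request,\
    log,\
    pass,\
    t:none"
```

Rule 910100 is unchanged by this: it still reads tx.high_risk_country_codes, which is now populated by the copy instead of the disabled original.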
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
Here is another temporary rule so you can see if you have succeeded.
Replace the XXXs with your home computer ip address so the rule only fires for your requests.
Add this rule through the WHM Interface as instructed in previous post.
Deploy the changes, wait for Apache to restart, then visit a page on your server.
Then go to Security Center » ModSecurity™ Tools » Hits List
to read the logs msg made by this rule.
Code:
# Rule to check what the high risk country codes currently are.
# Replace Xs with your home IP address
SecRule REMOTE_ADDR "XXX\.XX\.XXX\.XX"\
    "msg:'YOUR IP made this request. High Risk Countries are %{tx.high_risk_country_codes}.',\
    id:90002222,\
    phase:request,\
    log,\
    pass,\
    t:none"
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The previous posts should help. Let us know if you have any additional questions.

Thank you.