
Editing ModSecurity vendor rules

Discussion in 'Security' started by kshivachev, Sep 4, 2017.

  1. kshivachev

    kshivachev Member

    Hello,

    Is there any way to edit the ModSecurity included vendor rules? I'm using OWASP as a vendor and I want to edit a single rule of theirs. I was not able to find a way through WHM. Is there any other way to edit such a rule, for example through the command line?

    Regards!
     
  2. fuzzylogic

    fuzzylogic Well-Known Member

    So as to persist through updates of the rule sets, the best way is not to edit them directly but to find the id of the rule you want to edit, copy the rule, change its id, then add it back as a new rule.
    So, step by step...
    1. Get the id of the rule you want to change. (possibly by looking at Security Center » ModSecurity™ Tools » Hits List)
      Be careful not to edit the rules with msg "Inbound Anomaly Score", such as 949110 or 980130
      They do the blocking for all the other rules
      You will want to edit scoring rules rather than counting rules
    2. Go to Security Center » ModSecurity™ Tools » Rules List and search or filter with your rule id.
    3. Copy the contents of the rule (comments are OK too)
    4. Click the "New Rule" button
    5. Paste the contents of your copied rule
    6. Change the id of your new pasted rule
      (best to add digits to beginning or end of old id)
      (edit the msg in the rule so you recognise hits to the new rule)
      (maybe edit comment too)
      (Good time to make the functional edits to the new rule)
    7. Save the new rule (if you have syntax error or duplicate id you get error here or when you click the deploy button)
    8. Search again for the id
    9. Disable the old rule
    10. Click the "Deploy and Restart Apache" button.
     
  3. kshivachev

    kshivachev Member

    Hello,

    Thanks for the response, but unfortunately this does not fully resolve the problem. I want to disable one country code from the Risk Country Codes rule (id:910100). Below you will find the full rule text, and it gives only parameters, which I'm not able to find and edit.

    Code:
    SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" "msg:'Client IP is from a HIGH Risk Country Location.', severity:'CRITICAL', id:1, phase:request, block, t:none, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-ip', chain"
    SecRule TX:REAL_IP "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" "setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}, setvar:ip.reput_block_flag=1, expirevar:ip.reput_block_flag=%{tx.reput_block_duration}, setvar:'ip.reput_block_reason=%{rule.msg}'"
     
  4. fuzzylogic

    fuzzylogic Well-Known Member

    In that CRS rule set (the older of the 2 supplied by cPanel), HIGH_RISK_COUNTRY_CODES is set on line 194 of OWASP/modsecurity_crs_10_setup.conf.
    It is set by the line...
    Code:
    SecAction "id:'900022', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
    To use the WHM Interface to achieve what you want, you must duplicate this SecRule/SecAction, edit it, then disable the original version.
    To do so, follow my previous instructions but search for the id 900022.

    I tested this before I posted and can confirm it works.
     
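A command-line counterpart of the copy, renumber, edit and disable-original procedure from the two posts above, as an added example (not code from the thread, from cPanel or from OWASP). It assumes the usual cPanel layout, vendor rule files under /etc/apache2/conf.d/modsec_vendor_configs and a custom-rules file (modsec2.user.conf) that Apache loads after them; the helper names (find_rule_file, rule_countries, drop_code, make_override) are hypothetical and the sample vendor file it dry-runs against is constructed from the 900022 line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or OWASP): shell counterpart of the
# copy -> renumber -> edit -> disable-original procedure above. Assumed cPanel
# path (verify locally): vendor rule files live under VENDOR_DIR.
set -eu
VENDOR_DIR="${VENDOR_DIR:-/etc/apache2/conf.d/modsec_vendor_configs}"
# find_rule_file ID: print the vendor file that defines rule ID; fail if none
find_rule_file() {
    grep -rlE "id:'?$1'?[,\"]" "$VENDOR_DIR" | head -n 1 | grep .
}

# rule_countries FILE ID: the tx.high_risk_country_codes list set by rule ID
rule_countries() {
    grep -E "id:'?$2'?[,\"]" "$1" |
        sed -n "s/.*tx\.high_risk_country_codes=\([^']*\)'.*/\1/p"
}

# drop_code "CODES" CODE: the space-separated list with CODE removed
drop_code() {
    printf '%s\n' $1 | grep -vx "$2" | tr '\n' ' ' | sed 's/ $//'
}

# make_override OLD_ID NEW_ID "CODES": the renumbered copy plus the directive
# that disables the vendor original (the pair must load after the vendor files,
# which is where the custom-rules file sits on an assumed standard cPanel layout)
make_override() {
    cat <<EOF
# Override of vendor rule $1: copied, renumbered $2, country list edited
SecAction "id:'$2', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=$3'"
SecRuleRemoveById $1
EOF
}

# make_sample_vendor_dir: constructed vendor tree for an offline dry run, holding
# only the SecAction line quoted in the thread; prints the directory path
make_sample_vendor_dir() {
    d=$(mktemp -d) && mkdir -p "$d/OWASP"
    cat >"$d/OWASP/modsecurity_crs_10_setup.conf" <<'EOF'
SecAction "id:'900022', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
EOF
    printf '%s\n' "$d"
}
# Dry run: BG is dropped purely as an illustration of removing one code
if [ "${1:-}" = "--demo" ]; then
    VENDOR_DIR=$(make_sample_vendor_dir)
    f=$(find_rule_file 900022)
    make_override 900022 9000221 "$(drop_code "$(rule_countries "$f" 900022)" BG)"
    rm -rf "$VENDOR_DIR"
fi
```

Run it with `--demo` to see the two directives it would append to the custom-rules file; after appending them for real, deploy and restart Apache exactly as in the WHM procedure so the change is picked up.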
  5. fuzzylogic

    fuzzylogic Well-Known Member

    Here is another temporary rule so you can see if you have succeeded.
    Replace the XXXs with your home computer IP address so the rule only fires for your requests.
    Add this rule through the WHM Interface as instructed in the previous post.
    Deploy the changes, wait for Apache to restart, then visit a page on your server.
    Then go to Security Center » ModSecurity™ Tools » Hits List to read the log msg made by this rule.
    Code:
    # Rule to check what the high risk country codes currently are.
    # Replace Xs with your home IP address
    SecRule REMOTE_ADDR "XXX\.XX\.XXX\.XX"\
        "msg:'YOUR IP made this request. High Risk Countries are %{tx.high_risk_country_codes}.',\
        id:90002222,\
        phase:request,\
        log,\
        pass,\
        t:none"
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The previous posts should help. Let us know if you have any additional questions.

    Thank you.
     