Getting Error while implementing mod_Security rules for antispam event

prashantjadhav · Jul 11, 2013

Hello,

We are trying to implement below mentioned rules for mod_security aaplication and getting error as " Syntax error on line 170 of /usr/local/apache/conf/modsec2.user.conf:
ModSecurity: No action id present within the rule " where line number 170 is SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain.

Code:

SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"


SecRule REQUEST_URI "dm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"

Regards,
Prashant

cPanelMichael · Jul 11, 2013

Hello

Unique rule IDs are mandatory for the version on Mod_Security installed on your system. You can find more information on this at:

Mod_Security Rule Changes

This includes the steps you can take to ensure rules have unique ids.

Thank you.

quizknows · Jul 12, 2013

This should fix up those rules so that modsec 2.7 is happy with them

Code:

SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99001"
SecRule REQUEST_BODY "[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99002"
SecRule REQUEST_BODY "[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-][email protected][A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99003"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99004"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"


SecRule REQUEST_URI "dm.cgi" "id:99005"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state" "id:99006"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd" "id:99007"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg" "id:99008"

prashantjadhav · Jul 13, 2013

Hello,

Thank you for your valuable update. But how we would come to know which id needs to be used like 99001, 99002. Is there any formula calculation for such ids ? Because suppose in future we want to use any mod_security rule then how will come to know the id to be used ?

Regards,
Prashant

quizknows · Jul 13, 2013

Technically you can use any rule ID you are not already using. There are "reserved" ranges, and it's a good idea to follow those if you can. I used this range for you:

"1–99,999 Reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others. "

See Apache Module: Security under Rules ID required in ModSecurity for further information.

prashantjadhav · Jul 15, 2013

Hello,

Thanks quizknows. It helped me a lot.

- - - Updated - - -

Hello,

Thanks quizknows. It helped me a lot.

inthukha · Jul 18, 2013

So you allow cgi script globally by adding them in main user file ?
why not using ConfigServer ModSecurity Control for this job ?

cPanelMichael · Jul 18, 2013

inthukha said:
So you allow cgi script globally by adding them in main user file ?
why not using ConfigServer ModSecurity Control for this job ?

You are welcome to use a third-party application to manage your Mod_Security rules. Keep in mind that ConfigServer applications are not installed with cPanel by default. They are third-party applications that users must install on their own.

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
	I've been getting Cron /usr/share/clamav/freshclam-sleep errors for weeks now on lots of servers	Security	8	Feb 17, 2022
J	auto SSL one of my subdomains but getting an error	Security	1	Jan 6, 2022
V	Getting SERVFAIL error for one domain	Security	9	Apr 24, 2020
A	getting error while redirecting my website form http to https. i already tryied all htaccess methods.	Security	1	Oct 17, 2019
	Trying run auto SSL and keep getting this error	Security	1	Aug 17, 2017

Search

Search

Getting Error while implementing mod_Security rules for antispam event

prashantjadhav

Registered

cPanelMichael

Administrator

quizknows

Well-Known Member

prashantjadhav

Registered

quizknows

Well-Known Member

prashantjadhav

Registered

inthukha

Well-Known Member

cPanelMichael

Administrator