Getting Error while implementing mod_Security rules for antispam event

prashantjadhav

Hello,

We are trying to implement the rules below for the mod_security application and are getting this error: "Syntax error on line 170 of /usr/local/apache/conf/modsec2.user.conf: ModSecurity: No action id present within the rule", where line 170 is SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain.

Code:
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"


SecRule REQUEST_URI "dm.cgi"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"
Regards,
Prashant
 

cPanelMichael

Hello :)

Unique rule IDs are mandatory for the version of Mod_Security installed on your system. You can find more information on this at:

Mod_Security Rule Changes

This includes the steps you can take to ensure rules have unique ids.

Thank you.
 

quizknows

This should fix up those rules so that modsec 2.7 is happy with them:

Code:
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99001"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99002"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99003"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99004"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"


SecRule REQUEST_URI "dm.cgi" "id:99005"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state" "id:99006"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd" "id:99007"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg" "id:99008"
 

prashantjadhav

Hello,

Thank you for your valuable update. But how would we know which id needs to be used, like 99001, 99002? Is there any formula or calculation for such ids? Suppose in future we want to use any mod_security rule, then how will we know the id to be used?

Regards,
Prashant
 

quizknows

Technically you can use any rule ID you are not already using. There are "reserved" ranges, and it's a good idea to follow those if you can. I used this range for you:

"1–99,999 Reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others."

See Apache Module: Security under Rules ID required in ModSecurity for further information.
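
The ID requirements discussed in this thread (each standalone rule or chain starter carries an id, ids are unique, local rules stay in 1–99,999) can be checked before restarting Apache. This is an added example, not code from the thread or from ModSecurity; `lint_rule_ids` and the sample config are hypothetical, and it assumes one directive per line.

```python
import re
import shlex

LOCAL_RANGE = range(1, 100000)  # 1-99,999: the local-use range quoted in the thread

# Constructed sample (not a real config): rules from the thread, some broken on purpose.
SAMPLE = r'''# modsec2.user.conf excerpt
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_URI "dm.cgi" "id:99005"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state" "id:99005"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd" "id:199007"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99001"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
'''

def lint_rule_ids(conf_text):
    """Return [(line_no, message)] for SecRule/SecAction id problems."""
    findings, seen, in_chain = [], {}, False
    for no, line in enumerate(conf_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] not in ("SecRule", "SecAction"):
            continue
        # SecRule VARIABLES OPERATOR [ACTIONS]; SecAction ACTIONS
        idx = 3 if tokens[0] == "SecRule" else 1
        actions = tokens[idx] if len(tokens) > idx else ""
        id_match = re.search(r"(?:^|,)\s*id:'?(\d+)", actions)
        chained = re.search(r"(?:^|,)\s*chain\s*(?:,|$)", actions) is not None
        if in_chain:
            # Inner rule of a chain: the id belongs on the chain starter only.
            in_chain = chained
            continue
        in_chain = chained
        if id_match is None:
            findings.append((no, "no id action"))
            continue
        rule_id = int(id_match.group(1))
        if rule_id in seen:
            findings.append((no, f"id {rule_id} already used on line {seen[rule_id]}"))
        else:
            seen[rule_id] = no
        if rule_id not in LOCAL_RANGE:
            findings.append((no, f"id {rule_id} outside local range 1-99999"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_rule_ids(SAMPLE):
        print(f"line {line_no}: {message}")
```

A clean run of this check does not replace Apache's own configuration test, which remains the authority on whether the rule file loads.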
 

cPanelMichael

So you allow CGI scripts globally by adding them in the main user file?
Why not use ConfigServer ModSecurity Control for this job?
You are welcome to use a third-party application to manage your Mod_Security rules. Keep in mind that ConfigServer applications are not installed with cPanel by default. They are third-party applications that users must install on their own.

Thank you.