how to use OWASP ModSecurity Core Rule Set

[dilstar]

Hi!

I have vps and i have installed the mod security from easyapache. now its showing in the whm and when i go to its configuration its showing text file to write ruleset just by copy paste.

Let me know how can i use these ruleset, just i have to copy paste all the rule set there?
or if that is not possible then how to use owasp and all other ruleset. Please guide step by step now.

thanks

 

[cPanelMichael]

Hello

I don't believe the rules provided by OWASP are intended to be copy/pasted into a Mod_Security configuration without first fine tuning them. I will leave this thread open for input from other users who may have implemented the OWASP rules.

Thank you.

 

[quizknows]

Using the OWASP rules is somewhat advanced and you should read the included documentation very carefully.

The rules are split into several files. Usually what you do is have a directory for the rules files you want to use. Some rules (protocol anomolies especially) are more prone to false positives than others.

Normally if you deploy the entire core rule set you should be prepared to troubleshoot false positives for a while until you get it tuned for your own use.

You need a basic modsec2.user.conf to call your own setup config as well as the rules you want to use. My modsec2.user.conf when I used to use the owasp rules looked like this:

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

SecRequestBodyAccess On

Include "/usr/local/apache/conf/OWASP/10_setup.conf"
Include "/usr/local/apache/conf/OWASP/activated_rules/*.conf
Include "/usr/local/apache/conf/OWASP/custom.conf"
Include "/usr/local/apache/conf/OWASP/exclude.conf"

Inside the /usr/local/apache/conf/OWASP/activated_rules/ directory were symlinks to the actual OWASP rules files I wanted to use. Custom.conf was for my own rules, and exclude.conf was used for whitelisting problematic rules.

 

[dilstar]

Using the OWASP rules is somewhat advanced and you should read the included documentation very carefully.

The rules are split into several files. Usually what you do is have a directory for the rules files you want to use. Some rules (protocol anomolies especially) are more prone to false positives than others.

Normally if you deploy the entire core rule set you should be prepared to troubleshoot false positives for a while until you get it tuned for your own use.

You need a basic modsec2.user.conf to call your own setup config as well as the rules you want to use. My modsec2.user.conf when I used to use the owasp rules looked like this:

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

SecRequestBodyAccess On

Include "/usr/local/apache/conf/OWASP/10_setup.conf"
Include "/usr/local/apache/conf/OWASP/activated_rules/*.conf
Include "/usr/local/apache/conf/OWASP/custom.conf"
Include "/usr/local/apache/conf/OWASP/exclude.conf"

Inside the /usr/local/apache/conf/OWASP/activated_rules/ directory were symlinks to the actual OWASP rules files I wanted to use. Custom.conf was for my own rules, and exclude.conf was used for whitelisting problematic rules.

i dont know much about it, but i like mod_Security i have to secure wordpress comrpomise and joomla compromise, i dont know what to do, which rules can do that, it will be really easy if i will use copy paste rules

 

[quizknows]

The atomicorp rules were great for protecting most common CMSes, but the free delayed rules are no longer available. You might consider atomicorp's paid rule set.