
mod_security 2.5 Rule Engine

Discussion in 'Security' started by W00LF, Apr 25, 2013.

  1. W00LF

    W00LF Member

    Joined:
    Apr 19, 2013
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner

    Hello,
    I have a couple of questions:
    1. How exactly does ModSecurity work with the rules? Does it read them in order of number, from _crs_20 and until....? Or is there another way?
    2. Does ModSecurity work with a blacklist or a whitelist?
    3. I read somewhere that there are negative and positive rules. What are the differences between them, and what kind of rules are the OWASP rules?
    Thank you a lot! And please, I need your help as soon as possible.
    WOOLF.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. W00LF

  4. Infopro

    Not sure exactly what you mean. Can you explain it another way?
     
  5. W00LF

    ModSecurity Advanced Topic of the Week: (Updated) Exception Handling - SpiderLabs Anterior

    In this link there is a topic, "False Positives In New Environments", and they talk about FALSE POSITIVE/NEGATIVE...
    "False Positives happen with ModSecurity + CRS mainly as a by-product of the fact that the rules are generic in nature. The plug-n-play nature of the CRS is what makes it great, as you will get protection for just about any environment; however, there will be some level of FPs. This ends up being the old "80/20 rule" of security where you will instantly get coverage for about 80% of the problem. The issue then moves towards that remaining 20%. This is where the CRS runs into both false positives and false negatives as there is no way to know exactly what web application is going to be run behind it. That is why the CRS is geared towards blocking the known bad stuff and forcing some HTTP compliance. This catches the vast majority of attacks."
     
  6. Infopro

    That article covers the topic quite well I think. If you find something being blocked by mod_security that you feel is safe, and shouldn't be blocked, you might find this addon quite useful:
    ConfigServer ModSecurity Control
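
One way to triage the false positives discussed in this thread, added here as an example and not code from the thread, cPanel or the CRS project: it reads ModSecurity alerts from the Apache error log, groups them by rule id, URI and matched variable, and proposes a `SecRuleRemoveById` exception scoped to the affected URI. The log lines, rule ids, clients and URIs are constructed, and treating "the same rule fires on the same URI and parameter for many distinct clients" as a false-positive signal is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed Apache error-log lines in ModSecurity 2.x format; rule ids,
# clients, hosts and URIs are invented for this example.
SAMPLE_LOG = '''
[Thu Apr 25 10:01:12 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "64"] [id "1000001"] [msg "Constructed SQL keyword rule"] [hostname "www.example.com"] [uri "/admin/post.php"] [unique_id "c1"]
[Thu Apr 25 10:07:40 2013] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "64"] [id "1000001"] [msg "Constructed SQL keyword rule"] [hostname "www.example.com"] [uri "/admin/post.php"] [unique_id "c2"]
[Thu Apr 25 10:15:03 2013] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "64"] [id "1000001"] [msg "Constructed SQL keyword rule"] [hostname "www.example.com"] [uri "/admin/post.php"] [unique_id "c3"]
[Thu Apr 25 10:20:00 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union" at ARGS:id. [file "/etc/modsec/rules.conf"] [line "80"] [id "1000002"] [msg "Constructed rule B"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "c4"]
[Thu Apr 25 10:20:01 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union" at ARGS:id. [file "/etc/modsec/rules.conf"] [line "80"] [id "1000002"] [msg "Constructed rule B"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "c5"]
[Thu Apr 25 10:21:00 2013] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')    # [id "..."], [uri "..."], ...
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')
TARGET = re.compile(r' at (\S+)\. \[file ')    # matched variable, e.g. ARGS:content

def parse_event(line):
    """Return a dict for a ModSecurity alert line, or None for anything else."""
    if "ModSecurity:" not in line:
        return None
    ev = dict(FIELD.findall(line))
    client, target = CLIENT.search(line), TARGET.search(line)
    if "id" not in ev or "uri" not in ev or not client:
        return None
    ev["client"] = client.group(1)
    ev["target"] = target.group(1) if target else "?"
    return ev

def fp_candidates(log_text, min_clients=3):
    """Group alerts by (rule id, uri, target); keep groups seen from many clients."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            clients[(ev["id"], ev["uri"], ev["target"])].add(ev["client"])
    hits = [(k, len(v)) for k, v in clients.items() if len(v) >= min_clients]
    return sorted(hits, key=lambda kv: -kv[1])

def suggest_exception(rule_id, uri):
    """Exception scoped to one URI instead of disabling the rule server-wide."""
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (re.escape(uri), rule_id))

if __name__ == "__main__":
    for (rule_id, uri, target), n in fp_candidates(SAMPLE_LOG):
        print("rule %s on %s (%s), %d distinct clients" % (rule_id, uri, target, n))
        print(suggest_exception(rule_id, uri))
```

Rule 1000002 is left alone because all of its hits come from a single client; inspect the blocked requests for each candidate before loading the generated exception.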
     