Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Modsec Exception Rule

Discussion in 'Security' started by Solokron, Mar 13, 2007.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    850
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I have been going through the modsec documentation and I am not sure about how to accomplish this.

    The following rules help out greatly in deterring most injection exploits:

    SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
    SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
    SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
    SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

    The problem I am encountering is PHP Live uses a referrer listing in the addresses which is triggering this rule:

    /livehelp/image.php?l=phpadmin&x=1&deptid=0&pagex=http%3A//www.website.com/&unique=1173772540796
    &refer=http%3A//www.referringwebsite.com/details.asp%3FID%3D3754&text= HTTP/1.1

    How would a go about creating an exception rule to allow the rule to function as normally but ignore image.php in this case?


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Specify the page instead of making it too generic. Generic rules can get you into trouble.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    850
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I appreciate the response. Unfortunately it does not answer the question.

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,711
    Likes Received:
    96
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
  5. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    850
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice