ModSecurity Auto Updater

Secmas

Well-Known Member
Feb 18, 2005
Why not make it more automated by downloading the latest rules directly

Code:
http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
and ignore the date-based URL.
I have an automatic autoupdater for the ones that kindly donate on my site.

But among the posts in this thread, someone wrote a modification to make my autoupdater automatic.

Sergio
 

nzpli

Member
Nov 2, 2005
Nelson NZ
Hi Sergio

Thanks for your tip via the ConfigServer forum re ASL rules at ModSec Taylor Made and Tweaks by Sergio

I installed the rules and rebooted Apache, and that went well

Through ConfigServer ModSecurity Control, I had a look at the log

Bit concerned about the searchengines rule - results below:

www.website1.co.nz 66.249.74.94 303800 [31/Oct/2013:17:37:58 +1300]
Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

www.website2.co.nz 66.249.74.188 303800 [31/Oct/2013:17:35:10 +1300]
Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

www.website1.co.nz 157.55.32.112 303801 [31/Oct/2013:17:33:11 +1300]
Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "79"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler"]

www.website3.com 199.21.99.70 303808 [31/Oct/2013:17:37:55 +1300]
Match of "rx (\\.yandex\\.(?:ru|com|net)$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "164"] [id "303808"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake Yandex webcrawler."]

The above all seem legit to me - IPs as expected for those search engines

I changed the modsec2.user.conf back to what it was, because I don't need those search engines blocked

What has been your experience?

thanks
Peter
 
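The ASL rule quoted in Peter's log compares REMOTE_HOST against the crawler's domain, and in ModSecurity REMOTE_HOST only holds a hostname when Apache resolves client names (HostnameLookups On), otherwise it holds the bare IP and a genuine crawler looks "fake". The following is an added example, not code from the thread or from Atomicorp: it parses the two-line log format shown above and performs the forward-confirmed reverse DNS check that such a rule approximates, with the resolver swapped for constructed lookup tables so it runs offline. The PTR names, the 198.51.100.7 client and the `verify_entry` helper are assumptions for illustration.

```python
import re

# Added example (not the thread's or Atomicorp's code): crawler hostname suffixes
# per ASL rule id, from the rule messages above (303801 simplified to a suffix).
CRAWLER_SUFFIXES = {
    "303800": (".googlebot.com",),
    "303801": (".search.msn.com",),
    "303808": (".yandex.ru", ".yandex.com", ".yandex.net"),
}
HEADER_RE = re.compile(r"^(?P<vhost>\S+) (?P<ip>\d+(?:\.\d+){3}) (?P<rule>\d+) \[(?P<ts>[^\]]+)\]")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(header, detail):
    """Parse one two-line entry as shown by ConfigServer ModSecurity Control."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("unrecognised header line: %r" % header)
    entry = m.groupdict()
    entry.update(dict(FIELD_RE.findall(detail)))  # file, line, id, rev, msg
    return entry

def verify_crawler(ip, rule_id, reverse, forward):
    """Forward-confirmed rDNS: PTR must carry a crawler suffix AND resolve back to ip."""
    suffixes = CRAWLER_SUFFIXES.get(rule_id, ())
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        if name.endswith(suffixes) and ip in forward(name):
            return True  # a forged PTR without a matching A record never gets here
    return False

# Constructed resolver tables standing in for live DNS (assumed PTR/A data;
# 198.51.100.7 is a made-up client whose PTR falsely claims to be Googlebot).
FAKE_PTR = {"66.249.74.94": ["crawl-66-249-74-94.googlebot.com."],
            "198.51.100.7": ["crawl-66-249-74-94.googlebot.com."]}
FAKE_A = {"crawl-66-249-74-94.googlebot.com": ["66.249.74.94"]}
reverse_lookup = lambda ip: FAKE_PTR.get(ip, [])
forward_lookup = lambda name: FAKE_A.get(name, [])

def verify_entry(header, detail):
    """True if the client in one log entry is a genuine crawler for that rule."""
    e = parse_entry(header, detail)
    return verify_crawler(e["ip"], e["rule"], reverse_lookup, forward_lookup)

# Constructed sample in the quoted log format: the first IP is one from the thread.
SAMPLE = [
    "www.website1.co.nz 66.249.74.94 303800 [31/Oct/2013:17:37:58 +1300]",
    'Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]',
    "www.example.test 198.51.100.7 303800 [31/Oct/2013:17:40:02 +1300]",
    'Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]',
]
```

Replacing the two lambdas with real DNS calls (PTR then A lookups) turns this into a triage script for hits on rules 303800, 303801 and 303808.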

quietFinn

Well-Known Member
Feb 4, 2006
Finland
I changed the modsec2.user.conf back to what it was, because I don't need those search engines blocked

What has been your experience?
I suggest you just exclude that rules file (00_asl_y_searchengines.conf).
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
The file is included when you have a line like this in modsec2.user.conf:
Code:
Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
If you change it to:
Code:
# Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
i.e. "comment it out", the file is excluded.
 

nzpli

Member
Nov 2, 2005
Nelson NZ
I don't have that in my file

I followed ModSec Taylor Made and Tweaks by Sergio and the original modsec2.user.conf had only the following in it:
Include /usr/local/apache/conf/modsec2.whitelist.conf

So now I have just:
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Can I use, say,
Ignore /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf

will that work?

Peter
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
So now I have just:
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
OK, with that kind of configuration you just delete the file 00_asl_y_searchengines.conf

Can I use, say,
Ignore /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf

will that work?
Nope.
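Sergio's suggestion of fetching the "latest" tarball instead of a dated URL and quietFinn's point that a wildcard Include has no Ignore directive (an unwanted rules file stays out only if it is not on disk) fit naturally into one install step. The following is an added example, not Sergio's autoupdater or WhiteDog's plugin: it assumes the tarball has already been downloaded (for instance by the cron job), that the rules live flat in the directory the wildcard Include points at, and that `apachectl` is the way Apache is reloaded on the box; the function names and example paths are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's autoupdater: install an already downloaded
# rules tarball, drop unwanted rule files, reload Apache only if config is valid.
set -eu

install_rules() {
    tarball="$1"    # path to the downloaded modsec-2.7-free-latest.tar.gz
    rules_dir="$2"  # directory the wildcard Include points at, e.g. /usr/local/apache/conf/modsec_rules
    exclude="$3"    # space-separated file names to drop, e.g. 00_asl_y_searchengines.conf

    staging=$(mktemp -d)
    tar -xzf "$tarball" -C "$staging"

    # With "Include .../*asl*.conf" there is no Ignore directive: a rules file
    # stays out only if it is not on disk, so remove it before installing.
    for f in $exclude; do
        find "$staging" -name "$f" -type f -exec rm -f {} +
    done

    mkdir -p "$rules_dir"
    # Flatten into the live directory; the wildcard Include does not recurse.
    find "$staging" -name '*.conf' -type f -exec cp -f {} "$rules_dir"/ \;
    rm -rf "$staging"
}

reload_apache_if_valid() {
    # A syntax error in a freshly downloaded rule would otherwise keep Apache
    # from starting at the next restart, so test the config before reloading.
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest && apachectl graceful
    fi
}

# Typical cron usage (assumed paths):
#   install_rules /root/modsec-2.7-free-latest.tar.gz /usr/local/apache/conf/modsec_rules 00_asl_y_searchengines.conf
#   reload_apache_if_valid
```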
 

WhiteDog

Well-Known Member
Feb 19, 2008
As the free GotRoot feed is no longer available, I decided to revert to the Trustwave Paid Ruleset. I am also working on a free cPanel/WHM plugin to download, install and manage the Trustwave Ruleset. If anyone is using them and is interested in trying this plugin, just send me a DM.
 

texo

Well-Known Member
Mar 28, 2007
@WhiteDog that sounds very interesting. Will this work with the Configserver ModSec manager we have installed, to update the rulesets?
 

WhiteDog

Well-Known Member
Feb 19, 2008
@WhiteDog that sounds very interesting. Will this work with the Configserver ModSec manager we have installed, to update the rulesets?
The plugin is mainly to download the updated files daily and make it "easy" for us to implement this. I'm sure many of you hate creating bash scripts, configuring cron jobs and "testing" half-done solutions as much as I do :) That is the reason I create plugins for things.

So all you have to do is install the plugin, enter your Trustwave serial and select your desired options and rulesets. A cron job set up by the plugin will then download the updates and activate them.

So yes, this will work with CSF ModSec Manager; the plugin will just create its own modsec conf file there and insert a one-liner in your user.conf to activate them. ModSec will pick this up.

My goal for all of you is to make things easier and understandable. The plugin is nearly finished. I'm at the moment talking to the fine people of Trustwave to get some basic support and "best practices". I can share some screenshots, though; please see the attachments.

PS: the plugin is pretty "universal" and can be modified to download any other rulesets out there if needed.
 