Modsecurity Exclusion

Discussion in 'Security' started by egsi, Sep 9, 2010.

  1. egsi

    egsi Member

    I keep getting false positives with the following rule:
    Code:
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
    I would like to exclude it as per the following:
    Code:
    <LocationMatch "/forum/showthread.php">
        SecRuleRemoveById 950801
    </LocationMatch>
    Just wondering where exactly I put the above code?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    There's a great tool available for micro managing accounts and modsec rules like this called CMC you might be interested in:
    ConfigServer ModSecurity Control
     
  3. egsi

    egsi Member

    Thanks for that.

    However it doesn't seem to allow excluding rules using the "LocationMatch" directive.

    Only to exclude the rule globally, per account or on a per domain basis.

    Just did a bit of reading on the modsecurity website and it seems I need to create a separate file and place the directive in that file. And then make a call to that file. Just not 100% sure on how to do that.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Actually it does exactly what you seek, almost. When you want to disable a rule for a single account using CMC, it's added to a file that's created here:
    /usr/local/apache/conf/userdata/std/2/accountname/modsec.conf

    And once added, if you look at that file you see this:

    <LocationMatch .*>
    SecRuleRemoveById 950801
    </LocationMatch>

    You could certainly add that file and edit it to your needs, and add the line to call it etc, but what's been suggested is far easier.

    If you're looking for an easy way to handle this. :)

    GL!
     
  5. egsi

    egsi Member

    Thanks for that. Looks like either way I'll have to do some manual tweaking.

    Will post back with any success / failures!
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm curious, what are you hoping to have by bypassing this?
    "/forum/showthread.php"
     
    #6 Infopro, Sep 11, 2010
    Last edited: Sep 11, 2010
  7. egsi

    egsi Member

    I'm getting false positives in relation to rule ID 950801.

    Hence want to exclude it for instances involving the above (instead of disabling entirely).
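
The two `<LocationMatch>` patterns in this thread switch rule 950801 off for very different sets of URLs, because the directive takes an unanchored regular expression matched against the URL path. The script below is an added example, not part of any post in the thread: it uses Python's `re` as a stand-in for Apache's regex engine (an assumption that holds for these simple patterns), the sample paths are constructed, and the anchored third pattern is introduced here for comparison.

```python
import re

# Patterns as they appear in the thread, plus an anchored/escaped variant
# (the third pattern is an assumption added here, not from the thread).
PATTERNS = {
    "account-wide (CMC output)": r".*",
    "as posted": r"/forum/showthread.php",
    "anchored, dot escaped": r"^/forum/showthread\.php$",
}

# Constructed sample URL paths (no query string: LocationMatch sees the path only).
SAMPLE_PATHS = [
    "/forum/showthread.php",
    "/forum/showthread.php/extra",
    "/forum/showthread_php",
    "/old/forum/showthread.php",
    "/forum/newreply.php",
    "/wp-login.php",
]


def rule_removed(pattern, path):
    """True if <LocationMatch pattern> would apply to path (unanchored search)."""
    return re.search(pattern, path) is not None


def scope(pattern, paths=SAMPLE_PATHS):
    """Paths on which rule 950801 would be switched off by this pattern."""
    return [p for p in paths if rule_removed(pattern, p)]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f'{label}: <LocationMatch "{pattern}">')
        for p in scope(pattern):
            print(f"    950801 removed for {p}")
```

Running it before editing `modsec.conf` shows how far an exclusion reaches: the narrower the list for a pattern, the less traffic goes unchecked by the UTF-8 validation rule.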
     