Need Modsecurity whitelist help for OpenX, can't find right ID?

aarondwyer

Well-Known Member
Verified Vendor
Mar 26, 2005
73
0
156
Brisbane
cPanel Access Level
Root Administrator
Hi

Modsecurity is blocking the OpenX ad management system from displaying ads on one of my accounts.

I need help identifying what modsecurity rule to exclude.

From /etc/httpd/logs/error_log

Code:
[Tue Jan 18 13:24:50 2011] [error] [client 211.30.165.234] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "TTUIAkg03YoAACviTToAAAAV"]

I know I can add a file /usr/local/apache/conf/userdata/std/2/domain/domain.com/whitelist.conf

With this in it.

Code:
<LocationMatch "/ads/www/delivery/spc.php">
  SecRuleRemoveById ?????????
</LocationMatch>

But I don't know which modsecurity ID has been triggered, so where I have the ???????? question marks I need an ID.

Does anyone know how to find this information if the error_log file doesn't specify it?

Thanks
Aaron
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
Are you using an old version of modsec2.user.conf? Those rules should be providing ID numbers. I suppose you could check line 302 in that file to see what it says. No way of knowing from here though, my modsec2.user.conf seems to be different than yours.

WHM > Plugins > Mod Security > Edit Config
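
An added example, not part of the thread and not cPanel's or ModSecurity's own code: a Python script that reads ModSecurity denial lines from error_log and either emits a narrowly scoped LocationMatch exclusion when an [id "..."] tag is present, or points at the rule's file and line when it is not, as in the log quoted above. The second sample line and its id 1000001 are constructed for illustration.

```python
import re

# Sample input: the denial from the first post joined onto one line, plus a
# CONSTRUCTED second line that carries an [id "..."] tag (1000001 is made up).
SAMPLE_LOG = r'''
[Tue Jan 18 13:24:50 2011] [error] [client 211.30.165.234] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "TTUIAkg03YoAACviTToAAAAV"]
[Tue Jan 18 13:25:02 2011] [error] [client 211.30.165.234] ModSecurity: Access denied with code 500 (phase 2). Pattern match "example" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "310"] [id "1000001"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "CONSTRUCTED0000000000000"]
'''

# ModSecurity appends rule metadata as [key "value"] pairs after the message.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return the [key "value"] tags of a ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    return dict(TAG_RE.findall(line))

def advise(line):
    """Suggest the next step for one log line (None if not a ModSecurity line)."""
    tags = parse_denial(line)
    if tags is None:
        return None
    if "id" in tags:
        # LocationMatch takes a regex: escape and anchor the URI so the
        # exclusion covers only this script, not everything that contains it.
        pattern = "^" + re.escape(tags.get("uri", "")) + "$"
        return ('<LocationMatch "%s">\n  SecRuleRemoveById %s\n</LocationMatch>'
                % (pattern, tags["id"]))
    # No id tag: the rule was written without an id action, so there is
    # nothing for SecRuleRemoveById to name. Report where the rule lives.
    return "rule has no id; inspect %s line %s" % (tags.get("file"), tags.get("line"))

def main():
    for line in SAMPLE_LOG.strip().splitlines():
        print(advise(line), end="\n\n")

if __name__ == "__main__":
    main()
```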
 

aarondwyer

Thanks, this is the first line and line 302 of modsec2.user.conf

### Modsec2 rules v0.2 ###

SecRule REQUEST_URI "\.php\?.*loc=(http|https|ftp)\:\/"

I'd rather not comment it out. Perhaps my modsecurity needs an upgrade?

How do you know what version of modsecurity is running, and how does it get updated?

Are modsecurity and its rules updated via the normal cPanel updates?

Thanks
Aaron
 

aarondwyer

In WHM > Plugins > Mod Security > Edit Config

I clicked on the Reset Configuration textarea to: Default Configuration

A whole different set of rules appeared, each one with an ID against each of the rules.

I have my server managed for me, so I can only assume that they entered in a custom ruleset.

I'll run with the default configuration from cPanel for a while and see what happens.

Thanks for your help

Aaron
 

syslint

Well-Known Member
Verified Vendor
Oct 9, 2006
268
7
168
India
cPanel Access Level
Root Administrator