Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OWASP ModSecurity v3 - Best Rulesets to use?

Discussion in 'Security' started by oSM, Dec 26, 2016.

  1. oSM

    oSM Well-Known Member

    Joined:
    Aug 18, 2001
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    306
    Has anyone been using the latest OWASP ModSecurity Core Rule Set via WHM? Version 3 was released recently (November 10, 2016) - OWASP ModSecurity Core Rule Set (CRS)

    After spending hours tweaking these rulesets, we've found the best ones that cause least false positives are:


    modsecurity_crs_10_setup.conf
    Enable - Doesn't seem to cause issues

    rules/REQUEST-01-COMMON-EXCEPTIONS.conf
    Enable - Doesn't seem to cause issues

    rules/REQUEST-10-IP-REPUTATION.conf
    Enable - Doesn't seem to cause issues
    ^ Enabling this rule by default seems to block all traffic from Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, Pakistan, Malaysia and China. You need to remove these from /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf if you want to modify the countries being blocked! Rule only seems to work if Geolocation Database is defined in ModSecurity™ Configuration, otherwise it is ignored.

    Seems like one needs to also register and get an API key for it to scan bad ips - Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub


    rules/REQUEST-12-DOS-PROTECTION.conf
    Enable - Doesn't seem to cause issues

    rules/REQUEST-13-SCANNER-DETECTION.conf
    Enable - Doesn't seem to cause issues. Seems to block sites like SEMRush Bot, Seomoz, etc. Might be good to prevent competitor spying, but if your customers use SEO services from those sites, it would be problematic.

    rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
    Disable

    rules/REQUEST-21-PROTOCOL-ATTACK.conf
    Disable

    rules/REQUEST-30-APPLICATION-ATTACK-LFI.conf
    Enable - Doesn't seem to cause issues

    rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf
    Disable - Seems to cause issues when a site is calling scripts from another site. For example, if you have websiteA.com calling a PHP script from websiteB and incorporating the results in websiteA.

    rules/REQUEST-33-APPLICATION-ATTACK-PHP.conf
    Enable - Doesn't seem to cause issues

    rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf
    Disable - Seems to cause issue with some site builders (KoPage, etc)

    rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf
    Disable - Seems to cause a lot of false positive/issues with PHP scripts (SupportPal, etc)

    rules/REQUEST-43-APPLICATION-ATTACK-SESSION-FIXATION.conf
    Disable

    rules/REQUEST-49-BLOCKING-EVALUATION.conf
    Enable - Doesn't seem to cause issues

    rules/RESPONSE-50-DATA-LEAKAGES-IIS.conf
    Disable - unless using Microsoft IIS

    rules/RESPONSE-50-DATA-LEAKAGES-JAVA.conf
    Disable

    rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf
    Enable - Doesn't seem to cause issues

    rules/RESPONSE-50-DATA-LEAKAGES.conf
    Disable

    rules/RESPONSE-51-DATA-LEAKAGES-SQL.conf
    Enable - Doesn't seem to cause issues

    rules/RESPONSE-59-BLOCKING-EVALUATION.conf
    Enable - Doesn't seem to cause issues

    rules/RESPONSE-80-CORRELATION.conf
    Enable - Doesn't seem to cause issues


    Would really appreciate if others could contribute so we can find the best way to eliminate malware, attacks, etc.
     
    #1 oSM, Dec 26, 2016
    Last edited by a moderator: Dec 26, 2016
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,769
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. jfall123

    jfall123 Well-Known Member

    Joined:
    Oct 31, 2005
    Messages:
    55
    Likes Received:
    2
    Trophy Points:
    158
    I've had the best luck so far with comodo waf rules
     
Loading...

Share This Page