Rules for mod_security2

[casey]

I used to use Hostmerit's ruleset for mod_security, but it won't work with mod_security2. Does anyone know of some good rulesets for mod_security2? I tried the ones on gotroot.org, but they end up breaking apache so that it throws 500 errors for everything.

 

[nyjimbo]

We had so many custom rules under modsecurity_1 and then they go and totally re-write the modsecurity_2 rule syntax. I spent a couple hours playing with it and gave up and just installed the rules they provide:

http://www.modsecurity.org/download/direct.html

We had to go in and disable a few things for frontpage and whatnot but I just couldnt deal with all the rewriting of my old stuff.

 

[swampy]

nyjimbo did you have any problems with the default rules, I am having this problem

2007-09-14 15:43:11 ::1 / HTTP/1.0 Access denied with code 406 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] 406

but i do not know who the client ::1 is there is no ip either so I think it must be something running on the server have you got any ideas

i get this in respect to this client in apache error logs not sure if it is related

[info] [client ::1] (32)Broken pipe: core_output_filter: writing data to the network

thanks
Mark

 

[cPanelBilly]

gotroot.com has a ton of rules of mod_sec 2

Just remember approx 90% will break cPAnel / Frontpage / Your clients scripts functionality. Double check every rle you put in and know what it does.

 

[cooldude7273]

gotroot.com has a ton of rules of mod_sec 2

 

[casey]

Well, I installed the rules on the mod_security website, and I get this error:
Error creating rule: Unknown variable: XML

The only thing I could find on Google was an apache forum where someone was complaining that libxml was not being installed, but I have libxml2.so.

 

[casey]

We had so many custom rules under modsecurity_1 and then they go and totally re-write the modsecurity_2 rule syntax. I spent a couple hours playing with it and gave up and just installed the rules they provide:

http://www.modsecurity.org/download/direct.html

We had to go in and disable a few things for frontpage and whatnot but I just couldnt deal with all the rewriting of my old stuff.

Thanks for the link.

 

[casey]

Well, I installed the rules on the mod_security website, and I get this error:
Error creating rule: Unknown variable: XML

The only thing I could find on Google was an apache forum where someone was complaining that libxml was not being installed, but I have libxml2.so.

In the meantime, I deleted the lines that included xml:* and everything works. It has to be something with the way that libxml is being compiled...

 

[casey]

I just looked at the Makefile in the mod_security installation directory. It does not include the DEFS = -DWITH_LIBXML2 line. Is this an oversight by the cPanel team, or is it intentional?

 

[bazzi]

I have transleted the Mod_security rules from Kris S. - HostMerit.com to the mod_security2

You can download it here:
http://www.TimmiT.nl/modsec2.user.conf

Please report if I transleted something wrong.

 

[PPNSteve]

I have transleted the Mod_security rules from Kris S. - HostMerit.com to the mod_security2

You can download it here:
http://www.TimmiT.nl/modsec2.user.conf

Please report if I transleted something wrong.

apache won't restart with this rule set running

 

[internetfab]

Anyone got any good modsec2 rules? Seems that gotroot.com is more or less missing in action - no updates for a year or so and no posts on the forum for a good while.

 

[bazzi]

apache won't restart with this rule set running

What does apache configtest say?

We didn't encounter that problem on all our servers...

 

[jameshsi]

What does apache configtest say?

We didn't encounter that problem on all our servers...

I have try the rules and I was in the putty and use command line edit the file and paste all the rules to the modsec2.user.conf file, I failed restart apache cause there are some lines wraped, maybe his problem is caused by that.

After using configserver's CSF interface in WHM to edit the file and submit again, apache runs fine on my box.

Thanks.

 

[bazzi]

a little tip:

When you start Pico, you can include a command that will turn off word wrap and allow you to edit long lines. To do this, at the Unix prompt, enter:
pico -w filename

 

[jameshsi]

I found a lot of warning in mod_security logs like this:

Pattern match "/_vti_bin/" at REQUEST_LINE

I wonder if we should disable it or not ?

 

[casey]

I have transleted the Mod_security rules from Kris S. - HostMerit.com to the mod_security2

You can download it here:
http://www.TimmiT.nl/modsec2.user.conf

Please report if I transleted something wrong.

Thank you for doing that. I have since switched back to Apache 1, but I'll give these rules a go when I upgrade.

 

[activa]

i have the same isseu , and i have removed this line from mod_security config and it work now perfectly

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

maybe this will help others ...

 

[lehels]

i have the same isseu , and i have removed this line from mod_security config and it work now perfectly

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

maybe this will help others ...

This is not really a solution to "UTF8 Encoding Abuse Attack Attempt" modsec2 rule, being marked: Typical Severity: High
[http://capec.mitre.org/data/definitions/80.html]

In our case the rule is catched by a word containing letters: "ö, ü" as: K%F6sz%F6nj%FCk

Any other suggestions but deactivating that rule or deactivating mod_sec for that domain?
In other questions how do we pass those letters?

Thank you,
Lehel

 

[casey]

I have transleted the Mod_security rules from Kris S. - HostMerit.com to the mod_security2

You can download it here:
http://www.TimmiT.nl/modsec2.user.conf

Please report if I transleted something wrong.

Thanks, again, bazzi. I finally upgraded, and I'm using the rules you converted without a problem.