Rules for mod_security2

casey

I used to use Hostmerit's ruleset for mod_security, but it won't work with mod_security2. Does anyone know of some good rulesets for mod_security2? I tried the ones on gotroot.org, but they end up breaking apache so that it throws 500 errors for everything.
 

nyjimbo

We had so many custom rules under modsecurity_1 and then they go and totally re-write the modsecurity_2 rule syntax. I spent a couple hours playing with it and gave up and just installed the rules they provide:

http://www.modsecurity.org/download/direct.html

We had to go in and disable a few things for frontpage and whatnot but I just couldn't deal with all the rewriting of my old stuff.
 

swampy

nyjimbo, did you have any problems with the default rules? I am having this problem:

2007-09-14 15:43:11 ::1 / HTTP/1.0 Access denied with code 406 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] 406

But I do not know who the client ::1 is. There is no IP either, so I think it must be something running on the server. Have you got any ideas?

I get this in respect to this client in the Apache error logs; not sure if it is related:

[info] [client ::1] (32)Broken pipe: core_output_filter: writing data to the network

thanks
Mark
 

cooldude7273

gotroot.com has a ton of rules of mod_sec 2
 

casey

Well, I installed the rules on the mod_security website, and I get this error:
Error creating rule: Unknown variable: XML

The only thing I could find on Google was an apache forum where someone was complaining that libxml was not being installed, but I have libxml2.so.
 

casey

We had so many custom rules under modsecurity_1 and then they go and totally re-write the modsecurity_2 rule syntax. I spent a couple hours playing with it and gave up and just installed the rules they provide:

http://www.modsecurity.org/download/direct.html

We had to go in and disable a few things for frontpage and whatnot but I just couldn't deal with all the rewriting of my old stuff.
Thanks for the link.
 

casey

Well, I installed the rules on the mod_security website, and I get this error:
Error creating rule: Unknown variable: XML

The only thing I could find on Google was an apache forum where someone was complaining that libxml was not being installed, but I have libxml2.so.
In the meantime, I deleted the lines that included xml:* and everything works. It has to be something with the way that libxml is being compiled...
 

casey

I just looked at the Makefile in the mod_security installation directory. It does not include the DEFS = -DWITH_LIBXML2 line. Is this an oversight by the cPanel team, or is it intentional?
 

PPNSteve


jameshsi

What does apache configtest say?

We didn't encounter that problem on all our servers...
I have tried the rules. I was in PuTTY and used the command line to edit the file and paste all the rules into the modsec2.user.conf file. I failed to restart Apache because some lines were wrapped; maybe his problem is caused by that.

After using configserver's CSF interface in WHM to edit the file and submit again, apache runs fine on my box.

Thanks.
 

bazzi

a little tip:

When you start Pico, you can include a command that will turn off word wrap and allow you to edit long lines. To do this, at the Unix prompt, enter:
pico -w filename
 

jameshsi

I found a lot of warnings in the mod_security logs like this:

Pattern match "/_vti_bin/" at REQUEST_LINE

I wonder if we should disable it or not?
 

activa

I have the same issue, and I have removed this line from the mod_security config and it works perfectly now.


Code:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
maybe this will help others ...
 

lehels

I have the same issue, and I have removed this line from the mod_security config and it works perfectly now.


Code:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
maybe this will help others ...
This is not really a solution to the "UTF8 Encoding Abuse Attack Attempt" modsec2 rule, which is marked: Typical Severity: High
[http://capec.mitre.org/data/definitions/80.html]

In our case the rule is caught by a word containing the letters "ö, ü", as in: K%F6sz%F6nj%FCk

Any other suggestions besides deactivating that rule or deactivating mod_sec for that domain?
In other words, how do we pass those letters?

Thank you,
Lehel
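
Added example, not part of the thread and not ModSecurity's own code: it approximates the check behind rule 950801 with Python's strict UTF-8 decoder to show why the value quoted in the post above is rejected and what the same word looks like when sent as UTF-8. The legacy charset (ISO-8859-2) and the function names are assumptions made for the illustration.

```python
from urllib.parse import quote, unquote_to_bytes


def first_invalid_utf8(raw: bytes):
    """Return (offset, byte) of the first byte that breaks strict UTF-8, else None."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start, raw[exc.start]
    return None


def diagnose(encoded: str, legacy_charset: str = "iso-8859-2") -> dict:
    """Percent-decode a request value and report whether its bytes are valid UTF-8.

    legacy_charset is an assumption about the page that produced the value;
    it is only used to show the text a single-byte charset would have meant.
    """
    raw = unquote_to_bytes(encoded)
    bad = first_invalid_utf8(raw)
    if bad is None:
        return {"valid_utf8": True, "text": raw.decode("utf-8")}
    offset, byte = bad
    text = raw.decode(legacy_charset)
    return {
        "valid_utf8": False,
        "offset": offset,                    # index of the offending byte
        "byte": hex(byte),                   # e.g. 0xf6 can never start a UTF-8 sequence
        "legacy_text": text,                 # reading under the assumed legacy charset
        "utf8_form": quote(text, safe=""),   # same text percent-encoded as UTF-8
    }


if __name__ == "__main__":
    samples = (
        "K%F6sz%F6nj%FCk",           # value from the post: single-byte ö / ü
        "K%C3%B6sz%C3%B6nj%C3%BCk",  # constructed: the same word sent as UTF-8
        "%C0%AF",                    # constructed: overlong form, the kind of input the rule exists to stop
    )
    for sample in samples:
        print(sample, "->", diagnose(sample))
```

The first sample fails at offset 1 because 0xF6 is a single-byte code for "ö", while the second passes; a form that submits as UTF-8 produces the second shape.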