slowloris rule conflict

[jimlongo]

Hi, back again with a new server, tried to insert the slowloris rule for mod sec along with the latest free atomic rules and cannot get Apache to restart. Once I remove the 88_slowloris.conf file from modsec2.user.conf then Apache starts.

one of the errors was
Syntax error on line 1 of /usr/local/apache/conf/modsec_rules/88_slowloris.conf:
ModSecurity: Found another rule with the same id

 

[24x7server]

Your new mod_sec rule ID is getting conflict with another available rule on server. I would suggest you to update the rule ID to fix this issue.

 

[cPanelMichael]

Hello

Check to make sure you have no other rules in place, or that you are using an empty ruleset to start with.

Thank you.

 

[quizknows]

Hello

Check to make sure you have no other rules in place, or that you are using an empty ruleset to start with.

Thank you.

Sorry man but this is horrible advice... delete all of his WAF rules to make one work? That's not advisable at all. He just needs to change the numeric ID of the rule he's adding, or make sure that rule isn't already active in another config file.

@jimlongo, modsec rules will look similar to this:

SecRule SOME_ATTRIBUTE "some regex" "deny,log,id:1234"

Just change 1234 to some other random number to avoid the duplicate ID error. Also you can check with "httpd configtest" before restarting apache to make sure the syntax passes, so you won't bring down your webserver. If you see "Syntax OK" then you're good to go.

 

[cPanelMichael]

I should clarify that I do not recommend the original poster remove all their existing rules to get this single rule to work. The original poster mentioned setting up a new server and implementing the Atomic Mod_Security rules. Per the installation instructions for the Atomic Mod_Security rules:

Step 9: Install the rules
[edit] Remove any previous installations of rules
If you have installed our delayed rules, you will need to make sure you have deleted them. You will not want to have any older versions of the rules installed.
Also, if you have installed any third party modsecurity rules, you will want to make sure they are using rule id's that are assigned to them. The modsecurity project assigns ranges to the rule id's modsecurity uses. Modsecurity requires a unique id for each rule, otherwise you will get an error like this:
ModSecurity: Found another rule with the same id
This means either that someone else is using the same rule id's assigned to our ruleset by the modsecurity project (our official range is 300000-399999), or you have loaded our rules twice.

I'm simply suggesting they start with a clean ruleset before implementing the custom Atomic ruleset. At that point, or even in place of that step, renaming the rule ID is the resolution for adding the additional rule.

Thank you.

 

[quizknows]

That makes more sense. I interpreted your post the way I did because his post was about adding the one rule to the atomicorp rules (Which he implied were already running), and not a problem with installing the entire atomicorp ruleset.