PDA

View Full Version : ModSecurity ASL rule set



Fli
05-29-2014, 08:47 PM
DL
127


Extract that (they're in a folder called "modsec") so extract it to like /usr/local/apache/conf/modsec/


Make the directory for /etc/asl and the file /etc/asl/whitelist




mkdir /etc/asl
touch /etc/asl/whitelist



You can put IP addresses, one per line, into that file to whitelist them from modsecurity (visitor addresses, like you or your dev or something)


Then use this for /usr/local/apache/conf/modsec2.user.conf (I don't use every rules file just the ones I like):




SecRequestBodyAccess On
SecDataDir /var/tmp
SecTmpDir /var/tmp
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
Include "/usr/local/apache/conf/modsec/00_asl_whitelist.conf"
Include "/usr/local/apache/conf/modsec/05_asl_exclude.conf"
Include "/usr/local/apache/conf/modsec/10_asl_antimalware.conf"
Include "/usr/local/apache/conf/modsec/10_asl_rules.conf"
Include "/usr/local/apache/conf/modsec/11_asl_data_loss.conf"
Include "/usr/local/apache/conf/modsec/20_asl_useragents.conf"
Include "/usr/local/apache/conf/modsec/30_asl_antispam.conf"
Include "/usr/local/apache/conf/modsec/30_asl_antispam_referrer.conf"
Include "/usr/local/apache/conf/modsec/40_asl_apache2-rules.conf"
Include "/usr/local/apache/conf/modsec/50_asl_rootkits.conf"
Include "/usr/local/apache/conf/modsec/60_asl_recons.conf"
Include "/usr/local/apache/conf/modsec/99_asl_exclude.conf"
Include "/usr/local/apache/conf/modsec/99_asl_jitp.conf"
Include "/usr/local/apache/conf/modsec/99_asl_redactor.conf"



You can also Include something like /usr/local/apache/conf/modsec2/99_your_whitelist.conf. The 00_asl_whitelist is for including the IP file /etc/asl/whitelist.


I have had very good luck with these rules with very little false positives.


Good luck!