Free mod_security rules!

Nope. I ran it from root and the error occurred after connecting to waf. Anyway, now it seems to work.

Thanks Comodo for offering this service for free! The admin guide of the WAF states "Currently CWAF is designed for and has been tested on Apache on Linux servers. The firewall versions for other server types are coming shortly." Does anyone know about the compatibility of the rules with nginx? And is there a chance that the rules will also be tested on nginx in the future?

To quote the VP, this is a huge f-ing deal. Glad I found this after a year of occasional searching. Gotroot left low margin hosts to the wolves with no warning.

one by one we are testing with it all. next is litespeed, then nginx.

That’s good news, thanks!

First, thank you for providing this. Finding a good set of baseline rules that don’t create a bunch of false neg/pos is always difficult.

Are most of you switching from OWASP CRS to Comodo or are you starting new? I’m curious how the Comodo ruleset compares to the CRS. There is a separate post comparing performance against commercial/paid rules, and I thought it interesting there was a column for “no rules” (why run mod_security w/out rules?).

However, I’m more interested in comparing against CRS. IMO, CRS is sorta the baseline, especially in the free realm.

I’m new to this. I’m not running cPanel or anything, just straight-up Apache 2.2.x and mod_security 2.8. Until now, I was just using CRS/2.2.9.

If anyone has any opinion on Comodo free rules vs the OWASP CRS rules, I’d greatly appreciate hearing your take on both.

Thank you,
PH

Hello :slight_smile:

I also have Mod Security 2.8 and I get a warning message after starting the installation saying that it had not been tested with mod security 2.08 - now I’m wondering, is it ok to install despite the warning message, or do I use the OWASP rules?

I’d appreciate it if someone could please tell me if it’s ok to use with Mod Security 2.8.

Modsecurity 2.8.0 works with Comodo rules.

Hi,
Are these just the core rules or Comodo’s own rules?
Can anyone here using these rules on a cpanel server comment on their usefulness please?

Hi crownhost,

Comodo has its own rules; at this phase they contain reprocessed core rules with reduced false positives as part of the CWAF rules.

Thanks for the info TDmitry. Why do the files state they are just modified from the CRS? And why are the rule IDs in the reserved ID range for modsecurity.org?

I’ve been wondering also about these rules viz modsec. Also if this is compatible with default rules installed via cPanel/WHM. Been having all sorts of problems with modsec, plugins and mod_ruid…

Please reformat your first question, it is not clear to me.
We are using the proper ID range reserved for COMODO; you can check it here:

I’d like to switch from using the Atomic (discontinued free version) rule set to Comodo. However if I remember right, isn’t the modsecurity from Atomic their own custom version? If that’s the case, do I need to uninstall their modsecurity and reinstall the vanilla version in order to use your rules?

You don’t need to uninstall modsecurity.
Just download our rules from Free ModSecurity Rules from Comodo (sections “Download the latest rules” or “Download full rule set”) and try to use them.

Thank you, I have swapped the rules in. Naturally I had to make a few configuration adjustments. All seems to be working so far.

The Atomic rules were producing far too many false positives for legitimate CMS users. Hoping these rules can be effective without the need for an ever growing whitelist.

we are always here to help you.

please come and tell us whatever you need, we will do our best to serve you.

thanks

Melih

Thanks Melih,

So far I’m loving the CMS bruteforce protection, since that seems to be a 7/24 issue.

A couple of things I’m struggling with.

  1. My whitelist setup from Atomic quit working when I upgraded to mod_security 2.8. Could you offer some guidance on setting up an IP whitelist?

  2. How do I disable rules causing a problem?

I’ve read different instructions on both of these, but they assume I have configuration files in place that I don’t since my installation is from Atomic.

Brian

Hello Brian

To bring the Atomic whitelist (located at /etc/asl/whitelist) back into action, add the following rule to the modsecurity config file. I found it in the Atomic rules file 00_asl_whitelist.conf, so I hope it will work.

```apache
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
```

Note: the forum engine escapes the “commercial at” sign, so the original post wrote it as [at]; the rule needs the literal @ shown above.

To disable problematic rules, add their IDs to an exclude file (for example my_excludes.conf) containing the following lines:

```apache
<LocationMatch .*>
SecRuleRemoveById 210800 230041 230040
</LocationMatch>
```

Here 210800, 230041, 230040 are the rule IDs to be excluded.

Include this file in the modsecurity config file AFTER all rules are loaded. For example:

```apache
<IfModule mod_security2.c>
SecRuleEngine On
.......
# whitelist IP
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# load COMODO rules
Include "/opt/comodo/rules/*.conf"
# load exclude config
Include "/opt/comodo/my_excludes.conf"
</IfModule>
```

Restart Apache for the changes to take effect.
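Two things in the setup above are easy to get wrong and fail silently: the whitelist rule sets `ctl:ruleEngine=Off` for every client that matches `/etc/asl/whitelist`, so a typo or an over-broad CIDR in that file either breaks Apache startup or exempts far more clients than intended; and `SecRuleRemoveById` only removes rules that have already been loaded, so including `my_excludes.conf` before the Comodo rules leaves the "excluded" rules active. The following script is an added example (not Comodo's or Atomic's tooling) that checks both before you restart Apache. The whitelist and config contents are constructed inline and mirror the post's layout; the paths and the "too wide" thresholds (/16 for IPv4, /48 for IPv6) are assumptions you would adjust for your own site.

```python
"""Sanity-check a mod_security IP whitelist and the Include ordering of a
mod_security config (constructed example; file contents embedded inline)."""
import ipaddress
import re

# Constructed whitelist in the one-entry-per-line format @ipMatchFromFile reads.
# 0.0.0.0/0 and 10.0.0.999 are deliberately bad entries.
WHITELIST = """\
# office and monitoring hosts (constructed sample)
203.0.113.10
198.51.100.0/24
2001:db8:1::/48
0.0.0.0/0
10.0.0.999
"""

# Constructed config mirroring the post: rules loaded, then the exclude file.
CONFIG_OK = """\
<IfModule mod_security2.c>
SecRuleEngine On
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
Include "/opt/comodo/rules/*.conf"
Include "/opt/comodo/my_excludes.conf"
</IfModule>
"""

# Same config with the exclude file included before the rules it should remove.
CONFIG_BAD = """\
<IfModule mod_security2.c>
SecRuleEngine On
Include "/opt/comodo/my_excludes.conf"
Include "/opt/comodo/rules/*.conf"
</IfModule>
"""


def check_whitelist(text):
    """Return (valid_networks, problems).

    Every non-comment line is parsed as an address or CIDR network. Lines that
    do not parse are reported (they would stop Apache from starting), and
    networks wider than the assumed thresholds are reported because each match
    turns the rule engine off entirely for that client."""
    valid, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop '#' comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, line, "not a valid IP address or CIDR"))
            continue
        limit = 16 if net.version == 4 else 48   # assumed "too wide" thresholds
        if net.prefixlen < limit:
            problems.append((lineno, line, f"wider than /{limit}: bypasses all inspection"))
            continue
        valid.append(net)
    return valid, problems


INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)


def check_include_order(config, rules_glob="/opt/comodo/rules/*.conf",
                        excludes="/opt/comodo/my_excludes.conf"):
    """True when the exclude file is included after the rule set (both paths
    are the ones from the post). SecRuleRemoveById only affects rules already
    loaded, so the reverse order silently keeps the excluded rules active."""
    positions = {}
    for lineno, line in enumerate(config.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if m:
            positions.setdefault(m.group(1), lineno)
    if rules_glob not in positions or excludes not in positions:
        return False
    return positions[excludes] > positions[rules_glob]


if __name__ == "__main__":
    valid, problems = check_whitelist(WHITELIST)
    print("whitelisted networks:", [str(n) for n in valid])
    for lineno, entry, why in problems:
        print(f"whitelist line {lineno}: {entry!r}: {why}")
    print("include order ok (good config):", check_include_order(CONFIG_OK))
    print("include order ok (bad config): ", check_include_order(CONFIG_BAD))
```

Run it against your real files by reading `/etc/asl/whitelist` and the modsecurity config into the two strings; the ordering check only looks at `Include` lines, so a config that pulls the rules in through a nested include would need the nested file's lines concatenated in load order first.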