Author Topic: Free mod_security rules!  (Read 16090 times)

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 365
Re: Free mod_security rules!
« Reply #30 on: July 02, 2014, 05:03:07 AM »
Hi,
Are these just the core rules or Comodo's own rules?
Can anyone here using these rules on a cpanel server comment on their usefulness please?

Hi crownhost,

Comodo has its own rules; at this phase they contain reprocessed core rules with reduced false positives as part of the CWAF rules.
« Last Edit: July 02, 2014, 05:05:02 AM by TDmitry »

Offline crownhost

  • Newbie
  • *
  • Posts: 11
Re: Free mod_security rules!
« Reply #31 on: July 02, 2014, 08:00:43 AM »
Thanks for the info TDmitry. Why do the files state they are just modified from the CRS? And why are the rule IDs in the reserved ID range for modsecurity.org?
« Last Edit: July 02, 2014, 12:33:12 PM by crownhost »

Offline sonicthoughts

  • Newbie
  • *
  • Posts: 2
Re: Free mod_security rules!
« Reply #32 on: July 02, 2014, 10:27:14 PM »
I've been wondering also about these rules viz modsec. Also if this is compatible with default rules installed via CPANEL/WHM. Been having all sorts of problems with modsec, plugins and mod_ruid....

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 365
Re: Free mod_security rules!
« Reply #33 on: July 03, 2014, 05:23:06 AM »
Thanks for the info TDmitry. Why do the files state they are just modified from the CRS? And why are the rule IDs in the reserved ID range for modsecurity.org?
Please reformat your first question; it is not clear to me.
We are using the proper ID range reserved for COMODO; you can check it here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id

Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: Free mod_security rules!
« Reply #34 on: August 29, 2014, 08:42:23 AM »
I'd like to switch from using the Atomic (discontinued free version) rule set to Comodo.  However if I remember right, isn't the modsecurity from Atomic their own custom version? If that's the case, do I need to uninstall their modsecurity and reinstall the vanilla version in order to use your rules?

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: Free mod_security rules!
« Reply #35 on: August 29, 2014, 10:29:43 AM »
You don't need to uninstall modsecurity.
Just download our rules from https://waf.comodo.com/user/cwaf_revisions (sections "Download the latest rules" or "Download full rule set") and try to use them.

Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: Free mod_security rules!
« Reply #36 on: September 02, 2014, 07:27:40 PM »
You don't need to uninstall modsecurity.
Just download our rules from https://waf.comodo.com/user/cwaf_revisions (sections "Download the latest rules" or "Download full rule set") and try to use them.
Thank you, I have swapped the rules in. Naturally I had to make a few configuration adjustments. All seems to be working so far.

The Atomic rules were producing far too many false positives for legitimate CMS users. Hoping these rules can be effective without the need for an ever growing whitelist.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14623
    • Video Blog
Re: Free mod_security rules!
« Reply #37 on: September 02, 2014, 08:54:43 PM »
Thank you, I have swapped the rules in. Naturally I had to make a few configuration adjustments. All seems to be working so far.

The Atomic rules were producing far too many false positives for legitimate CMS users. Hoping these rules can be effective without the need for an ever growing whitelist.

We are always here to help you.

Please come and tell us whatever you need, we will do our best to serve you.

Thanks

Melih

Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: Free mod_security rules!
« Reply #38 on: September 11, 2014, 03:04:46 PM »
Thanks Melih,

So far I'm loving the CMS bruteforce protection, since that seems to be a 7/24 issue.

Couple things I'm struggling with.

1) My whitelist setup from Atomic quit working when I upgraded to mod_security 2.8. Could you offer some guidance on setting up an IP whitelist?

2) How do I disable rules causing a problem?

I've read different instructions on both of these, but they assume I have configuration files in place that I don't since my installation is from Atomic.

Brian

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 275
Re: Free mod_security rules!
« Reply #39 on: September 12, 2014, 04:46:07 AM »
Hello Brian

To bring the Atomic whitelist (located at /etc/asl/whitelist) back into action, add the following rule to the modsecurity config file. I found it in the Atomic rules file 00_asl_whitelist.conf, so I hope it will work.

Code:
SecRule REMOTE_ADDR "[at]ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

Note: replace [at] with the "commercial at" sign because the forum engine escapes it.

To disable problematic rules, add their IDs to an exclude file (for example my_excludes.conf) containing the following lines:
Code:
<LocationMatch .*>
SecRuleRemoveById 210800 230041 230040
</LocationMatch>
Here 210800, 230041, 230040 are the rule IDs to be excluded.

Include this file in the modsecurity config file AFTER all rules are loaded. For example:
Code:
<IfModule mod_security2.c>
SecRuleEngine On
.......
# whitelist IP
SecRule REMOTE_ADDR "[at]ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# load COMODO rules
Include "/opt/comodo/rules/*.conf"
# load exclude config
Include "/opt/comodo/my_excludes.conf"
</IfModule>

Restart Apache for the changes to take effect.
« Last Edit: September 12, 2014, 05:10:32 AM by oleg.tsygany »

Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: Free mod_security rules!
« Reply #40 on: September 19, 2014, 10:14:45 AM »
Thanks, guess I'm not subscribed to the thread and didn't receive a notification of your reply.

Actually I had already added 00_asl_whitelist.conf to the rule set, however I get the error below even though there are not any other rule IDs with the same number. Line 33 is the same as you had suggested.

[root[at]server modsecurity.d]# httpd -t
Syntax error on line 33 of /etc/httpd/modsecurity.d/00_asl_whitelist.conf:
ModSecurity: Found another rule with the same id

EDIT: I discovered that the way I had it set up, 00_asl_whitelist.conf was being loaded twice. I've got it fixed now and the whitelist should be working.

Thank you for your input and causing me to reexamine my setup.
« Last Edit: September 19, 2014, 10:40:01 AM by webwzrd »
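
An added example, not part of the original posts or Comodo's tooling: a small Python check for the two configuration points in this exchange, the "Found another rule with the same id" error caused by a file being loaded twice, and the requirement that the exclude file is loaded after the rules it removes. The rule bodies and the file name rules.conf are constructed, and the load order is supplied by hand as an assumption rather than parsed from Apache's Include directives.

```python
import re

ID_RE = re.compile(r"""[\s,"]id:'?(\d+)'?""")
REMOVE_RE = re.compile(r"\s*SecRuleRemoveById\s+(.+)$")

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\\r?\n", " ", text)
    return [l for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(load_order):
    """Walk (file, text) pairs in load order; return (duplicates, ineffective)."""
    seen, duplicates, ineffective = {}, [], []
    for name, text in load_order:
        for line in logical_lines(text):
            removal = REMOVE_RE.match(line)
            if removal:
                # IDs or ranges (lo-hi); a removal only affects rules already loaded.
                for target in removal.group(1).replace('"', "").split():
                    lo, _, hi = target.partition("-")
                    if not any(int(lo) <= rid <= int(hi or lo) for rid in seen):
                        ineffective.append((name, target))
            elif re.match(r"\s*Sec(Rule|Action)\b", line):
                for rid in map(int, ID_RE.findall(line)):
                    if rid in seen:
                        duplicates.append((rid, seen[rid], name))
                    seen.setdefault(rid, name)
    return duplicates, ineffective

# Constructed sample files (rule bodies are placeholders, not Comodo's rules).
WHITELIST = ("00_asl_whitelist.conf",
             'SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" '
             '"rev:1,id:345678,phase:1,t:none,nolog,allow"')
RULES = ("rules.conf",
         'SecRule ARGS "@rx demo1" "id:210800,phase:2,deny"\n'
         'SecRule ARGS "@rx demo2" \\\n    "id:\'230041\',phase:2,deny"')
EXCLUDES = ("my_excludes.conf",
            "<LocationMatch .*>\nSecRuleRemoveById 210800 230041\n</LocationMatch>")

BROKEN = [WHITELIST, EXCLUDES, RULES, WHITELIST]  # excludes early, whitelist twice
FIXED = [WHITELIST, RULES, EXCLUDES]

if __name__ == "__main__":
    for label, order in (("broken", BROKEN), ("fixed", FIXED)):
        dups, noop = audit(order)
        print(label, "duplicates:", dups, "ineffective removals:", noop)
```
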

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 338
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14623
    • Video Blog
Re: Free mod_security rules!
« Reply #43 on: September 18, 2016, 08:49:55 PM »

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 338
Re: Free mod_security rules!
« Reply #44 on: April 12, 2017, 02:51:48 AM »
Our engineers prepared an interesting article about how Comodo mod_security rules will protect your web servers against attack.

https://blog.comodo.com/it-security/learn-comodo-mod_security-rules-will-protect-web-servers-attack-free/
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

 
