Author Topic: OWASP CRS v4.15.0 Just Release  (Read 897 times)

Re: OWASP CRS v4.15.0 Just Release
« Reply #15 on: July 05, 2025, 04:21:46 AM »
In order to support an e-commerce site and a service industry site, here's a couple more rules I had to add to the WordPress section of the disabled rules files:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
Code:
SecRuleRemoveById 981172
SecRuleRemoveById 981319

Re: OWASP CRS v4.15.0 Just Release
« Reply #16 on: July 08, 2025, 10:43:02 AM »
That's very helpful because I plan to update the OWASP rules to the latest version and we are hosting various websites.

Thanks.

Re: OWASP CRS v4.15.0 Just Release
« Reply #17 on: July 14, 2025, 09:19:21 AM »
Hi,

Many thanks to Starburst, but should I merge the two in the rbl.conf file?
https://prnt.sc/9Tp9vbYKVfdk

BR
Venty

Re: OWASP CRS v4.15.0 Just Release
« Reply #18 on: July 14, 2025, 01:35:04 PM »
You can do it any way you like for your system setup, as long as ModSecurity reads the .conf.

Re: OWASP CRS v4.15.0 Just Release
« Reply #19 on: September 01, 2025, 05:30:06 AM »
Someone has to include 2 very critical details on these guides:

1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.


2) the mod_security.conf file is getting overwritten occasionally by the CWP Security daemon, replacing the custom OWASP ruleset path with the default path and causing chaos on the server.

My solution was to make it immutable with
Code:
# +i sets the immutable attribute; chattr -i clears it again before editing
sudo chattr +i /usr/local/apache/conf.d/mod_security.conf
but then the user MUST remember to remove this flag for any future update/edit.

I hope this helps.

Feel free to let me know if I missed something or share this with AlphaGNU and Starburst.

Re: OWASP CRS v4.15.0 Just Release
« Reply #20 on: September 01, 2025, 03:57:39 PM »
Quote
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.

My solution to that was to also strictly enumerate the file the GUI calls for in /usr/local/apache/modsecurity-owasp-old/owasp.conf:
Code:
Include /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

Re: OWASP CRS v4.15.0 Just Release
« Reply #21 on: September 01, 2025, 04:03:51 PM »
You should have any customized .conf for OWASP in one of their respective folders, so there is a very low chance of them being overwritten:

Quote
/usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/after/*.conf

Re: OWASP CRS v4.15.0 Just Release
« Reply #22 on: September 01, 2025, 04:58:11 PM »
Quote
Someone has to include 2 very critical details on these guides:

1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.

[...]

I hope this helps.

Hi,

for me the file global_disabled_rules.conf is in the folder:

/usr/local/apache/modsecurity-rules/custom-rules/before

and it also doesn't work?

Re: OWASP CRS v4.15.0 Just Release
« Reply #23 on: September 01, 2025, 05:15:10 PM »
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.

Re: OWASP CRS v4.15.0 Just Release
« Reply #24 on: September 01, 2025, 05:49:54 PM »
Quote
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.

I didn't understand it... "Include" - in which file?

Re: OWASP CRS v4.15.0 Just Release
« Reply #25 on: September 01, 2025, 10:23:03 PM »
The main conf file.
Usually - /usr/local/apache/conf.d/mod_security.conf

This will have the .conf that contains all the paths - /usr/local/apache/modsecurity-rules/modsec.conf

But the .conf can be called anything.

That .conf file will have the Includes; below is just an example.

Include /usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
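The question running through Replies #19 to #25 is which global_disabled_rules.conf ModSecurity actually loads. As an added example (not from the thread, CWP or the CRS project), this script follows the Include chain from the main conf and reports whether a given file is reached; it assumes absolute paths in Include lines, as in the thread, and uses the paths named there as defaults.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: follow the Include chain from the main
# ModSecurity conf and check whether a given file is actually reached.
# Assumes absolute paths in Include lines; default paths are the thread's.

# resolve_includes ROOT SEEN
#   Prints ROOT and every file reached from it through Include/IncludeOptional
#   lines (shell globs expanded). SEEN is a '|'-separated list of ancestors,
#   used to stop on include cycles (paths are assumed not to contain '|').
resolve_includes() {
    local root="$1" seen="$2" pattern f
    [ -f "$root" ] || return 0               # missing file or unmatched glob literal
    case "|$seen|" in *"|$root|"*) return 0 ;; esac
    seen="$seen|$root"
    printf '%s\n' "$root"
    # Keep only the path argument of each Include line; commented lines are skipped.
    grep -E '^[[:space:]]*[Ii]nclude(Optional)?[[:space:]]+' "$root" \
      | sed -E 's/^[[:space:]]*[Ii]nclude(Optional)?[[:space:]]+//; s/[[:space:]]+$//; s/"//g' \
      | while IFS= read -r pattern; do
            for f in $pattern; do            # unquoted on purpose: expand the glob
                resolve_includes "$f" "$seen"
            done
        done
}

# is_included MAIN_CONF FILE -> exit 0 if FILE is reached from MAIN_CONF, else 1
is_included() {
    resolve_includes "$1" "" | grep -xF -- "$2" >/dev/null
}

# report MAIN_CONF FILE -> prints whether the GUI-edited file is really loaded
report() {
    if is_included "$1" "$2"; then
        echo "OK: $2 is reached from $1"
    else
        echo "WARNING: $2 is not included; edits to it in the CWP GUI have no effect"
    fi
    return 0
}

report "${1:-/usr/local/apache/conf.d/mod_security.conf}" \
       "${2:-/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf}"
```

Run it with the main conf and the file in question as the two arguments; `resolve_includes "$main_conf" ""` alone lists every file ModSecurity will read, which also shows whether a custom-rules/before file and the GUI's owasp-old file are both in the chain.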