Author Topic: OWASP CRS v4.15.0 Just Release  (Read 1389 times)


Re: OWASP CRS v4.15.0 Just Release
« Reply #15 on: July 05, 2025, 04:21:46 AM »
In order to support an e-commerce site and a service industry site, here's a couple more rules I had to add to the WordPress section of the disabled rules files:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
Code: [Select]
SecRuleRemoveById 981172
SecRuleRemoveById 981319

Re: OWASP CRS v4.15.0 Just Release
« Reply #16 on: July 08, 2025, 10:43:02 AM »
That's very helpful because I plan to update the OWASP rules to the latest version and we are hosting various websites.

Thanks.
A global boutique AI consulting, marketing & advertising agency, helping businesses worldwide achieve success - headquartered in Singapore, Southeast Asia.

Re: OWASP CRS v4.15.0 Just Release
« Reply #17 on: July 14, 2025, 09:19:21 AM »
Hi,

Many thanks to Starburst...., but should I merge the two in the rbl.conf file?
https://prnt.sc/9Tp9vbYKVfdk

BR
Venty

Re: OWASP CRS v4.15.0 Just Release
« Reply #18 on: July 14, 2025, 01:35:04 PM »
You can do it any way you like for your system setup.
As long as ModSecurity reads the .conf

Re: OWASP CRS v4.15.0 Just Release
« Reply #19 on: September 01, 2025, 05:30:06 AM »
Someone has to include 2 very critical details on these guides:

1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.


2) the mod_security.conf file is getting overwritten occasionally by the CWP Security daemon - replacing the custom OWASP ruleset path with the default path causing chaos on the server.

My solution was to make it immutable with
Code: [Select]
sudo chattr +i /usr/local/apache/conf.d/mod_security.conf
but then the user MUST remember to remove this flag for any future update/edit.

I hope this helps.

Feel free to let me know if I missed something or share this with AlphaGNU and Starburst.

Re: OWASP CRS v4.15.0 Just Release
« Reply #20 on: September 01, 2025, 03:57:39 PM »
Quote
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.

My solution to that was to also strictly enumerate the file the GUI calls for in /usr/local/apache/modsecurity-owasp-old/owasp.conf:
Code: [Select]
Include /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

Re: OWASP CRS v4.15.0 Just Release
« Reply #21 on: September 01, 2025, 04:03:51 PM »
You should have any customized .conf for OWASP in one of their respective folders, so there is a very low chance of them being overwritten:

Quote
/usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/after/*.conf



Re: OWASP CRS v4.15.0 Just Release
« Reply #22 on: September 01, 2025, 04:58:11 PM »
Quote
Someone has to include 2 very critical details on these guides:

1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same as the one that our customized mod_security is currently using.

No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.

--------------------------------------------------------------------------
I hope this helps.



Hi,

for me the file global_disabled_rules.conf is in the folder:

/usr/local/apache/modsecurity-rules/custom-rules/before

and it also doesn't work?

Re: OWASP CRS v4.15.0 Just Release
« Reply #23 on: September 01, 2025, 05:15:10 PM »
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.

Re: OWASP CRS v4.15.0 Just Release
« Reply #24 on: September 01, 2025, 05:49:54 PM »
Quote
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.

I didn't understand it... "Include" - in which file?

Re: OWASP CRS v4.15.0 Just Release
« Reply #25 on: September 01, 2025, 10:23:03 PM »
The main conf file.
Usually - /usr/local/apache/conf.d/mod_security.conf

This will have the .conf that contains all the paths - /usr/local/apache/modsecurity-rules/modsec.conf

But the .conf can be called anything.

In that .conf file it will have the Includes, below is just an Example.

Include /usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
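
Whether a given global_disabled_rules.conf is actually read depends on the Include chain described in this thread. The following is an added example, not part of any post and not CWP's own tooling: it walks Include/IncludeOptional lines from a main config and reports whether a file is loaded. The function names and the temporary sample tree are constructed for illustration, and it assumes absolute Include paths without spaces or colons.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes absolute Include paths
# without spaces or colons; paths are compared as plain strings.
# Print every config file reachable from the files given as arguments,
# following Include / IncludeOptional lines.
modsec_includes() {
    _seen=:
    while [ "$#" -gt 0 ]; do
        _file=$1; shift
        [ -f "$_file" ] || continue        # unmatched glob or missing file
        case $_seen in *":$_file:"*) continue ;; esac   # already visited
        _seen="$_seen$_file:"
        printf '%s\n' "$_file"
        # Unquoted on purpose: the shell expands globs such as *.conf.
        set -- "$@" $(awk 'tolower($1) ~ /^include(optional)?$/ {
            gsub(/"/, "", $2); print $2 }' "$_file")
    done
}

# Succeed when file $2 is loaded, directly or indirectly, from config $1.
modsec_is_loaded() {
    modsec_includes "$1" | grep -qxF -- "$2"
}

# Constructed sample tree mirroring the thread's layout; prints its root.
demo_tree() {
    _r=$(mktemp -d) || return 1
    mkdir -p "$_r/conf.d" "$_r/modsecurity-owasp-old" \
             "$_r/modsecurity-rules/custom-rules/before"
    echo "Include $_r/modsecurity-rules/modsec.conf" > "$_r/conf.d/mod_security.conf"
    cat > "$_r/modsecurity-rules/modsec.conf" <<EOF
# Include $_r/modsecurity-owasp-old/owasp.conf
Include $_r/modsecurity-rules/custom-rules/startup/*.conf
Include $_r/modsecurity-rules/custom-rules/before/*.conf
EOF
    echo "SecRuleRemoveById 981172" \
        > "$_r/modsecurity-rules/custom-rules/before/global_disabled_rules.conf"
    echo "SecRuleRemoveById 981319" \
        > "$_r/modsecurity-owasp-old/global_disabled_rules.conf"
    printf '%s\n' "$_r"
}

root=$(demo_tree)
for f in "$root/modsecurity-rules/custom-rules/before/global_disabled_rules.conf" \
         "$root/modsecurity-owasp-old/global_disabled_rules.conf"; do
    modsec_is_loaded "$root/conf.d/mod_security.conf" "$f" \
        && echo "loaded:     $f" || echo "NOT loaded: $f"
done
rm -rf "$root"
```

On a server, call `modsec_is_loaded /usr/local/apache/conf.d/mod_security.conf <file you are editing>`; a non-zero exit means rule removals in that file never reach ModSecurity.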

Re: OWASP CRS v4.15.0 Just Release
« Reply #26 on: September 03, 2025, 07:26:05 AM »
Hi, Overseer

Quote
My solution to that was to also strictly enumerate the file the GUI calls for in /usr/local/apache/modsecurity-owasp-old/owasp.conf:
Code: [Select]
Include /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

How are you achieving this?

Thank you

Re: OWASP CRS v4.15.0 Just Release
« Reply #27 on: September 03, 2025, 07:30:56 AM »
Hi, Starburst

Quote
You should have any customized .conf for OWASP in one of their respective folders, so there is a very low chance of them being overwritten:

Code: [Select]
/usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/after/*.conf

Of course I have those files under the /custom/ path however I'm referring to the "Include" file path inside the mod_security.conf file which points to the new OWASP ruleset.

This is the file that is getting overwritten by the CWP security daemon.

Code: [Select]
/usr/local/apache/conf.d/mod_security.conf
I hope this helps.

Re: OWASP CRS v4.15.0 Just Release
« Reply #28 on: September 03, 2025, 12:38:16 PM »
Mod_Security should not overwrite anything; it only does that when you change a setting like ModSec Rules Profile or Rules Engine.

When using the new OWASP CRS database, you can't really use the GUI anymore.
But once you have everything set up, it won't change.

There are articles on how to update your ModSecurity first before updating to the latest OWASP CRS ruleset.

These can be found at:
https://starburst.help/category/control-web-panel-cwp/modsecurity-running-with-control-web-panel/

Re: OWASP CRS v4.15.0 Just Release
« Reply #29 on: September 04, 2025, 12:46:28 PM »
Quote
Mod_Security should not overwrite anything; it only does that when you change a setting like ModSec Rules Profile or Rules Engine.

It is not mod_security

As I mentioned before, it is the CWP Security Daemon that is checking the integrity of the files and overwriting known system files that have unknown edits.

My host (InMotion Hosting) confirmed that to me. Maybe it's their custom security module. I don't know.

The only thing I know is that on a regular basis, my mod_security.conf file would get overwritten with the default "Include:" path, creating chaos on my websites.

I hope this helps.