Atomic Secure Linux
 Post subject: Checking rule class settings
Posted: Tue Mar 20, 2012 12:18 pm
Forum User

Joined: Mon Jan 15, 2007 2:03 am
Posts: 40
Hi, I noticed I have some rulesets turned off, with a "HIGH" notice, for instance "Advanced Attack Ruleset". Not sure how those got turned off, and is this something I should be concerned about?

Checking rule class settings
RBL Ruleset: off [LOW]
Antievasion Ruleset: on [OK]
Strict Multiform Ruleset: off [MODERATE]
Whitelist Ruleset: off [OK]
Antievasion Ruleset: off [HIGH]
Advanced Antievasion Ruleset: off [HIGH]
Exclude Ruleset: on [OK]
Anti-Malware Ruleset: on [OK]
Generic Attack Ruleset: on [OK]
Advanced Attack Ruleset: off [HIGH]
Data Loss Protection Ruleset: off [MODERATE]
Brute Force Protection Ruleset: on [OK]
Malicious Useragents Ruleset: on [OK]
Anti-Spam Ruleset: on [OK]
Anti-Spam URI RBL Ruleset: off [LOW]
Rootkit Detection Ruleset: on [OK]
Reconnaissance Attacks Ruleset: on [OK]
Data Leak Prevention Ruleset: on [OK]
Just In Time Patches: on [OK]
Malicious Output Removal Ruleset: off [MODERATE]
Malicious Output Detector: on [OK]
Web Malware Upload Scanner: on [OK]


 Post subject: Re: Checking rule class settings
Posted: Tue Mar 20, 2012 6:01 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3249
Location: Chantilly, VA
These rulesets:

Strict Multiform Ruleset: off [MODERATE]
Advanced Attack Ruleset: off [HIGH]
Data Loss Protection Ruleset: off [MODERATE]

Are not enabled by default in ASL, so if you didn't enable them that may be why they are disabled.

Do you know if you disabled or enabled them?

You aren't in bad shape if you leave them disabled, but you will be able to combat more advanced attacks if you enable them. They shouldn't generate any false positives, but in the past some platforms and older clients had some difficulty with these rules.

These rulesets:

Antievasion Ruleset: off [HIGH]
Advanced Antievasion Ruleset: off [HIGH]

Require at least modsecurity version 2.6.3. ASL will try to upgrade modsecurity, if it's configured to do so. Can you tell me what version of ASL you have installed, and what version of modsecurity?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Checking rule class settings
Posted: Thu Mar 22, 2012 7:52 pm
Forum User

Joined: Mon Jan 15, 2007 2:03 am
Posts: 40
Hi, thanks for the thorough, helpful response as always :) I did not turn on/off these rulesets, so it's all default settings and upgrades since ASL 2, about 3 years ago I'd say.

I am running:
ASL Version 3.0.21: CentOS 5 (SUPPORTED)

I'm not sure how to check mod_security version, although it looks like at least 2 from the httpd/modules directory.

I'm fairly new to mod_security so any help on activating these would be appreciated. As long as there is not a huge performance hit or a high amount of false positives I don't see any reason to not do it.


 Post subject: Re: Checking rule class settings
Posted: Fri Mar 23, 2012 5:16 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
zonathen wrote:
I'm not sure how to check mod_security version


Ask your package manager:

Code:
rpm -q mod_security

_________________
Lemonbit Internet Dedicated Server Management
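A small check that does what the two replies above describe, as an added example (mine, not ASL's or Atomicorp's code): it splits the output of rpm -q mod_security into name, version and release, and compares the version against the 2.6.3 minimum the staff reply gives for the Antievasion rulesets. The function names are mine; the sample strings are the rpm line posted later in this thread and rpm's standard "not installed" message.

```python
"""Does the installed mod_security meet the 2.6.3 minimum from the thread?
Added example, not ASL code."""
import re
import shutil
import subprocess

# Minimum version the staff reply gives for the (Advanced) Antievasion rulesets.
MIN_MODSEC_VERSION = (2, 6, 3)

# Constructed samples in the shape rpm -q prints: the first is the line posted
# later in this thread, the second is rpm's message when the package is absent.
SAMPLE_INSTALLED = "mod_security-2.6.5-1.el6.art.x86_64"
SAMPLE_MISSING = "package mod_security is not installed"


def parse_rpm_nvra(line):
    """Split an rpm NVRA string into (name, version, release_arch).

    Returns None for the 'not installed' message or anything unparsable.
    """
    line = line.strip()
    if not line or line.startswith("package ") or line.count("-") < 2:
        return None
    # A package name may itself contain '-', so split from the right: the last
    # two '-' separate name / version / release.arch.
    name, version, release_arch = line.rsplit("-", 2)
    return name, version, release_arch


def version_tuple(version):
    """'2.6.5' -> (2, 6, 5); a non-numeric component counts as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def meets_minimum(version, minimum=MIN_MODSEC_VERSION):
    """True when version >= minimum, compared component by component."""
    return version_tuple(version) >= tuple(minimum)


def antievasion_supported(rpm_line):
    """Return (supported, explanation) for one line of rpm -q output."""
    wanted = ".".join(str(n) for n in MIN_MODSEC_VERSION)
    nvra = parse_rpm_nvra(rpm_line)
    if nvra is None:
        return False, "mod_security is not installed (or rpm output not understood)"
    name, version, _ = nvra
    if meets_minimum(version):
        return True, f"{name} {version} meets the {wanted} minimum"
    return False, f"{name} {version} is older than {wanted}; upgrade before enabling the Antievasion rulesets"


def installed_modsec_line():
    """Ask rpm on this host, as suggested above; None when rpm is not available."""
    if shutil.which("rpm") is None:
        return None
    result = subprocess.run(["rpm", "-q", "mod_security"], capture_output=True, text=True)
    out = result.stdout.strip()
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    line = installed_modsec_line() or SAMPLE_INSTALLED
    print(line)
    print(antievasion_supported(line)[1])
```

On a host without rpm the script falls back to the constructed sample so it still runs; on a CentOS box it reports the real package.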


 Post subject: Re: Checking rule class settings
Posted: Mon Mar 26, 2012 8:46 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
OK, I'm in a similar situation with a new, clean install under EL6.

Here's what gets configured, using the ASL installer script, out of the box:

Code:
MODSEC_00_ANTIEVASION="yes"
MODSEC_00_STRICT="no"
MODSEC_00_WHITELIST="no"
MODSEC_00_RBL="no"
MODSEC_00_AE_RULES="no"
MODSEC_01_RULES="no"
MODSEC_10_ANTIMALWARE="yes"
MODSEC_10_RULES="yes"
MODSEC_11_ADV_RULES="no"
MODSEC_11_DLP="no"
MODSEC_12_BRUTE="yes"
MODSEC_20_USERAGENTS="yes"
MODSEC_30_ANTISPAM="yes"
MODSEC_31_ANTISPAM_URI="no"
MODSEC_50_ROOTKITS="yes"
MODSEC_60_RECONS="yes"
MODSEC_61_RECONS_DLP="yes"
MODSEC_99_JITP="yes"
MODSEC_99_REDACTOR="yes"
MODSEC_99_MALWARE_OUTPUT="yes"
MODSEC_99_SCANNER="yes"


This default config corresponds with what zonathen is seeing, as my asl -s output is the same as his with the above configuration.

# rpm -qa mod_security
mod_security-2.6.5-1.el6.art.x86_64

# rpm -qa asl
asl-3.0.21-1.el6.art.x86_64


Incidentally, it is very hard to match some of the rule configuration options in the config file to the output of asl -s.

For example:
MODSEC_01_RULES="no" means nothing much to me. No idea which ruleset this refers to from its name.
MODSEC_00_AE_RULES="no" -- I'm guessing it is ADVANCED anti-evasion since we already have MODSEC_00_ANTIEVASION="yes" but in that case it would have been nice to name it AAE or something.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
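As an added example (mine, not ASL's code), a script that reads the two things compared in this post, the MODSEC_* switches from the config file and the rule class section of asl -s, and summarises each side: which switches are "no", which rulesets are off and at what severity, and which names are printed twice. The thread does not say which switch drives which ruleset, so the script does not guess that mapping. The sample inputs are the two listings posted in this thread; the function names are mine.

```python
"""Summarise ASL's MODSEC_* switches and the 'asl -s' rule class output
side by side. Added example, not ASL code; no switch-to-ruleset mapping is assumed."""
import re
from collections import Counter

# Sample input copied from the thread: the EL6 default switches posted above ...
SAMPLE_CONFIG = """\
MODSEC_00_ANTIEVASION="yes"
MODSEC_00_STRICT="no"
MODSEC_00_WHITELIST="no"
MODSEC_00_RBL="no"
MODSEC_00_AE_RULES="no"
MODSEC_01_RULES="no"
MODSEC_10_ANTIMALWARE="yes"
MODSEC_10_RULES="yes"
MODSEC_11_ADV_RULES="no"
MODSEC_11_DLP="no"
MODSEC_12_BRUTE="yes"
MODSEC_20_USERAGENTS="yes"
MODSEC_30_ANTISPAM="yes"
MODSEC_31_ANTISPAM_URI="no"
MODSEC_50_ROOTKITS="yes"
MODSEC_60_RECONS="yes"
MODSEC_61_RECONS_DLP="yes"
MODSEC_99_JITP="yes"
MODSEC_99_REDACTOR="yes"
MODSEC_99_MALWARE_OUTPUT="yes"
MODSEC_99_SCANNER="yes"
"""
# ... and the rule class section from 'asl -s' in the first post.
SAMPLE_STATUS = """\
Checking rule class settings
RBL Ruleset: off [LOW]
Antievasion Ruleset: on [OK]
Strict Multiform Ruleset: off [MODERATE]
Whitelist Ruleset: off [OK]
Antievasion Ruleset: off [HIGH]
Advanced Antievasion Ruleset: off [HIGH]
Exclude Ruleset: on [OK]
Anti-Malware Ruleset: on [OK]
Generic Attack Ruleset: on [OK]
Advanced Attack Ruleset: off [HIGH]
Data Loss Protection Ruleset: off [MODERATE]
Brute Force Protection Ruleset: on [OK]
Malicious Useragents Ruleset: on [OK]
Anti-Spam Ruleset: on [OK]
Anti-Spam URI RBL Ruleset: off [LOW]
Rootkit Detection Ruleset: on [OK]
Reconnaissance Attacks Ruleset: on [OK]
Data Leak Prevention Ruleset: on [OK]
Just In Time Patches: on [OK]
Malicious Output Removal Ruleset: off [MODERATE]
Malicious Output Detector: on [OK]
Web Malware Upload Scanner: on [OK]
"""
CONFIG_RE = re.compile(r'^(?P<key>MODSEC_[A-Z0-9_]+)="?(?P<value>yes|no)"?$')
STATUS_RE = re.compile(r"^(?P<name>.+?):\s+(?P<state>on|off)\s+\[(?P<sev>[A-Z]+)\]$")

def parse_modsec_config(text):
    """{switch: True/False} for every MODSEC_* line; comments and other keys are skipped."""
    switches = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            switches[m.group("key")] = m.group("value") == "yes"
    return switches

def parse_asl_status(text):
    """[(ruleset, enabled, severity)] in the order asl prints them; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("state") == "on", m.group("sev")))
    return entries

def disabled_by_severity(entries):
    """Disabled rulesets grouped under the severity tag asl attaches to them."""
    groups = {}
    for name, enabled, sev in entries:
        if not enabled:
            groups.setdefault(sev, []).append(name)
    return groups

def duplicate_rulesets(entries):
    """Names printed more than once (two 'Antievasion Ruleset' lines in the sample)."""
    counts = Counter(name for name, _, _ in entries)
    return sorted(n for n, c in counts.items() if c > 1)

def switches_off(switches):
    """Config switches currently set to "no", sorted by name."""
    return sorted(k for k, v in switches.items() if not v)

if __name__ == "__main__":
    entries = parse_asl_status(SAMPLE_STATUS)
    print("Switches set to no:", ", ".join(switches_off(parse_modsec_config(SAMPLE_CONFIG))))
    for sev, names in disabled_by_severity(entries).items():
        print(f"Off [{sev}]:", ", ".join(names))
    print("Listed more than once:", ", ".join(duplicate_rulesets(entries)))
```

To run it against a live system, replace the two samples with the contents of the ASL config file and the captured output of asl -s; the parsers ignore lines that do not match either shape.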


 Post subject: Re: Checking rule class settings
Posted: Mon Mar 26, 2012 8:56 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
And moving on, I know that I don't want to enable MODSEC_00_RBL because it will cause too many false positives (and potentially slow-downs).

What other rules should we really not turn on for production servers?

MODSEC_31_ANTISPAM_URI involves an rbl lookup, for example.

There's nothing in the wiki or KB that I can see with any references to help with this.

Any hints would be appreciated.

Thanks,

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Checking rule class settings
Posted: Mon Mar 26, 2012 3:33 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3249
Location: Chantilly, VA
Quote:
MODSEC_31_ANTISPAM_URI involves an rbl lookup, for example.

There's nothing in the wiki or KB that I can see with any references to help with this.


And that's on purpose. The lesson we learned from the RBL rules was that some folks were just blindly turning everything on, and then reporting (or loudly complaining to the whole world on other forums, sigh... why do people do that when all they have to do is ask for help, it's free after all) that their sites were slow. And we don't want that.

So consider this ruleset a super duper secret easter egg for those that ask! :-)

Now that you have asked, that will look up URIs in POSTs (as opposed to IPs) to see if they are known to be spammy. It's pretty spiffy. It will need a nice quick DNS server because it's totally blocking code: it will look up the URL and will wait for the DNS to return a result before it will pass on the POST to the application to process. So if you have a slow DNS server, or the DNSBL is slow, then the application will appear to be slow. Neither the app, WAF or Apache will actually be slow, they will just be waiting for a DNS reply. Twiddling their proverbial thumbs and whistling into the wind until they get an answer, thumbs up or down.

The long term plan with all DNS based rules is to include a high-speed RBL-DNS with ASL to manage all the requests, and to store local copies of the zones where possible to "eliminate" the speed issues (there will still be a small penalty, because it's still got to make the request, but it will be fractional compared to a remote request with a normal RBL).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
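To make the blocking behaviour concrete, here is an added example (mine, not ASL or mod_security code) that models what the post above describes: the request handler hands the URI's hostname to a resolver and cannot proceed until an answer, or a deadline, arrives. The zone names rbl.example and uribl.example are placeholders, the slow resolver is constructed to show the stall, and the small TTL cache at the end only sketches the direction of the "local copies of the zones" plan; none of it reflects how ASL actually implements the rule.

```python
"""Model of a blocking DNSBL lookup in a request handler (added example,
not ASL or mod_security code). Zones ending in .example are placeholders."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def ip_rbl_query_name(ip, zone):
    """IP-based RBL form: the address's octets reversed, under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 dotted-quad expected")
    return ".".join(reversed(octets)) + "." + zone


def uri_rbl_query_name(hostname, zone):
    """URI blocklist form: the hostname taken from the POSTed URL, under the zone."""
    return hostname.strip().lower().rstrip(".") + "." + zone


def system_resolver(name):
    """A real, blocking lookup; None means 'not listed' (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_slow_resolver(delay, answer=None):
    """Constructed resolver that stalls for `delay` seconds, like a slow DNS server."""
    def resolve(name):
        time.sleep(delay)
        return answer
    return resolve


def bounded_lookup(name, resolver, timeout):
    """Run the resolver but wait at most `timeout` seconds for it.

    Returns (verdict, elapsed_seconds); verdict is 'listed', 'clean' or 'timeout'.
    Without a bound the handler waits as long as the resolver takes, which is
    the "application appears slow" effect the post describes.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(resolver, name)
    try:
        answer = future.result(timeout=timeout)
        verdict = "listed" if answer else "clean"
    except FutureTimeout:
        verdict = "timeout"
    finally:
        pool.shutdown(wait=False)  # do not hold the request on a stuck resolver thread
    return verdict, time.monotonic() - start


class CachedLookup:
    """Answer cache with a TTL: repeat lookups of the same name cost nothing.

    Only a sketch of the 'local copies of the zones' idea; a real local zone
    copy answers every name locally, not just names seen before.
    """

    def __init__(self, resolver, timeout, ttl):
        self.resolver, self.timeout, self.ttl = resolver, timeout, ttl
        self.cache = {}  # name -> (verdict, expiry)

    def verdict(self, name):
        """Returns (verdict, elapsed_seconds, served_from_cache)."""
        now = time.monotonic()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], 0.0, True
        verdict, elapsed = bounded_lookup(name, self.resolver, self.timeout)
        if verdict != "timeout":  # never cache the absence of an answer
            self.cache[name] = (verdict, now + self.ttl)
        return verdict, elapsed, False


if __name__ == "__main__":
    name = uri_rbl_query_name("example.com", "uribl.example")
    print(name, bounded_lookup(name, make_slow_resolver(0.3, "127.0.0.2"), timeout=1.0))
    print(name, bounded_lookup(name, make_slow_resolver(0.3), timeout=0.1))
```

Swap system_resolver in for the constructed one to measure what your own DNS server adds per POST; the elapsed value returned is the delay every request carrying a URI would pay.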


 Post subject: Re: Checking rule class settings
Posted: Fri Jul 13, 2012 8:57 am
Forum Regular

Joined: Tue Jun 09, 2009 12:57 pm
Posts: 134
faris wrote:
MODSEC_01_RULES="no" means nothing much to me. No idea which ruleset this refers to from its name.
MODSEC_00_AE_RULES="no" -- I'm guessing it is ADVANCED anti-evasion since we already have MODSEC_00_ANTIEVASION="yes" but in that case it would have been nice to name it AAE or something.


I have MODSEC_00_AE_RULES & MODSEC_00_ANTIEVASION set to on, but in ASL Scan "Advanced Antievasion Ruleset" is still OFF. Additionally, I have two identical "Antievasion Ruleset" in the scan results, which is confusing.

_________________
CentOS 6.3 (2.6.32.60-40.art.x86_64)
ASL 3.2.13-30.el6.art
Webmin 1.6.2
Virtualmin 3.99.gpl
Apache 2.2.15
PHP 5.3.3 (mod_fcgid/2.3.7)


 Post subject: Re: Checking rule class settings
Posted: Wed Jul 18, 2012 7:31 am
Forum Regular

Joined: Tue Jun 09, 2009 12:57 pm
Posts: 134
Which exact setting needs to be switched to turn "Advanced Antievasion Ruleset" ON?

_________________
CentOS 6.3 (2.6.32.60-40.art.x86_64)
ASL 3.2.13-30.el6.art
Webmin 1.6.2
Virtualmin 3.99.gpl
Apache 2.2.15
PHP 5.3.3 (mod_fcgid/2.3.7)

