Atomic Secure Linux
Post subject: Whitelisted or Trusted? what does what?
Posted: Tue Mar 16, 2010 11:11 pm
Forum User (Joined: Sat Jan 17, 2009 2:19 pm, Posts: 99)
Hi,
I am having a very hard time with the last update of the rules, specifically with 340147, and if I do a custom exclude for that rule then 340148 and 340149 start popping up. This is happening with a lot of my customers, not just one, and it triggers when they enter their MOODLE or similar sites and try to change colors or add any other features.

As you can see, it will be very hard to do a custom exclude for a lot of customers, so I am planning to put the domains that are on my server into the whitelist file or the trusted-domains.txt file. But what exactly does each of those files do? How do they work?

Is there a place where I could read about each file on the modsec rules?

Regards,
Sergio


Post subject: Re: Whitelisted or Trusted? what does what?
Posted: Wed Mar 17, 2010 11:17 am
Forum Regular (Joined: Mon Apr 10, 2006 12:55 pm, Posts: 656)
I'm sure Mike or Scott will be along shortly to tell you to file a bug report, but here are my general views on disabling rules:

1. Rules exist for a reason. Turning them off for false positives is never a good thing.
2. Sometimes rules just can't be bent enough for your application (not often, but it does happen sometimes). If it's one app on one site, disable the rule for that one site.
3. Non-public sites can sometimes be more lenient on rules, provided that the bad things require some authentication before you do them.
4. If you have multiple sites with the same problem, try working it out with the ASL guys first.

_________________
"It's not a Mac. I run Linux... I'm actually cool." - scott


Post subject: Re: Whitelisted or Trusted? what does what?
Posted: Wed Mar 17, 2010 5:17 pm
Forum User (Joined: Sat Jan 17, 2009 2:19 pm, Posts: 99)
Thank you Highland,
that is what I do every time I have a problem with one account, but when there are a few accounts with the same problem, there is no time to wait for the fix. Customers just want to have that fixed in no time.

So, that is why the question: what is best, to use the whitelist file or the trusted-domains file in the meantime, while a rule is checked and fixed?

Regards,

Sergio


Post subject: Re: Whitelisted or Trusted? what does what?
Posted: Wed Mar 17, 2010 5:45 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3249, Location: Chantilly, VA)
So before jumping into what those files do: if you want to disable rules for a domain, none of those files will do that for you. Disabling rules by domain needs to be done this way:

https://www.atomicorp.com/wiki/index.ph ... gle_domain

But please keep reporting any false positives you have - even if you disable a rule, we really appreciate the feedback, and it will only help to make the rules better and less likely to give a false positive in the future (and thank you for your reports so far!)

As to what those files do:

The trusted domains file (trusted-domains.conf) is only used by a few rules (injection and spam); it basically says that if a rule finds a specific domain in the *content*, not the headers (so it's not trusting the domain), then that event is not considered. That file is not used by any rule anymore; we have better logic to figure that out automatically now.

That file is also disabled in all the rules, as it's just not really necessary. Adding a domain to that file will not do anything unless you uncomment that part of the rule, which is not recommended.

domain-spam-whitelist.conf is a list of domains that you want to be ignored *if* they are in the injection and a spam rule triggers. This does not turn off the spam rules for those domains. For that you need to disable those spam rules in the vhost file itself.

The whitelist (/etc/asl/whitelist) is used to disable *all* rules for the source IP. Basically, that's a way of totally trusting an IP.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
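An added configuration example, not from this thread, the wiki page linked above, or Atomicorp's own documentation, showing the per-vhost approach the staff reply recommends instead of trusting a whole source IP through /etc/asl/whitelist. It uses stock ModSecurity 2.x directives and assumes ASL's rules are loaded through a standard Apache mod_security setup; example.com, the /moodle/ path and rule ID 1000001 are placeholders, while 340147-340149 are the rule IDs from the first post.

```apache
# Added example: scope a rule exclusion to one vhost (and optionally one
# application path) rather than disabling all rules for an IP.
# Assumes standard ModSecurity 2.x directives; example.com, /moodle/ and
# the local rule ID 1000001 are placeholders, not values from this thread.
<VirtualHost *:80>
    ServerName example.com

    # Option A: remove the three rules for this vhost only.
    # Every other domain on the server keeps them.
    SecRuleRemoveById 340147 340148 340149

    # Option B (narrower, use instead of Option A): keep the rules for the
    # whole vhost, but turn them off only for requests under the path that
    # produces the false positives. The rule runs in phase 1, matches
    # nothing else, and logs nothing, so it only adjusts the rule set.
    #SecRule REQUEST_URI "@beginsWith /moodle/" \
    #    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=340147,ctl:ruleRemoveById=340148,ctl:ruleRemoveById=340149"
</VirtualHost>
```

Either option leaves the rest of the server, and the rest of this vhost in Option B, fully covered, which is the difference from the IP whitelist described above: that file switches off *all* rules for a source address, so a false positive on one application should not be handled with it. The exclusion is a stop-gap; the false positive still goes back to Atomicorp so the rule itself can be corrected, as the staff reply asks.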