Atomic Secure Linux

Post subject: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 7:27 am
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
Hello,

I am trying to disable a single rule for a domain.
No matter what I do, modsec keeps blocking the script.

In my vhost.conf

<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleRemoveById 350148
</IfModule>
</LocationMatch>

After I change the vhost.conf I run: /usr/local/psa/admin/bin/websrvmng -u --vhost-name=thedomain.co.za

I also tried to disable modsec for the domain

<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

I also tried to disable modsec just for the script

<LocationMatch /admin/photographers_edit.php>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

No matter what I do, I get the same result. :?:

[Tue Jul 05 13:18:22 2011] [error] [client 41.185.108.125] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1025"] [id "350148"] [rev "53"] [msg "Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected "] [data "14519"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\\:/|alert ?\\(|<? (?:(?:java|vb)?script|applet|activex|chrome) ?>|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?>|< ?/?i?frame|\\%env)" at ARGS:clients. [hostname "www.thedomain.co.za"] [uri "/admin/photographers_edit.php"] [unique_id "pEY1sU4uOc0AAEmCwBgAAAAB"]

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 8:41 am
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
If adding an override to vhost(_ssl).conf, the full system path is required:
Code:
<Directory /var/www/vhosts/domain.com/httpdocs/(dir)>
SecRuleRemoveById 350148
</Directory>


Always remember to:
Code:
/usr/sbin/apachectl configtest


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 10:05 am
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
@Kalimari - thanks for your help.
The <Directory> tip pointed me in the right direction.

This is what finally did the trick ...

<IfModule mod_security2.c>
<Directory /var/www/vhosts/***.co.za/httpdocs/admin/>
SecRuleRemoveById 350147
SecRuleRemoveById 350148
</Directory>
</IfModule>

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 1:36 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
With asl you can also just do this from the command line:

This will globally disable a rule:

asl -dr 12345

This will disable a rule for the domain:

asl -dr 12345 --vhost example.com

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 2:34 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
mikeshinn - thanks, this is very useful :)

asl -dr 12345 --vhost example.com
Where does this write to, if one wanted to see all disabled rules per domain?

I assume -er is to enable/re-enable a rule.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 4:53 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
That depends, what version of ASL are you using?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 5:23 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
ASL version is current: 2.2.11

Very keen to start playing with ASL 3.0

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Can't Disable modsec Rules
Posted: Tue Jul 05, 2011 5:40 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
2.2.11 will generate a file "999_asl_user_exclude.conf" that contains the custom excludes for your system, and "00_asl_generated.conf" for the vhost excludes.

Users should not modify these files as any changes will be overwritten by ASL.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Can't Disable modsec Rules
Posted: Wed Jul 06, 2011 1:06 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Hang on, I'm confused now. I don't mean to hijack the thread, but this is related and hopefully will be useful for kram to know as well as me:

I thought a rule had to be loaded before it could be excluded, thus it would need to be in a late-loading (99x-type) conf file. Obviously I'm wrong about this.

So in reality a global exclude does need to be loaded last, but a per-vhost exclude can (must?) be loaded before the rule is actually defined. Is this just "the way mod_security works", or is there more to it?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Can't Disable modsec Rules
Posted: Wed Jul 06, 2011 1:16 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7423
Location: earth
It has to do with what you are looking at in which phase of the connection. Name-based virtual host definitions occur right up front in the protocol (for obvious reasons), so it's faster to do an exclusion there rather than farther down the stack in a directory definition.


Post subject: Re: Can't Disable modsec Rules
Posted: Wed Jul 06, 2011 5:52 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
Hi,

I had a go with the asl -dr 350148 --vhost 2large.co.za + asl -er 350148 --vhost 2large.co.za

The -dr command adds the ruleRemovebyID to 00_asl_generated.conf, but it does not get removed when I issue the -er.

Am I missing something?

asl -dr 350148 --vhost 2large.co.za
Disabling Rule ID: 350148 on 2large.co.za

less /etc/httpd/modsecurity.d/999_asl_user_exclude.conf

<LocationMatch .*>
</LocationMatch>

less /etc/httpd/modsecurity.d/00_asl_generated.conf

SecRule REQUEST_HEADERS:Host "^2large.co.za$" "nolog,noauditlog,ctl:ruleRemovebyID=350148"

I then tried to re-enable the rule

asl -er 350148 --vhost 2large.co.za
Enabling Rule ID: 350148

less /etc/httpd/modsecurity.d/999_asl_user_exclude.conf

<LocationMatch .*>
</LocationMatch>

less /etc/httpd/modsecurity.d/00_asl_generated.conf

SecRule REQUEST_HEADERS:Host "^2large.co.za$" "nolog,noauditlog,ctl:ruleRemovebyID=350148"

_________________
Mark Brindley
2Large Networks - Web solutions that work
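The earlier question about where to see all disabled rules per domain, and the 00_asl_generated.conf and 999_asl_user_exclude.conf contents pasted above, are what this added audit script answers; it is not part of the thread or of ASL. It parses the two exclusion mechanisms those files use (a SecRuleRemoveById directive scoped by its enclosing Directory/LocationMatch container, and ASL's per-vhost Host-header SecRule carrying ctl:ruleRemoveById) and reports which rule IDs are disabled in which scope, so an admin can confirm whether an asl -er run actually removed the exclusion. The sample configuration, host name and paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample shaped like 00_asl_generated.conf, 999_asl_user_exclude.conf
# and a vhost.conf snippet; the host and paths are placeholders, not thread values.
SAMPLE_CONF = """
SecRule REQUEST_HEADERS:Host "^example.co.za$" "nolog,noauditlog,ctl:ruleRemovebyID=350148"
<LocationMatch .*>
SecRuleRemoveById 350200
</LocationMatch>
<IfModule mod_security2.c>
<Directory /var/www/vhosts/example.co.za/httpdocs/admin/>
SecRuleRemoveById 350147 350148
</Directory>
</IfModule>
"""

CONTAINERS = r"Directory|DirectoryMatch|Location|LocationMatch|VirtualHost"
OPEN_RE = re.compile(rf"^<({CONTAINERS})\s+(.+?)>$", re.I)
CLOSE_RE = re.compile(rf"^</({CONTAINERS})>$", re.I)
REMOVE_RE = re.compile(r"^SecRuleRemoveById\s+(.+)$", re.I)
# ASL's per-vhost form: a Host-header SecRule applying ctl:ruleRemoveById per request
VHOST_RE = re.compile(
    r'^SecRule\s+REQUEST_HEADERS:Host\s+"([^"]+)"\s+"[^"]*ctl:ruleRemoveById=(\d+)', re.I)

def expand_ids(field):
    """'350147 350148' or '350147-350148' -> [350147, 350148]."""
    ids = []
    for tok in field.split():
        lo, _, hi = tok.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def disabled_rules(text):
    """Map scope -> set of disabled rule IDs. Keys: 'global', 'Directory:<path>',
    'LocationMatch:<pattern>' for directives, 'vhost:<host regex>' for ASL --vhost."""
    scopes, stack = defaultdict(set), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := OPEN_RE.match(line):
            stack.append(f"{m.group(1)}:{m.group(2)}")
        elif CLOSE_RE.match(line) and stack:
            stack.pop()  # IfModule is not tracked: it does not change rule scope
        elif m := REMOVE_RE.match(line):
            scopes[stack[-1] if stack else "global"].update(expand_ids(m.group(1)))
        elif m := VHOST_RE.match(line):
            scopes[f"vhost:{m.group(1)}"].add(int(m.group(2)))
    return dict(scopes)

def still_disabled(text, rule_id, host):
    """True if rule_id is still excluded for host, e.g. after an 'asl -er' run."""
    return rule_id in disabled_rules(text).get(f"vhost:^{host}$", set())
```

Run it over the real files after asl -er: if still_disabled() is True for the vhost, the exclusion line was not removed, which is the 2.2.11 behaviour described in this post.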


Post subject: Re: Can't Disable modsec Rules
Posted: Wed Jul 06, 2011 9:40 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
Which version of ASL are you using? And what's the output of both commands?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Can't Disable modsec Rules
Posted: Thu Jul 07, 2011 4:46 am
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
@mikeshinn

ASL Version = 2.2.11

asl -dr 350148 --vhost 2large.co.za
Disabling Rule ID: 350148 on 2large.co.za

Checking mod_security settings
Checking for mod_security installation: installed [OK]
mod_security set to: enabled [OK]
Server Signature set to: Apache [OK]
SecUploadDir set to: /var/asl/data/suspicious [OK]
SecUploadKeepFiles set to: on [OK]
Logfile set to: audit_log [OK]
Logging set to: Concurrent [OK]
Audit Logging to: /var/asl/data/audit [OK]
Logging elements set to: ABIFHZ [OK]
SecRequestBodyInMemoryLimit set to: 131072 [OK]
SecRequestBodyLimit set to: 134217728 [OK]
SecResponseBodyLimit set to: 2621440 [OK]
SecResponseBodyLimitAction set to: ProcessPartial [OK]
Enable debug log: no [OK]
SecDataDir set to: /var/asl/data/msa [OK]
SecTmpDir set to: /tmp [OK]

Checking rule class settings
RBL Checks: off [LOW]
Upload Scanner ruleset: on [OK]
Anti-Malware ruleset: on [OK]
Generic Attack ruleset: on [OK]
Malicious Useragents ruleset: on [OK]
Anti-Spam ruleset: on [OK]
Rootkit ruleset: on [OK]
Recon ruleset: on [OK]
Just In Time Patches: on [OK]
Redactor: on [OK]
Whitelist: off [OK]
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

asl -er 350148 --vhost 2large.co.za
Enabling Rule ID: 350148

Checking mod_security settings
Checking for mod_security installation: installed [OK]
mod_security set to: enabled [OK]
Server Signature set to: Apache [OK]
SecUploadDir set to: /var/asl/data/suspicious [OK]
SecUploadKeepFiles set to: on [OK]
Logfile set to: audit_log [OK]
Logging set to: Concurrent [OK]
Audit Logging to: /var/asl/data/audit [OK]
Logging elements set to: ABIFHZ [OK]
SecRequestBodyInMemoryLimit set to: 131072 [OK]
SecRequestBodyLimit set to: 134217728 [OK]
SecResponseBodyLimit set to: 2621440 [OK]
SecResponseBodyLimitAction set to: ProcessPartial [OK]
Enable debug log: no [OK]
SecDataDir set to: /var/asl/data/msa [OK]
SecTmpDir set to: /tmp [OK]

Checking rule class settings
RBL Checks: off [LOW]
Upload Scanner ruleset: on [OK]
Anti-Malware ruleset: on [OK]
Generic Attack ruleset: on [OK]
Malicious Useragents ruleset: on [OK]
Anti-Spam ruleset: on [OK]
Rootkit ruleset: on [OK]
Recon ruleset: on [OK]
Just In Time Patches: on [OK]
Redactor: on [OK]
Whitelist: off [OK]
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Can't Disable modsec Rules
Posted: Thu Jul 14, 2011 6:10 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
I'm sorry, I completely missed that you were running 2.2.11. If you are running into this issue (and it looks like you are) then I recommend you upgrade to 3.0 which will resolve this for you. There are some cases where re-enabling was an issue in 2.2.11, so we re-wrote the whole system in 3.0. 3.0 is in release candidate now.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Can't Disable modsec Rules
Posted: Thu Jul 14, 2011 6:41 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 195
Location: South Africa
Hiya mikeshinn - how do I grab V3.0?

_________________
Mark Brindley
2Large Networks - Web solutions that work

