Mod_Security installation and usage guide

This guide is going to show you how to install and configure mod_security, which helps protect your server from exploits that are passed through Apache. Mod_security does this by inspecting each request Apache receives and rejecting the "bad" ones, as determined by the set of rules specified in httpd.conf. The ruleset used in this guide blocks most of the common exploits, including the nosanity phpBB worms, and should also block most of the other common methods of attacking a server through PHP.

Updated July 11th with the latest version, enjoy!


First we will download and unzip mod_security.

-----command-----
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -zxf modsecurity-apache_1.9.4.tar.gz
-----command-----

If you are using Apache 1.3.x you need to go into the apache1 directory as shown below. cPanel and Ensim both use Apache 1.3.x.

-----command-----
cd modsecurity-apache_1.9.4/apache1
-----command-----

If you are using Apache 2.x you need to go into the apache2 directory as shown below. Plesk uses Apache 2.x and may require the httpd-devel rpm to be installed to get mod_security working.

-----command-----
cd modsecurity-apache_1.9.4/apache2
-----command-----


Next compile mod_security as a module with apxs. One of the apxs paths shown below should work on your system.
-----command-----
/etc/httpd/bin/apxs -cia mod_security.c
-----command-----

If you get a "file not found" error for apxs, install httpd-devel using up2date and then try to compile it again. This will work fine on Plesk and on the newer versions of Ensim that do not use "ensimized" httpd rpms. If you are running a version of Ensim below 4.0 you should not continue unless you are certain of what you are doing.
-----command-----
up2date -i httpd-devel
/usr/sbin/apxs -cia mod_security.c
-----command-----

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
-----command-----
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec
-----command-----


Now edit the httpd.conf. Even though Ensim has multiple httpd.conf files, you can put the configuration in the primary one.
-----command-----
pico -w /etc/httpd/conf/httpd.conf
-----command-----

If you are running Apache 1.3.x (cPanel and pre-4.0 Ensim), scroll down to just below the following line:
AddModule mod_security.c
If you do not have that AddModule line, find where the rest of the AddModule lines are located and put it right below the others.


If you are running Apache 2.x (Plesk and Ensim 4.0+), scroll down to just below the following line, then continue on and paste the ruleset there:
LoadModule security_module modules/mod_security.so



Now you are going to paste in this ruleset. Please feel free to modify it as you see fit. I think that it is a very non-aggressive ruleset that will work fine on just about any server. Please post any problems you have with it below!

----Ruleset----

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"


# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

</IfModule>

---/Ruleset---

 


Now simply restart apache to enable mod_security.
-----command-----
service httpd restart
-----command-----

If sites start to have problems, look at the audit log:
/etc/httpd/logs/audit_log

If you need or want to remove mod_security at any time, simply comment out (put a # in front of) the AddModule mod_security.c line (on Apache 2.x, the LoadModule security_module line) and restart Apache. This disables all of the rules, since the module is no longer loaded into Apache.

OK, mod_security is all set up. I would tail the audit log occasionally to see if it is causing any trouble with legitimate traffic; the ruleset above should not cause many problems though. Thanks to all that have helped with the rules for this, especially ryan at rfxnetworks and err0r. I have also adapted some rules from suggestions on the netberg forums by HostMerit.
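Before trusting the ruleset on live traffic it helps to dry-run it against requests you know you want to allow. The script below is an added example, not part of this guide or of mod_security itself: it implements a small subset of mod_security 1.x rule matching (SecFilterSelective over THE_REQUEST, REQUEST_METHOD, POST_PAYLOAD, HTTP_* and ARG_*, with `!` negation and `chain`) and runs a constructed excerpt of the rules, plus the unescaped `/../../` rule discussed in the comments, against constructed requests. The rule excerpt, request names and sample requests are all assumptions made for the demonstration.

```python
"""Dry-run a subset of mod_security 1.x SecFilterSelective rules against constructed
requests, so false positives show up before the rules go live on a server."""
import re
from urllib.parse import unquote

# Constructed excerpt of the ruleset above, plus the unescaped "/../../" rule that
# the comments report as blocking WordPress date permalinks.
RULES = r'''
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective THE_REQUEST "/../../ "
'''
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_rules(text):
    """Return (locations, pattern, is_chain) tuples; other directives are ignored."""
    rules = []
    for line in text.splitlines():
        tokens = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(tokens) >= 3 and tokens[0] == "SecFilterSelective":
            rules.append((tokens[1].split("|"), tokens[2], "chain" in tokens[3:]))
    return rules

def variable(req, loc):
    """Resolve a mod_security 1.x location name against a request dict."""
    if loc == "THE_REQUEST":
        return f'{req["method"]} {req["uri"]} HTTP/1.1'
    if loc == "REQUEST_METHOD":
        return req["method"]
    if loc == "POST_PAYLOAD":
        return req.get("body", "")
    if loc.startswith("HTTP_"):  # a missing header resolves to "", so "^$" matches it
        wanted = loc[5:].replace("_", "-").lower()
        return next((v for k, v in req["headers"].items() if k.lower() == wanted), "")
    if loc.startswith("ARG_"):  # query split on "&" only, so ";topic=..." stays in the value
        for part in req["uri"].partition("?")[2].split("&"):
            name, _, value = part.partition("=")
            if unquote(name) == loc[4:]:
                return unquote(value)
        return ""
    raise ValueError(f"unsupported location {loc}")

def evaluate(req, rules):
    """Return the pattern of the rule that denies the request, or None if it is allowed."""
    skipping = False  # set when an earlier link of a chain missed
    for locs, pattern, chain in rules:
        if skipping:
            skipping = chain
            continue
        negate = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negate else pattern)
        if any(regex.search(variable(req, loc)) for loc in locs) == negate:
            skipping = chain  # rule did not fire; skip the rest of its chain, if any
            continue
        if not chain:  # a standalone rule or the last link of a chain fired: deny
            return pattern
    return None

def demo():
    """Constructed requests modelled on the traffic discussed on this page."""
    base = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}
    form = dict(base, **{"Content-Type": "application/x-www-form-urlencoded"})
    mail = dict(base, **{"Content-Type": "multipart/form-data; boundary=xyz", "Content-Length": "72"})
    cases = {
        "phpBB highlight worm probe": {"method": "GET", "uri": "/viewtopic.php?t=1&highlight=%2527%252E", "headers": base},
        "POST without Content-Length": {"method": "POST", "uri": "/orderform3.php", "headers": form, "body": "billingcycle=monthly"},
        "SMF session id with ;topic": {"method": "GET", "uri": "/forum/index.php?PHPSESSID=a93e99e5fddf254eeab23bd5b9725579;topic=9.new", "headers": base},
        "webmail compose mentioning cc:": {"method": "POST", "uri": "/webmail/src/compose.php", "headers": mail, "body": '--xyz\r\nContent-Disposition: form-data; name="body"\r\n\r\nPlease cc: the team\r\n--xyz--'},
        "WordPress date permalink": {"method": "GET", "uri": "/2005/12/29/", "headers": base},
    }
    return {name: evaluate(req, parse_rules(RULES)) for name, req in cases.items()}
```

Only the first case is a real probe; the other four are legitimate traffic that the excerpt denies, which is exactly what you want to discover before the 403s reach users.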



problem :/

[root@plesk tmp]# up2date -i httpd-devel
Invalid metapkg id emacs-nox

Fetching Obsoletes list for channel: rhel-i386-es-3...

Fetching Obsoletes list for channel: rhel-i386-es-3-extras...

Name Version Rel
----------------------------------------------------------
httpd-devel 2.0.46 46.ent i386

Testing package set / solving RPM inter-dependencies...
There was a package dependency problem. The message was:

Unresolvable chain of dependencies:
httpd-devel-2.0.46-46.ent requires httpd = 2.0.46-46.ent

but;
[root@plesk tmp]# httpd -V
Server version: Apache/2.0.46

just for the rest :)

if you have httpd upgraded from AtomicRocketTurtle

yum install httpd-devel

instead of up2date -i httpd-devel

then proceed with the mod_security installation

cheers

New Version Released

How can I update 1.8.7 to

How can I update 1.8.7 to 1.9 ? I'm using cpanel and RHE3

Thanks

update

Go ahead and just redo the install guide but do not re-insert the rules. All you have to do is recompile it and install it the old ruleset will work fine :)

Think I see a problem with code

Hello. I'm new to mod_security so I could be wrong, but I think this line:

SecFilterSelective THE_REQUEST "/../../ "

should instead be:

SecFilterSelective THE_REQUEST "/\.\./\.\./ "

Notice the backslashes in front of the two dots, which tell the regular expression to match literally "/../../" instead of any two two-character strings separated by slashes eg: "/ab/cd/". I actually do have a site that has a directory structure like that, and I am using the configuration on this page for mod_security. I have made that change to my server's mod_security rules, and it has fixed a problem with mod_security blocking parts of their site.

problems

[root@vps262 apache2]# /usr/sbin/apxs -cia mod_security.c
/usr/bin/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -march=i386 -mcpu=i686 -DSSL_EXPERIMENTAL_ENGINE -I/usr/kerberos/include -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pthread -I/usr/include/httpd -c -o mod_security.lo mod_security.c && touch mod_security.slo
sh: line 1: /usr/bin/libtool: No such file or directory
apxs:Error: Command failed with rc=8323072

OS ?

What OS are you running?

Re: problems

It appears you're running RHEL /CentOS 3.6 or something. In that case, run;

# up2date -i httpd-devel && yum install gcc cpp libtool

Don't forget to remove the installed devel tools and their dependencies after you've successfully upgraded mod_security;

# yum remove httpd-devel libtool gcc cpp autoconf automake glibc-devel glibc-headers glibc-kernheaders

mod_sec

Yes, I'm running RHE3 with Virtuozzo & Plesk installed
---------------------

[root@vps262 root]# up2date -i httpd-devel && yum install gcc cpp libtool

Fetching Obsoletes list for channel: rhel-i386-es-3...

Fetching Obsoletes list for channel: rhel-i386-es-3-extras...

Fetching Obsoletes list for channel: rhel-i386-es-3-devsuite...

Fetching rpm headers...
########################################

Name Version Rel
----------------------------------------------------------

The following packages you requested are already updated:
httpd-devel
Gathering header information file(s) from server(s)
Server: Atomic Rocket Turtle - 3ES - Atomic PSA-Compatible RPMS
Server: Atomic Rocket Turtle - 3ES - SW-Soft PSA 7.5 RPMS
Finding updated packages
Downloading needed headers
gcc is installed and is the latest version.
cpp is installed and is the latest version.
Cannot find a package matching libtool
No actions to take

more...

so I've tried to remove and reinstall, but nothing...

----
[root@vps262 apache2]# yum remove httpd-devel libtool gcc cpp autoconf automake glibc-devel glibc-headers glibc-kernheaders
Gathering header information file(s) from server(s)
Server: Atomic Rocket Turtle - 3ES - Atomic PSA-Compatible RPMS
Server: Atomic Rocket Turtle - 3ES - SW-Soft PSA 7.5 RPMS
Finding updated packages
Downloading needed headers
Erase: No matches for libtool
Erase: No matches for autoconf
Erase: No matches for automake
Resolving dependencies
Dependencies resolved
I will do the following:
[erase: cpp 3.2.3-53.i386]
[erase: httpd-devel 2.0.46-54.ent.i386]
[erase: glibc-kernheaders 2.4-8.34.2.i386]
[erase: glibc-headers 2.3.2-95.37.i386]
[erase: glibc-devel 2.3.2-95.37.i386]
[erase: gcc 3.2.3-53.i386]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
Test transaction complete, Success!
Erasing: glibc-headers 1/6
Erasing: cpp 2/6
Erasing: httpd-devel 3/6
Erasing: glibc-kernheaders 4/6
Erasing: glibc-devel 5/6
Erasing: gcc 6/6
Erased: cpp 3.2.3-53.i386 httpd-devel 2.0.46-54.ent.i386 glibc-kernheaders 2.4-8.34.2.i386 glibc-headers 2.3.2-95.37.i386 glibc-devel 2.3.2-95.37.i386 gcc 3.2.3-53.i386
Transaction(s) Complete
[root@vps262 apache2]#
----------

libtool

Ok so do

find / |grep libtool

see if you can find it someplace else on the system

lwp-download

If you have perl-libwww-perl installed, make sure to block lwp-download
as well - we have seen quite a lot of attacks starting to use it after they fail with wget,curl,fetch etc. :)

problems with WP URL Pattern

This rule - SecFilterSelective THE_REQUEST "/../../ " - creates problem with Wordpress default URL pattern...

i.e. if someone types http://www.example.com/2005/12/29/

it will show error

You can update the ruleset and fix it.

Regards,
Deep

WP

Interesting, thank you for pointing that out I have removed the rule.

solution

the DOT is taken as a character so two dots means 2 characters
: which is matching here 2 numbers 12 or 29 this matches
i.e. if someone types http://www.example.com/2005/12/29/
-------
escape dots
so the rule will be :
/\.\./\.\./
---------------------------
rOCk-MaStEr
SecurityGurus[d0t]Net
---------------------------

I tried to insert this in

I tried to insert this in whm > mod security > edit config
but nothing happened when I insert / click submit. If I click none it works, if I leave blank and hit submit it refreshes.

Where to put rules?

Instead of httpd.conf, can I put these in /usr/local/apache/conf/mod.sec.conf?

mod-sec

Yes but make sure you have an Include for that file so it gets read

Front Page issue?

I installed mod_security on my cpanel server 2 days ago. and ever since, the ability to save via front page has become impossible. are the 2 related?

Regards,
Kryss
Stephanridge Hosting
http://stephanridge.com

FP

It should not be, have you tried look at the audit log?

fp

My datacenter said to enter this
###########################################
#Front page exclusions
###########################################

SecFilterInheritance Off

which I did, but I still get a 500 error

Regards,
Kryss
Stephanridge Hosting
http://stephanridge.com

Some extra rules i use

Anti-Leech Filters:
====================================================
#Comment spam header line
SecFilter "^x-aaaaaaaaaa"

#check for bad meta characters in User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)*>"

#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

#Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

#Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*"

#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"

#Web leaches
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT EmailWolf
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebEMailExtrac
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
====================================================

That is only 1 set of a large set of filters i use. If youd like more, just let me know.

Squirrelmail problem

Problem in compose emails in squirrelmail
__________________________________
Forbidden
You don't have permission to access /webmail/src/compose.php on this server.
__________________________________

Ideas?

Squirrel mail

check the /usr/local/apache/logs/audit_log I bet you will find the rule causing the problems.

That may also be a permission error if nothing is in the audit_log

In

In audit_log
#################################
==31288326==============================
Request: www.domain.com 209.82.111.87 - - [28/Feb/2006:14:33:27 --0500] "POST /webmail/src/compose.php HTTP/1.1" 403 296
"http://www.domain.com/webmail/src/compose.php?passed_id=2&mailbox=INBOX&startMessage=1&passed_ent_id=0&smaction=reply_
all" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 5sQtSEMPSBUAADYN8hQAAAAN "-"
Handler: php-script
----------------------------------------
POST /webmail/src/compose.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, applica
tion/msword, application/x-shockwave-flash, */*
Referer: http://www.domain.com/webmail/src/compose.php?passed_id=2&mailbox=INBOX&...
=reply_all
Accept-Language: en-us
Content-Type: multipart/form-data; boundary=---------------------------7d625e3050402
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.domain.com
Content-Length: 13354
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: key=TiYx%2FQNZwg%3D%3D; SQMSESSID=c14cabae55719c8ba2b6c632414790ed
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "cc:" at POST_PAYLOAD

13354
-----------------------------7d625e3050402
#################################

Squirrel mail

mod_security-message: Access denied with code 403. Pattern match "cc:" at POST_PAYLOAD

Remove the "cc:" rule and try again. SM does have some issues with the spamming rules and you may have to remove all of them.

Thank you very much

Thank you very much.

Comment three rules to work fine, why?

I have installed mod_security fine, but i must comment three directives of mod security and work fine.

the errors messages:
mod_security-message: Access denied with code 500. Pattern match "../" at REQUEST_URI
mod_security-action: 500
-----
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER("USER-AGENT")
mod_security-action: 500

I did comment these commands in httpd.conf:

#SecFilterSelecteve "HTTP_USER_AGENT|HTTP_HOST" "^$"

#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

#SecFilter "<(.|n)+>"

----

But my question is, why must I comment those out? Is it dangerous?

thanks

user agent

That is the user-agent or the browser. What browser are you using when it detects that? I have never really had problems with that rule.

The browser is mozilla

The browser is mozilla firefox

FrontPage error 403

FrontPage is giving 403 errors after applying your ms rules

http://forums.cpanel.net/attachment.php?attachmentid=720
http://forums.cpanel.net/attachment.php?attachmentid=721

I tailed apache logs and got this:

[Sun Mar 5 08:56:02 2006] [error] [client xxx.117.103.182] mod_security: Access denied with code 403. Pattern match "cc:" at POST_PAYLOAD [hostname "myhostdomain.com"] [uri "/_vti_bin/_vti_aut/author.exe"]

So clearly it is mod_security causing this. How do I correct this please?

mod-sec

Yes look at the rule "cc:" that is the pattern that was matched. Simply remove it from the mod_security ruleset. I personally do not run frontpage and hate it so I have not spent any time double checking it. If you use frontpage a lot mod_security will tend to mess it up...

For people who are having

For people who are having problems with publishing under Frontpage, it's these lines:

SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"

As mentioned above, these lines can also break Squirrelmail.

You can comment them out or use this:

###########################################
#Front page exclusions
###########################################
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
SecFilterInheritance Off
</LocationMatch>

argument separator addition... but how?

I get requests like:

/forum/index.php?PHPSESSID=a93e99e5fddf254eeab23bd5b9725579; HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;topic=137.new HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;board=10.0 HTTP/1.1
/forum/index.php?PHPSESSID=77d5ed1dfdb8dc18e8e3b61ff7896c1c;topic=9.new HTTP/1.1
/forum/index.php?PHPSESSID=44739390b8bc8980c9fccf0606fb5c79;topic=9.new HTTP/1.1

and they are all blocked with:

Access denied with code 406. Pattern match "!^[0-9a-z]*$" at ARG("PHPSESSID")

How do I add ; to the argument separators?

For problems in Squirrelmail and Horde

# Exclusions for Squirrelmail and Horde postings
<LocationMatch "/horde/imp/compose.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
SecFilterInheritance Off
</LocationMatch>

/etc/passwd

You might want to add SecFilterSelective THE_REQUEST "/etc/passwd"

Hi

We are using vBulletin on our server and it is always getting a forbidden error. Does anyone know how to tune mod_security to work with vBulletin?

mod_sec and vbb

The ruleset above should work for most forums. If you are having trouble look at the audit_log and figure out what rule is triggering it.

Squirrelmail "Forward" message does not work!

Hi,
I have mod_security installed and users can not use the
Forward
function in Squirrelmail 1.46 and they get:

----------------------------
Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator, me@myemail and inform them of the
time the error occurred, and anything you might have done that may have
caused the error.

More information about this error may be available in the server error log.
----------------------------------------

In audit_log I have this:
---------------------------------
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match
"\\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@" at ARGS_VALUES("body")seveverity $"EMERGENCY"]

---------------------------------

Is this the problem?
What can I do?

"Compose" or "reply" a message work fine though!

Any help would be Great!

Thanks
Roberto

Some WebSite problems after install

Hey eth00,
Great guide here. However, after installing and applying your ruleset, some minor functions in my billing/client management software, WHMCS (http://whmcs.com), do not seem to be working, specifically on the order form where clients choose a billing cycle. Here is some output that I am getting from the audit_log file.

"==c46f5334==============================
Request: members.websolvents.com 71.28.19.106 - - [14/Jul/2006:00:14:28 -0400] "POST /includes/orderfo$
Handler: application/x-httpd-php
----------------------------------------
POST /includes/orderform3.php?action=showpackagedetails&id=0000000001&billingcycle= HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;$
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=30f149f523954fe6fd37ce775912a169
Host: members.websolvents.com
Keep-Alive: 300
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "^$" at HEADER("Content-Length") [sev$

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=94
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--c46f5334--"

Any ideas?

-Kyle

mod_sec

mod_security-message: Access denied with code 403. Pattern match "^$" at HEADER("Content-Length") [sev$

Go ahead and remove the "^$" rule and you should be fine.

Where do we paste the

Where do we paste the rulset?

Literally, below "AddModule mod_security.c" inside httpd.conf?

Addmoule

There is a huge list of addmodule lines in apache, just paste it below one of them the actual position does not matter.

Hmmm, only 120 lines in this

Hmmm, only 120 lines in this ruleset. The default ruleset is over 700 lines. Why so little compared to the default ruleset? Also, are snort rules similar to mod_security rules?

This rule not work on Apache 2.2.6 and modsec 2x

Hello

How can I import this ruleset on my system? Apache 1.3.36 works perfectly but 2.2.6 does not...

These rules are not setup

These rules are not setup for mod_security version 2 yet, I am working on getting a new ruleset for version 2 in time.
