Atomicorp

We cant speak for Plesk, they may have their own process for installing and configuring modsecurity, but modsecurity rules are not platform dependant. Simply load the rules into modsecurity on whatever platform you are using and theyll work.

Certainly, the supported rules provide a lot more information and support is provided for any issues the same day the issue is reported, updates for false positives for example are provided the same day they are reported, our goal is provide any update within an hour.

It looks like youre using the unsupported free rules, is that correct?

The rules are supported on any platform that supports modsecurity, that includes Centos 8.

Can you put ossec-maild into debug mode and share whats happening when its using an unusually high amount of CPU?

That means these options are disabled in ASL/AWP: Advanced Malware Removal Ruleset: off [MODERATE] https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_98_ADV_REDACTOR Just In Time Patches: off [HIGH] https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_JITP Basic Malware Removal Ruleset:...

So this error: 2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 >/dev/null -- httpd: Syntax error on line 1 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf.d/00_mod_security.conf: Cannot load modules/mod_security2.so into server: /etc/httpd/modules/mod_...

Unfortunately 0.102.x isnt supported on el6/7 it requires a version of the curl api thats not available for those platforms (which is also why epel doesnt have updates to 1.102.x either). clamav has basically abandoned el6/7 with this choice. clamav 1.102.x is going to need to be re-written in those...

WAF events are logged concurrently to the event data repository with one per event and are stored by default in this location on the system:

/var/asl/data/audit/apache

Ah, OK si that sounds like youre just using the open source builds? If so, then you need to grab the latest source code and build from that the binary your using is quite old and it looks like youre using 3.0, whereas the source tree has patches for the upcoming 4.0 release. If youre using the comme...

Thats pretty old, I dont think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v

Sorry if I wasnt clear, the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v

They basically the same thing. You may want to disable some services that are used just with agents, like remoted but otherwise a standalone instance is an ossec server as opposed to an agent.

Yes the latest version of AEO allows for setting effectively an unlimited limit, just make sure youre using the latest version of AEO.

What version of OSSEC are you using?