Delayed Rules whitelist.txt file has odd domains in it...

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
pelsner
Forum User
Posts: 5
Joined: Wed Oct 19, 2011 1:32 pm
Location: Texas


So I just updated my rules with last month's free/delayed rule set.
My whitelist.txt file used to be empty and now suddenly has the following:

.google.com
127.0.0.1
owned-nets.blogspot.com
.progllc.com
.atomicorp.com
.gotroot.com
pastebin.com
pastie.org
goo.gl
bit.ly
doiop.com
tinyurl.com
readthisurl.com
memurl.com
dwarfurl.com
yandex.ru
test.com
h1.ripway.com
badguy.com
attacker.com
example.com

The 00_asl_whitelist.conf file clearly says:

# Disable rules for hosts on the whitelist
# Be *VERY* careful about whom is whitelisted.

So, why would the latest rules already contain these (and some very well known hacker sites) already in the whitelist.txt file??
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


whitelist.txt is not used by the rules. It's used by some special functions in ASL.
pelsner
Forum User
Posts: 5
Joined: Wed Oct 19, 2011 1:32 pm
Location: Texas


mikeshinn wrote: whitelist.txt is not used by the rules. It's used by some special functions in ASL.
Thanks Mike,

Isn't it also used within cPanel? That's where I'm using it, and I seem to remember somewhere in the documentation (and this may have changed since then) something like this:

gotroot.com rule 00_asl_whitelist.conf file defaults to: /etc/asl/whitelist
and needs to be changed to whitelist.txt for cPanel.

I changed in the 00_asl_whitelist.conf file

/etc/asl/whitelist to whitelist.txt
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


pelsner wrote: Isn't it also used within cPanel?
If you mean cpanel with ASL, yes it's used by ASL for something else but it's not used by modsecurity. If you mean cpanel without ASL and just modsecurity, no it's not used. whitelist.txt is not used by modsecurity. It's only used by ASL.
pelsner wrote: That's where I'm using it, and I seem to remember somewhere in the documentation (and this may have changed since then) something like this:

gotroot.com rule 00_asl_whitelist.conf file defaults to: /etc/asl/whitelist
and needs to be changed to whitelist.txt for cPanel.

I changed in the 00_asl_whitelist.conf file

/etc/asl/whitelist to whitelist.txt
That may be someone else's incorrect documentation you are referring to, we don't recommend you do that (nor do you need to, so not sure why anyone would recommend it, that's a pretty unnecessary thing to do).

/etc/asl/whitelist only contains IP addresses and CIDRs that you configure for your system. It does not contain domains, nor will domains work in that file. It's also blank, because that file is yours for you to put whatever IPs/ranges you want in it.

whitelist.txt is used by a completely different element in ASL, it has nothing to do with modsecurity. So maybe that's why you are thinking the two are related. They are not, /etc/asl/whitelist and the whitelist.txt file have nothing to do with each other, so you can ignore the whitelist.txt file that comes with the rules. modsecurity does not use it.

Also, I'd recommend you change the rule back. Never change the rule files, there is no need to do so, and any update is going to really break your configuration if you change the rule files. If you have an issue with the rules you can report it as a false positive and we would be happy to fix it for free the same day it's reported. You will find the process for doing that at the URL below, and we really do appreciate any reports of False Positives - everyone benefits from better rules:

https://www.atomicorp.com/wiki/index.ph ... _Positives

And finally, a lot of incorrect information is out there on the net about how to configure modsecurity, so if you do have the rules set up as you described that's not from our documentation, so you may have followed someone else's documentation and therefore may have other issues with your configuration. So please take a look at the URL below for our official documentation about how to configure our rules so that you have both an optimal and secure configuration.

https://www.atomicorp.com/wiki/index.ph ... rity_Rules
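
The point made in the reply above, that /etc/asl/whitelist takes only IP addresses and CIDRs and that domains will not work there, can be checked mechanically. The following is an added example, not part of the original thread and not Atomicorp's tooling; it assumes one entry per line with `#` comments, and the "too broad" prefix thresholds are an arbitrary policy choice.

```python
import ipaddress

# Constructed sample: an IP whitelist into which domain entries were pasted.
SAMPLE = """\
# office and monitoring hosts (constructed sample)
127.0.0.1
192.0.2.10
198.51.100.0/24
10.0.0.0/8
.google.com
pastebin.com
203.0.113.5/33
0.0.0.0/0
"""

# Assumed policy (not from the thread): flag networks broader than these.
MIN_PREFIX = {4: 16, 6: 48}


def audit_whitelist(text):
    """Return (line_number, entry, verdict) for every non-comment entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (10.1.2.3/8)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Domains, impossible prefixes, anything that is not an IP/CIDR
            findings.append((lineno, entry, "invalid"))
            continue
        broad = net.prefixlen < MIN_PREFIX[net.version]
        findings.append((lineno, entry, "too_broad" if broad else "ok"))
    return findings


def problems(text):
    # Only the entries an administrator needs to review or remove
    return [f for f in audit_whitelist(text) if f[2] != "ok"]


if __name__ == "__main__":
    for lineno, entry, verdict in problems(SAMPLE):
        print(f"line {lineno}: {entry!r} -> {verdict}")
```

Entries reported as `invalid` are the ones that would silently do nothing in an IP-only whitelist; `too_broad` entries are valid but exempt far more hosts than a whitelist usually should.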
pelsner
Forum User
Posts: 5
Joined: Wed Oct 19, 2011 1:32 pm
Location: Texas


Thanks Michael,

That cleared up a lot :)

Regards,
Peter
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


My pleasure. Please don't hesitate to ask for help in the future. :-)