
00_asl_rbl.conf loaded by default when using delayed rules?

Posted: Mon Oct 31, 2011 6:00 am
by kirkre
Hello. I'm using the GotRoot delayed modsecurity rules. I find that 00_asl_rbl.conf is being loaded, even though I do not have this specifically loaded in 00_mod_security.conf. Is 00_asl_rbl.conf supposed to be loaded by default when using the delayed rules? What is the best practice if I want to disable this? I commented out the unwanted xbl.spamhaus.org rule in 00_asl_rbl.conf for now, but I'm not sure if this is the best way to handle it.

In the instructions at https://www.atomicorp.com/wiki/index.ph ... rity_Rules it says to add this line to enable all rules:

Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

I did not add this line, but I notice this in the <IfModule mod_security2.c> section of this conf:
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf

Could this be loading modules I did not intend to load? Should this be commented out in a setup that uses the delayed rules?

I appreciate being able to use these rules at all. Any help with this will be appreciated.

Thanks,

Kirk

Re: 00_asl_rbl.conf loaded by default when using delayed rul

Posted: Mon Oct 31, 2011 8:33 am
by faris
Yes, basically that line will load all rules matching that regex that are in that directory. *IF* all your downloaded rules are in that directory then yes, everything matching will be loaded, including the rbl ruleset.

The simplest option is to remove that include line in the conf and then specifically load, by name, the rulesets you want. I don't know if this is the officially suggested method or not, but it should work.

Re: 00_asl_rbl.conf loaded by default when using delayed rul

Posted: Mon Oct 31, 2011 12:05 pm
by mikeshinn
I don't know if this is the officially suggested method or not, but it should work.
It is:

https://www.atomicorp.com/wiki/index.ph ... _the_rules

"Then make sure you have this line at the bottom of 00_modsecurity.conf, if you want to load all the rules (please read the bottom of this wiki article for what each ruleset does, you may not want to load all the rules):

Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

Or if you want to load some of the rules, make sure you specify only those rule files. For example:

Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"


https://www.atomicorp.com/wiki/index.ph ... m_rulesets

"The recommended minimum ruleset to load is:

Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf

If you have modsecurity 2.6.1 and up installed, you should also load additional rule files and should use this ruleset:

Include /full/path/to/your/rules/modsecurity.d/00_asl_z_antievasion.conf
Include /full/path/to/your/rules/modsecurity.d/09_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"
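A quick way to see the effect faris describes, and to check a glob Include against the recommended list quoted above, as an added example (not code from the thread or from Atomicorp): it expands the same `*asl*.conf` pattern Apache would and reports any matched rule file that is not on your intended list. The sample directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Atomicorp: preview what an
# "Include modsecurity.d/*asl*.conf" line will pull in and report any matched
# rule file that is NOT on your intended list (e.g. the recommended minimum
# set quoted above), so a stray 00_asl_rbl.conf is noticed before a reload.

# glob_matches DIR PATTERN: basenames in DIR matching the shell glob PATTERN,
# sorted, which is also the order Apache documents for a wildcard Include.
glob_matches() {
    dir=$1; pat=$2
    for f in "$dir"/$pat; do
        [ -e "$f" ] && basename "$f"
    done | sort
}

# unintended_includes DIR PATTERN WANTED...: matched files not listed in WANTED.
unintended_includes() {
    dir=$1; pat=$2; shift 2
    wanted=" $* "
    glob_matches "$dir" "$pat" | while read -r name; do
        case "$wanted" in
            *" $name "*) ;;        # intended, skip
            *) echo "$name" ;;     # loaded by the glob but never asked for
        esac
    done
}

# Constructed sample modsecurity.d directory; file names are those in the thread.
SAMPLE_DIR=$(mktemp -d)
for f in modsecurity_crs_10_config.conf 00_asl_rbl.conf 10_asl_antimalware.conf \
         10_asl_rules.conf 20_asl_useragents.conf 99_asl_jitp.conf; do
    : > "$SAMPLE_DIR/$f"
done

# The operator intends only these four; 00_asl_rbl.conf matches *asl*.conf too,
# so it is printed as the one file the glob loads behind their back.
unintended_includes "$SAMPLE_DIR" '*asl*.conf' \
    10_asl_antimalware.conf 10_asl_rules.conf 20_asl_useragents.conf 99_asl_jitp.conf
```

Point it at your real modsecurity.d and the real list of Includes you want, and replace the glob line with explicit Includes for anything it reports that you did not intend.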

Re: 00_asl_rbl.conf loaded by default when using delayed rul

Posted: Mon Oct 31, 2011 12:54 pm
by kirkre
Thanks mikeshinn. But is what faris says true?

<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.

# Basic configuration goes in here
Include modsecurity.d/modsecurity_crs_10_config.conf

# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf

</IfModule>

If the line 'Include modsecurity.d/*asl*.conf' in the IfModule section of 00_mod_security.conf loads all the modules regardless, then I find the instructions confusing. The instructions talk about adding the *asl*.conf include to the bottom of 00_mod_security.conf which I assumed means outside of the IfModule section. If what faris says is correct, I think it would be clearer to mention in the instructions that this line needs to be removed from the IfModule section in delayed rule setups. Either way I am still not sure I have it right and would appreciate some clarification.

Thanks,

Kirk

Re: 00_asl_rbl.conf loaded by default when using delayed rul

Posted: Mon Oct 31, 2011 1:53 pm
by kirkre
Thanks, I got it now. The first time I read your replies I missed something and sent a further inquiry which hasn't shown up; maybe the moderator can delete it? Now I see that both your replies are crystal clear. Just needed another cup of tea before my brain was fully working :-)

Thanks,

Kirk

Re: 00_asl_rbl.conf loaded by default when using delayed rul

Posted: Mon Oct 31, 2011 10:49 pm
by kirkre
I guess my confusion from the start was in thinking ANY of the includes were meant to go outside of the IfModule section.

If it takes a little effort to sort this out, it is still nothing compared to the effort it would take to get other mod security rule sets working without issue. Even with all the delayed rules added by mistake, RBL is the only one that has caused issues for us.