00_asl_rbl.conf loaded by default when using delayed rules?

kirkre
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Hello. I'm using the GotRoot delayed modsecurity rules. I find that 00_asl_rbl.conf is being loaded, even though I do not have this specifically loaded in 00_mod_security.conf. Is 00_asl_rbl.conf supposed to be loaded by default when using the delayed rules? What is the best practice if I want to disable this? I commented out the unwanted xbl.spamhaus.org rule in 00_asl_rbl.conf for now, but not sure if this is the best way to handle it.

In the instructions at https://www.atomicorp.com/wiki/index.ph ... rity_Rules it says to add this line to enable all rules:

Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

I did not add this line, but I notice this in the <IfModule mod_security2.c> section of this conf:
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf

Could this be loading modules I did not intend to load? Should this be commented out in a setup that uses the delayed rules?

I appreciate being able to use these rules at all. Any help with this will be appreciated.

Thanks,

Kirk
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Yes, basically that line will load all rules matching that regex that are in that directory. *IF* all your downloaded rules are in that directory then yes, everything matching will be loaded, including the rbl ruleset.

The simplest option is to remove that include line in the conf and then specifically load, by name, the rulesets you want. I don't know if this is the officially suggested method or not, but it should work.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

faris wrote: I don't know if this is the officially suggested method or not, but it should work.
It is:

https://www.atomicorp.com/wiki/index.ph ... _the_rules

"Then make sure you have this line at the bottom of 00_modsecurity.conf, if you want to load all the rules (please read the bottom of this wiki article for what each ruleset does, you may not want to load all the rules):

Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

Or if you want to load some of the rules, make sure you specify only those rule files. For example:

Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"


https://www.atomicorp.com/wiki/index.ph ... m_rulesets

"The recommended minimum ruleset to load is:

Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf

If you have modsecurity 2.6.1 and up installed, you should also load additional rule files and should use this ruleset:

Include /full/path/to/your/rules/modsecurity.d/00_asl_z_antievasion.conf
Include /full/path/to/your/rules/modsecurity.d/09_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"
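
A quick way to see what a wildcard Include pulls in, as an added example that is not part of any post in this thread: the script resolves each Include line in a conf file (relative paths against ServerRoot, as Apache does) and prints every matched file that is not on the list you meant to load. The function names and the sample tree are constructed for illustration, and nested includes are not followed.

```sh
# Added example: show which rule files the Include lines in a ModSecurity
# conf resolve to, and flag any that are not on an explicit allowlist.

# expand_includes CONF SERVERROOT -> one resolved file path per line
expand_includes() {
    conf=$1; root=$2
    # Uncommented Include directives only; field 2 is the path or wildcard
    awk 'tolower($1) == "include" { print $2 }' "$conf" |
    while read -r pat; do
        case $pat in
            /*) ;;                  # absolute path, use as written
            *)  pat=$root/$pat ;;   # relative paths resolve against ServerRoot
        esac
        for f in $pat; do           # unquoted so the shell expands the wildcard
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# unexpected_rules CONF SERVERROOT ALLOWED_NAME... -> loaded files not allowed
unexpected_rules() {
    conf=$1; root=$2; shift 2
    expand_includes "$conf" "$root" | while read -r f; do
        base=${f##*/}; ok=no
        for a in "$@"; do
            if [ "$base" = "$a" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$base"; fi
    done
}

# Constructed sample tree: empty files stand in for the downloaded rules
demo=$(mktemp -d)
mkdir -p "$demo/modsecurity.d" "$demo/conf.d"
for f in 00_asl_rbl.conf 10_asl_rules.conf 99_asl_jitp.conf \
         modsecurity_crs_10_config.conf; do
    : > "$demo/modsecurity.d/$f"
done
cat > "$demo/conf.d/00_mod_security.conf" <<'EOF'
<IfModule mod_security2.c>
Include modsecurity.d/modsecurity_crs_10_config.conf
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf
</IfModule>
EOF

# Intended set: the config file plus the two rule files named in the thread
unexpected_rules "$demo/conf.d/00_mod_security.conf" "$demo" \
    modsecurity_crs_10_config.conf 10_asl_rules.conf 99_asl_jitp.conf
```

On a real server, pass the actual conf file, the ServerRoot, and the file names you intend to load; anything printed is being loaded by a wildcard you did not account for.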
kirkre
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Thanks mikeshinn. But is what faris says true?

<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.

# Basic configuration goes in here
Include modsecurity.d/modsecurity_crs_10_config.conf

# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf

</IfModule>

If the line 'Include modsecurity.d/*asl*.conf' in the IfModule section of 00_mod_security.conf loads all the modules regardless, then I find the instructions confusing. The instructions talk about adding the *asl*.conf include to the bottom of 00_mod_security.conf which I assumed means outside of the IfModule section. If what faris says is correct, I think it would be clearer to mention in the instructions that this line needs to be removed from the IfModule section in delayed rule setups. Either way I am still not sure I have it right and would appreciate some clarification.

Thanks,

Kirk
kirkre
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Thanks I got it now. The first time I read your replies I missed something and sent a further inquiry which hasn't shown up, maybe the moderator can delete it? Now I see that both your replies are crystal clear. Just needed another cup of tea before my brain was fully working :-)

Thanks,

Kirk
kirkre
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

I guess my confusion from the start was in thinking ANY of the includes were meant to go outside of the IfModule section.

If it takes a little effort to sort this out, it is still nothing compared to the effort it would take to get other mod security rule sets working without issue. Even with all the delayed rules added by mistake, RBL is the only one that has caused issues for us.