Atomicorp Repo: Mod_Security 2.7.1 rule compatibilitiy

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
jas8522
Forum User
Forum User
Posts: 52
Joined: Mon Jan 09, 2006 4:02 pm

Atomicorp Repo: Mod_Security 2.7.1 rule compatibilitiy

Unread post by jas8522 »

It seems that the release of mod_security 2.7.1 doesn't quite coincide with compatible rules in the delayed feed. Through a normal yum update, my boxes updated mod_security from the atomicorp free RPMs Repo, then ran into rule compatibility issues. I then updated to the latest delayed feed rules (modsec-201209270654) and ended up with the following error:

Code: Select all

ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/10_asl_antimalware.conf:30).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/10_asl_rules.conf:36).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/11_asl_data_loss.conf:31).
Syntax error on line 38 of /etc/httpd/modsecurity.d/15_asl_paranoid_rules.conf:
ModSecurity: Found another rule with the same id
This error refers to: id:343013 which is also found in 10_asl_rules.conf on line 90. I then disabled 15_asl_paranoid_rules.conf and was able to get configtest to pass, but still had a number of warnings:

Code: Select all

ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/10_asl_antimalware.conf:30).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/10_asl_rules.conf:36).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/11_asl_data_loss.conf:31).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/20_asl_useragents.conf:34).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/30_asl_antispam.conf:33).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/50_asl_rootkits.conf:41).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/60_asl_recons.conf:37).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/61_asl_recons_dlp.conf:37).
ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated (/etc/httpd/modsecurity.d/99_asl_jitp.conf:45).
Syntax OK
Even if the warnings aren't fixed up until a later delayed ruleset release, that seems acceptable, but it would be nice to get the error repaired in the next rules update so as to at least make the Atomicorp repo compatible with the delayed rules feed.

Thanks!
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Atomicorp Repo: Mod_Security 2.7.1 rule compatibilitiy

Unread post by mikeshinn »

Thank you for your questions. Unlike the OWASP rules, the delayed rules work just fine with 2.7.1 right now. You can ignore the deprecated error, but if you want a ruleset that doesnt have that error, use the real time rules, its already been upgraded for 2.7.x and no longer uses transforms in that manner.

As you know, the delayed rules are a delayed subset of the real time rules, so they will always be behind the real time rules by at least 90 days.
Syntax error on line 38 of /etc/httpd/modsecurity.d/15_asl_paranoid_rules.conf:
ModSecurity: Found another rule with the same id
Yes, thats expected. Please see the documentation on that ruleset:

https://www.atomicorp.com/wiki/index.ph ... rules.conf

"These are a special version of the 10_asl_rules.conf file, they use the same rule id:s as the 10_asl_rules.conf file. Therefore, you can not use these rules along with the 10_asl_rules.conf file. You can use one, or the other, but not both.

These rules are a paranoid replacement for the 10_asl_rules.conf file. These rules do not contain any known safe mode application tuning exceptions or bypasses. These rules will generate false positives. These rules are made available for users that wish to tune their own rules, and do not wish to use a ruleset that has been tuned for false positives."
Post Reply