Server Administration & Management

Customizing a rule regarding Mod_Security

If you need to customize a rule, do not change the asl*conf files. These files will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something, we recommend you report it to us as a False Positive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security directive SecRuleRemoveById. Here is a simple example:

If you had an original rule like this:

 SecRule REQUEST_URI "/foo" "t:normalisePath,id:9000000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"

And you want it to block "bar" instead of "foo", then you would copy the entire rule into your own custom rule file. If you are using our rules, we recommend you use the filename 99_asl_zzz_custom.conf, and change the id: field to an unused ID.

 SecRuleRemoveById 9000000
 SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999999,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /bar'"

These are the reserved ranges:

*     1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others.
*     100,000-199,999; reserved for internal use of the engine, to assign to rules that do not have explicit IDs.
*     200,000-299,999; reserved for rules published at modsecurity.org.
*     300,000-399,999; reserved for rules published at gotroot.com.
*     400,000-419,999; unused (available for reservation).
*     420,000-429,999; reserved for ScallyWhack.
*     430,000-699,999; unused (available for reservation).
*     700,000-799,999; reserved for Ivan Ristic.
*     900,000-999,999; reserved for the Core Rules project.
*     1,000,000 and above; unused (available for reservation).
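
The override procedure and the ID ranges above can be checked mechanically before a custom file is loaded. The following is an added example, not code from this page or from Atomicorp: the function names and sample strings are constructed for illustration, and it goes slightly beyond the text by also accepting the quoted "low-high" range form that SecRuleRemoveById supports.

```python
import re

# Reserved ID ranges that belong to someone else, as listed on this page.
RESERVED = [(100_000, 199_999, "engine internal"), (200_000, 299_999, "modsecurity.org"),
            (300_000, 399_999, "gotroot.com"), (420_000, 429_999, "ScallyWhack"),
            (700_000, 799_999, "Ivan Ristic"), (900_000, 999_999, "Core Rules project")]
ID_RE = re.compile(r"\bid:'?(\d+)")
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.M)

def rule_ids(conf):
    """IDs declared in rule actions; comment lines are skipped."""
    live = [l for l in conf.splitlines() if not l.lstrip().startswith("#")]
    return [int(i) for l in live for i in ID_RE.findall(l)]

def removals(conf):
    """SecRuleRemoveById arguments as (token, low, high); ranges look like "100-200"."""
    out = []
    for args in REMOVE_RE.findall(conf):
        for tok in args.replace('"', " ").split():
            lo, _, hi = tok.partition("-")
            out.append((tok, int(lo), int(hi or lo)))
    return out

def lint(vendor_conf, custom_conf):
    """Return findings for a custom rule file checked against the vendor rules."""
    vendor, findings = set(rule_ids(vendor_conf)), []
    for tok, lo, hi in removals(custom_conf):
        if not any(lo <= v <= hi for v in vendor):
            findings.append(f"SecRuleRemoveById {tok}: no vendor rule has this id")
    for cid in rule_ids(custom_conf):
        if cid in vendor:
            findings.append(f"id {cid}: still the vendor rule's id, pick an unused one")
        findings += [f"id {cid}: inside the range reserved for {who}"
                     for lo, hi, who in RESERVED if lo <= cid <= hi]
    return findings

# Constructed sample input: the vendor rule and the override from this page,
# plus a broken override (mistyped removal id, copied rule keeps id 9000000).
VENDOR = '''SecRule REQUEST_URI "/foo" "t:normalisePath,id:9000000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"'''
GOOD = '''SecRuleRemoveById 9000000
SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999999,rev:1,severity:2,msg:'Block /bar'"'''
BAD = '''SecRuleRemoveById 900000
SecRule REQUEST_URI "/bar" "t:normalisePath,id:9000000,rev:1,severity:2,msg:'Block /bar'"'''

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("bad", BAD)):
        print(name, lint(VENDOR, conf) or "ok")
```

A mistyped removal ID is the failure worth catching: the original rule stays active next to the copy, so the behaviour you meant to replace is still enforced.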

June 29, 2011 | Mod_Security