Server Administration & Management

Customizing a rule regarding Mod_Security

If you need to customize a rule do not change the asl*conf files. These files will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something we recommend you report it to use as a False Postive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security action SecRuleRemoveById. Here is a simple example:

If you had an original rule like this:

 SecRule REQUEST_URI “/foo” “t:normalisePath,id:9000000,rev:1,severity:2,msg:’Atomicorp.com WAF Rules: Block /foo'”

And you want it to block “bar” instead of “foo”, then you would copy the entire rule into your own custom rule file. If you are using our rules we recommend you use the filename 99_asl_zzz_custom.confm and change the id: field to an unused ID.

 SecRuleRemoveById 9000000
 SecRule REQUEST_URI “/bar” “t:normalisePath,id:9999999,rev:1,severity:2,msg:’Atomicorp.com WAF Rules: Block /foo'”

These are the reserved ranges:

*     1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others.
*     100,000-199,999; reserved for internal use of the engine, to assign to rules that do not have explicit IDs.
*     200,000-299,999; reserved for rules published at modsecurity.org.
*     300,000-399,999; reserved for rules published at gotroot.com.
*     400,000-419,999; unused (available for reservation).
*     420,000-429,999; reserved for ScallyWhack.
*     430,000-699,999; unused (available for reservation).
*     700,000-799,999; reserved for Ivan Ristic.
*     900,000-999,999; reserved for the Core Rules project.
*     1,000,000 and above; unused (available for reservation).


June 29, 2011 - Posted by | Mod_Security |

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: