Deleted |
mod_security-ix.changes
@@ -1,134 +0,0 @@
--------------------------------------------------------------------
-Wed Jan 11 06:34:21 UTC 2023 - Carsten Schoene <carsten.schoene@internetx.com>
-
-- Update to release 2.9.7
-
--------------------------------------------------------------------
-Thu Mar 17 10:30:16 UTC 2022 - Local OBS User <cs@linux-administrator.com>
-
-- Update to release 2.9.5
-
--------------------------------------------------------------------
-Mon Aug 23 11:39:54 UTC 2021 - Local OBS User <cs@linux-administrator.com>
-
-- Update to release 2.9.4
-
--------------------------------------------------------------------
-Wed Feb 5 09:52:49 UTC 2020 - Local OBS User <cs@linux-administrator.com>
-
-- Update to release 2.9.3
-
--------------------------------------------------------------------
-Wed May 16 06:44:59 UTC 2018 - cs@linux-administrator.com
-
-- Update to release 2.9.2
-
--------------------------------------------------------------------
-Thu Apr 9 09:26:32 UTC 2015 - cs@linux-administrator.com
-
-- Update to relesae 2.9.0
-- set PERL ENV var to /usr/bin/perl
-- drop mlogc-disable-force-sslv3.patch (TLSv1 is default now)
-
--------------------------------------------------------------------
-Fri Aug 8 17:29:19 UTC 2014 - cs@linux-administrator.com
-
-- Update to release 2.8.0
-
--------------------------------------------------------------------
-Sun Jan 5 16:20:52 UTC 2014 - cs@linux-administrator.com
-
-- enable --enable-htaccess-config
-
--------------------------------------------------------------------
-Thu Dec 19 23:23:46 UTC 2013 - cs@linux-administrator.com
-
-- Update to release 2.7.7
-
--------------------------------------------------------------------
-Tue Jul 30 17:01:30 UTC 2013 - cs@linux-administrator.com
-
-- Update to release 2.7.5
-
--------------------------------------------------------------------
-Thu Jul 11 19:33:18 UTC 2013 - cs@linux-administrator.com
-
-- build against asl-libxml2 for EL5 based systems
-
--------------------------------------------------------------------
-Sat Jun 29 17:00:16 UTC 2013 - cs@linux-administrator.com
-
-- added CVE-2013-2765.patch for 2.6.8 (included in 2.7.4)
-
--------------------------------------------------------------------
-Wed Jun 5 10:16:47 UTC 2013 - cs@linux-administrator.com
-
-- fix permissions in cleanup cron script
-
--------------------------------------------------------------------
-Mon May 27 17:02:32 UTC 2013 - cs@linux-administrator.com
-
-- Update to release 2.7.4 (only for >= SLE_11, >= EL6)
-
--------------------------------------------------------------------
-Fri Mar 29 17:31:45 UTC 2013 - cs@linux-administrator.com
-
-- Update to release 2.7.3 (only for >= SLE_11, >= EL6)
-
--------------------------------------------------------------------
-Fri Jan 25 20:10:39 UTC 2013 - cs@linux-administrator.com
-
-- Update to release 2.7.2 (only for >= SLE_11, >= EL6)
-
--------------------------------------------------------------------
-Sat Dec 29 10:33:37 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.7.1 (only for >= SLE_11, >= EL6)
-
--------------------------------------------------------------------
-Wed Oct 3 08:10:36 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.6.8
-
--------------------------------------------------------------------
-Sun Jul 29 15:58:38 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.6.7
-
--------------------------------------------------------------------
-Wed Jul 18 07:05:49 UTC 2012 - cs@linux-administrator.com
-
-- disable Rule 340152
-
--------------------------------------------------------------------
-Tue Jul 3 08:30:53 UTC 2012 - cs@linux-administrator.com
-
-- disable Cross-Site Request Forgery (CSRF) rules
-- add cleanup cron for /var/asl/data/audit
-
--------------------------------------------------------------------
-Mon Jun 18 10:21:17 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.6.6
- - added rule 391213 to default exclude list
-
--------------------------------------------------------------------
-Thu Mar 29 21:43:48 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.6.5
-
--------------------------------------------------------------------
-Sat Jan 7 21:44:12 UTC 2012 - cs@linux-administrator.com
-
-- Update to release 2.6.3
-
--------------------------------------------------------------------
-Sun Oct 23 09:49:21 UTC 2011 - cs@linux-administrator.com
-
-- Update to release 2.6.2
-
--------------------------------------------------------------------
-Fri Jul 22 07:10:30 UTC 2011 - cs@linux-administrator.com
-
-- Update to release 2.6.1
-
Changed |
mod_security-ix.spec
Deleted |
CVE-2013-2765.patch
@@ -1,10 +0,0 @@
---- modsecurity-apache_2.6.8/apache2/msc_reqbody.c.orig 2013-06-29 18:56:31.446864803 +0200
-+++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-06-29 18:56:45.354863561 +0200
-@@ -170,6 +170,7 @@
-
- /* Would storing this chunk mean going over the limit? */
- if ((msr->msc_reqbody_spilltodisk)
-+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
- && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
- {
- msc_data_chunk **chunks;
Deleted |
mlogc-disable-force-sslv3.patch
@@ -1,11 +0,0 @@
---- mlogc/mlogc.c.orig 2012-03-05 17:20:00.254555490 +0100
-+++ mlogc/mlogc.c 2012-03-05 17:20:10.430753985 +0100
-@@ -1214,7 +1214,7 @@
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
- /* SSLv3 works better overall as some servers have issues with TLS */
-- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
-+ /* curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); */
- curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
- curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
- curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
Deleted |
modsecurity-2.9.1_curl-lower_7.34.patch
@@ -1,60 +0,0 @@
---- mlogc/mlogc.c.orig 2016-06-02 09:15:03.283648355 +0200
-+++ mlogc/mlogc.c 2016-06-02 10:59:44.378377602 +0200
-@@ -1270,33 +1270,36 @@
- }
-
-
-- /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl
-- * < v7.34.0
-- *
-- * version_num is a 24 bit number created like this:
-- * <8 bits major number> | <8 bits minor number> | <8 bits patch number>.
-- */
-- switch (tlsprotocol) {
-- case 0:
-- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
-- break;
-- case 1:
-- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
-- break;
-- case 2:
-- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
-- break;
-- default:
-- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
-- break;
-- }
- cmaj = curlversion->version_num >> 16;
- cmin = (curlversion->version_num & 0x00ff00) >> 8;
- cpat = (curlversion->version_num & 0x0000ff);
- /* If cURL version < v7.34.0, use TLS v1.x */
- if (cmaj <= 7 && cmin < 34) {
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
-- }
-+#ifdef CURL_SSLVERSION_TLSv1_0
-+ } else {
-+ /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl
-+ * < v7.34.0
-+ *
-+ * version_num is a 24 bit number created like this:
-+ * <8 bits major number> | <8 bits minor number> | <8 bits patch number>.
-+ */
-+ switch (tlsprotocol) {
-+ case 0:
-+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
-+ break;
-+ case 1:
-+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
-+ break;
-+ case 2:
-+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
-+ break;
-+ default:
-+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
-+ break;
-+ }
-+#endif
-+ }
-
- curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
- curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
Deleted |
00_mod_security.conf.suse
@@ -1,18 +0,0 @@
-# Example configuration file for the mod_security Apache module
-
-#LoadModule security2_module modules/mod_security2.so
-#LoadModule unique_id_module modules/mod_unique_id.so
-# run:
-# a2enmod unique_id
-# a2enmod security2
-
-<IfModule mod_security2.c>
- # This is the ModSecurity Core Rules Set.
-
- # Basic configuration goes in here
- Include /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf
-
- # Rule management is handled by ASL
- Include /etc/apache2/modsec/*asl*.conf
-
-</IfModule>
Deleted |
modsec-clamscan.pl
@@ -1,50 +0,0 @@
-#!/usr/bin/perl
-#
-# modsec-clamscan.pl
-# ModSecurity for Apache (http://www.modsecurity.org)
-# Copyright (c) 2002-2007 Breach Security, Inc. (http://www.breach.com)
-#
-# This script is an interface between mod_security and its
-# ability to intercept files being uploaded through the
-# web server, and ClamAV
-
-# by default use the command-line version of ClamAV,
-# which is slower but more likely to work out of the
-# box
-$CLAMSCAN = "/usr/bin/clamscan";
-
-# using ClamAV in daemon mode is faster since the
-# anti-virus engine is already running, but you also
-# need to configure file permissions to allow ClamAV,
-# usually running as a user other than the one Apache
-# is running as, to access the files
-# $CLAMSCAN = "/usr/bin/clamdscan";
-
-if (@ARGV != 1) {
- print "Usage: modsec-clamscan.pl <filename>\n";
- exit;
-}
-
-my ($FILE) = @ARGV;
-
-$cmd = "$CLAMSCAN --stdout --no-summary $FILE";
-$input = `$cmd`;
-$input =~ m/^(.+)/;
-$error_message = $1;
-
-$output = "0 Unable to parse clamscan output [$1]";
-
-if ($error_message =~ m/: Empty file\.?$/) {
- $output = "1 empty file";
-}
-elsif ($error_message =~ m/: (.+) ERROR$/) {
- $output = "0 clamscan: $1";
-}
-elsif ($error_message =~ m/: (.+) FOUND$/) {
- $output = "0 clamscan: $1";
-}
-elsif ($error_message =~ m/: OK$/) {
- $output = "1 clamscan: OK";
-}
-
-print "$output\n";
Deleted |
modsec-clean_var-asl-data-audit
@@ -1,5 +0,0 @@
-#!/bin/bash
-nice -n 19 find /var/asl/data/audit -type d -mindepth 1 -cmin +30 -print0 | xargs -r -0 rm -rf
-mkdir -p /var/asl/data/audit
-chown -R %APAUSR%:%APAGRP% /var/asl/data/audit
-[ -x /usr/local/bin/modsec-permissions ] && /usr/local/bin/modsec-permissions || :
Deleted |
modsecurity-2.8.0.tar.bz2
Deleted |
modsecurity-2.9.0.tar.bz2
Deleted |
modsecurity-2.9.2.tar.bz2
Deleted |
modsecurity-2.9.3.tar.bz2
Deleted |
modsecurity-2.9.4.tar.bz2
Deleted |
modsecurity-2.9.5.tar.bz2
Deleted |
modsecurity-2.9.7.tar.bz2
Changed |
modsecurity-apache_2.5.12.tar.gz
Deleted |
modsecurity-apache_2.7.4.tar.bz2
Deleted |
modsecurity-apache_2.7.5.tar.bz2
Deleted |
modsecurity-apache_2.7.7.tar.bz2
Added |
modsecurity_crs_10_config--default.conf
@@ -0,0 +1,302 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.1.6.1
+# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# Configuration contained in this file should be customized
+# for your specific requirements before deployment.
+#
+# Next to each rule there is a description of what it does. Each
+# location where customization is needed is marked with "TODO". It
+# is recommended that you:
+#
+# 1) Keep a copy of the original file. This will allow you to use
+# the "diff" command to quickly see the changes. It will also
+# make upgrades to future rule sets easier.
+#
+# 2) Document your changes thoroughly.
+#
+# You are advised to start with ModSecurity in detection mode only.
+# Switch to protection when you are comfortable with your rule set.
+# For maximum protection monitor your logs on daily basis (or
+# better).
+#
+
+# TODO You may want to provide an error friendly message to your
+# users when you start rejecting requests. You can do this using
+# the Apache ErrorDocument directive. You should also add
+# mod_unique_id to your configuration and display the unique
+# request ID on the error page. This would allow your users to
+# report the request ID back to you so that you can investigate
+# the false positive (if that's what it is). A nice error page
+# usually reduces the impact of false positives on the users.
+#
+# The drawback of this user friendly approach is that it is
+# easier for the attackers to figure out there is an web
+# application firewall protecting the application.
+#
+# ErrorDocument 403 /path/to/error_document.php
+#
+# For more information see
+# http://httpd.apache.org/docs-2.0/custom-error.html
+
+
+## -- Configuration ----------------------------------------------------------
+
+# Turn ModSecurity on ("On"), set to monitoring only
+# ("DetectionOnly") or turn off ("Off").
+#
+SecRuleEngine On
+
+# Define which part of the HTTP transaction to inspect.
+#
+# Inspecting request body (SecRequestBodyAccess) should probably be always set
+# to "on". Only very high volume sites that never use POST requests might want
+# to set it to "off" to optimize performance.
+#
+# Inspecting response body is useful for monitoring for information leaks,
+# or for signs of intrusion. However, it does require all responses to be
+# buffered in memory. For most sites this should not be a problem, but special
+# care must be taken to avoid buffering file downloads (through
+# MIME type selection, as shown below).
+#
+# TODO If you decide to enable output filtering make sure to
+# review the list of scanned MIME types. If pages of the types specified
+# for outbound inspection are smaller than 512K in you application
+# (which is usually the case) you may reduce the SecResponseBodyLimit
+# to protect from potential denial of service attacks.
+#
+SecRequestBodyAccess On
+SecResponseBodyAccess On
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+SecResponseBodyLimit 2621440
+
+
+# Initiate XML Processor in case of xml content-type
+#
+# TODO Uncomment this rule if you wish to parse
+# text/xml requests using the XML parser. Note
+# that this may cause considerable overhead in processing
+# text/xml requests.
+#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
+
+
+# What to do when an error is encountered.
+#
+# The default is to log the error and let the request go through.
+# This is a reasonable setting to start with because you do not
+# want to reject legitimate requests with an untuned rule set.
+#
+# If, after monitoring the performance of the rule set after a
+# sufficient period, you determine the rules never (or rarely
+# trigger on legitimate requests) you can change to something
+# else, such as "log,deny,status:403". You can also leave the
+# default setting here as is, but use per rule action configuration
+# to only configure some rules to reject requests, leaving most
+# of them to work in detection mode.
+#
+#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
+
+# Set web server identification string
+#
+# TODO In case you use Apache, you may want specify a simple server signature
+# instead of the detailed Apache default signature that list most modules
+# used on the specific Apache deployment:
+# "Apache/2.2.0 (Fedora)"
+# For this directive to work, you need to set Apache ServerTokens
+# to Full (this is the default option)
+SecServerSignature Apache
+
+# Add ruleset identity to the logs
+#
+SecComponentSignature 201001071602
+
+## -- File uploads configuration -----------------------------------------------
+# Temporary file storage path.
+#
+# TODO Change the temporary folder setting to a path where only
+# the web server has access.
+#
+SecUploadDir /var/asl/data/suspicious
+
+# Whether or not to keep the stored files.
+#
+# In most cases you don't want to keep the uploaded files (especially
+# when there is a lot of them). It may be useful to change the setting
+# to "RelevantOnly", in which case the files uploaded in suspicious
+# requests will be stored.
+#
+SecUploadKeepFiles Off
+
+# Inspect uploaded files.
+#
+# TODO If there is a danger of attack through uploaded files then it
+# is possible to configure an external script to inspect each file
+# before it is seen by the application. An example script is
+# included with ModSecurity (/util/modsec-clamscan.pl).
+#
+# Inspecting uploaded files is especially important in a hosting,
+# community or blogging environments where uploading files is permitted.
+#
+# NOTE the t:none action is required in order not to process the files names
+# passed to the script based on previously defined actions in a
+# SecDefaultAction directive.
+#
+# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
+# "t:none"
+
+## -- Logging ----------------------------------------------------------------
+
+# Whether to log requests to the ModSecurity audit log.
+#
+# By default, only requests that trigger a ModSecurity events (as detected
+# by) or a serer error are logged ("RelevantOnly"). This is a reasonable
+# setting. Full logging can be set by using # "on". If the system is used
+# for protection only and no logging is desired (not reccomended) logging can
+# be turned of using "off"
+#
+# NOTE It is also possible to configure forensic logging on the
+# per request basis using the "auditlog" and "noauditlog" rule
+# actions.
+#
+# TODO The default rule set logs requests that generate a 404 "file not found"
+# response. These events are interesting, but may log a lot of information.
+# you may consider removing it by setting SecAuditLogRelevantStatus
+# to "^(?:5|4\d[^4])".
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log files structure
+#
+# You can select to log all events to a single log file (set SecAuditLogType to
+# "Serial") or to log each request to a separate file (set it to "Concurrent").
+# The former is usually easier to use, but if full logging is required or if
+# the protected system supports a large transaction volume the later may
+# be a better option.
+#
+# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
+# "Concurrent" logging).
+#
+# TODO If you change from "Serial" to "Concurrent" uncomment the
+# SecAuditLogStorageDir directive and make sure the direcory specified
+# exists and has write permissions for the Apache user.
+
+SecAuditLogType Concurrent
+SecAuditLog logs/audit_log
+# SecAuditLogStorageDir logs/modsec_audit
+
+# Select what portions of the request to log
+#
+# Modify the string by adding any of the letter below to it:
+# A - audit log header (mandatory)
+# B - request headers
+# C - request body (present only if the request body exists and ModSecurity is
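Review bot: `SecAuditLogType Concurrent` is enabled here while `SecAuditLogStorageDir` stays commented out on the line after `SecAuditLog logs/audit_log`, although the TODO just above says the directive has to be uncommented for Concurrent logging. Unless a later line or another included file sets it, per-transaction audit entries have no storage directory and audit logging will likely fail. I would change the line to `SecAuditLogStorageDir logs/modsec_audit` and add the comment `# must exist, writable by the Apache user only: entries can contain request headers and bodies`. Both paths are relative, so they presumably resolve against ServerRoot; the deleted .suse variant used absolute paths under /var/log/apache2. The listing on this page stops partway through the 302-line file, so the remaining lines could not be checked.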
Deleted |
modsecurity_crs_10_config-default.conf
@@ -1,302 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-# Configuration contained in this file should be customized
-# for your specific requirements before deployment.
-#
-# Next to each rule there is a description of what it does. Each
-# location where customization is needed is marked with "TODO". It
-# is recommended that you:
-#
-# 1) Keep a copy of the original file. This will allow you to use
-# the "diff" command to quickly see the changes. It will also
-# make upgrades to future rule sets easier.
-#
-# 2) Document your changes thoroughly.
-#
-# You are advised to start with ModSecurity in detection mode only.
-# Switch to protection when you are comfortable with your rule set.
-# For maximum protection monitor your logs on daily basis (or
-# better).
-#
-
-# TODO You may want to provide an error friendly message to your
-# users when you start rejecting requests. You can do this using
-# the Apache ErrorDocument directive. You should also add
-# mod_unique_id to your configuration and display the unique
-# request ID on the error page. This would allow your users to
-# report the request ID back to you so that you can investigate
-# the false positive (if that's what it is). A nice error page
-# usually reduces the impact of false positives on the users.
-#
-# The drawback of this user friendly approach is that it is
-# easier for the attackers to figure out there is an web
-# application firewall protecting the application.
-#
-# ErrorDocument 403 /path/to/error_document.php
-#
-# For more information see
-# http://httpd.apache.org/docs-2.0/custom-error.html
-
-
-## -- Configuration ----------------------------------------------------------
-
-# Turn ModSecurity on ("On"), set to monitoring only
-# ("DetectionOnly") or turn off ("Off").
-#
-SecRuleEngine On
-
-# Define which part of the HTTP transaction to inspect.
-#
-# Inspecting request body (SecRequestBodyAccess) should probably be always set
-# to "on". Only very high volume sites that never use POST requests might want
-# to set it to "off" to optimize performance.
-#
-# Inspecting response body is useful for monitoring for information leaks,
-# or for signs of intrusion. However, it does require all responses to be
-# buffered in memory. For most sites this should not be a problem, but special
-# care must be taken to avoid buffering file downloads (through
-# MIME type selection, as shown below).
-#
-# TODO If you decide to enable output filtering make sure to
-# review the list of scanned MIME types. If pages of the types specified
-# for outbound inspection are smaller than 512K in you application
-# (which is usually the case) you may reduce the SecResponseBodyLimit
-# to protect from potential denial of service attacks.
-#
-SecRequestBodyAccess On
-SecResponseBodyAccess On
-SecResponseBodyMimeType (null) text/html text/plain text/xml
-SecResponseBodyLimit 2621440
-
-
-# Initiate XML Processor in case of xml content-type
-#
-# TODO Uncomment this rule if you wish to parse
-# text/xml requests using the XML parser. Note
-# that this may cause considerable overhead in processing
-# text/xml requests.
-#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
-
-
-# What to do when an error is encountered.
-#
-# The default is to log the error and let the request go through.
-# This is a reasonable setting to start with because you do not
-# want to reject legitimate requests with an untuned rule set.
-#
-# If, after monitoring the performance of the rule set after a
-# sufficient period, you determine the rules never (or rarely
-# trigger on legitimate requests) you can change to something
-# else, such as "log,deny,status:403". You can also leave the
-# default setting here as is, but use per rule action configuration
-# to only configure some rules to reject requests, leaving most
-# of them to work in detection mode.
-#
-#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
-
-# Set web server identification string
-#
-# TODO In case you use Apache, you may want specify a simple server signature
-# instead of the detailed Apache default signature that list most modules
-# used on the specific Apache deployment:
-# "Apache/2.2.0 (Fedora)"
-# For this directive to work, you need to set Apache ServerTokens
-# to Full (this is the default option)
-SecServerSignature Apache
-
-# Add ruleset identity to the logs
-#
-SecComponentSignature 201001071602
-
-## -- File uploads configuration -----------------------------------------------
-# Temporary file storage path.
-#
-# TODO Change the temporary folder setting to a path where only
-# the web server has access.
-#
-SecUploadDir /var/asl/data/suspicious
-
-# Whether or not to keep the stored files.
-#
-# In most cases you don't want to keep the uploaded files (especially
-# when there is a lot of them). It may be useful to change the setting
-# to "RelevantOnly", in which case the files uploaded in suspicious
-# requests will be stored.
-#
-SecUploadKeepFiles Off
-
-# Inspect uploaded files.
-#
-# TODO If there is a danger of attack through uploaded files then it
-# is possible to configure an external script to inspect each file
-# before it is seen by the application. An example script is
-# included with ModSecurity (/util/modsec-clamscan.pl).
-#
-# Inspecting uploaded files is especially important in a hosting,
-# community or blogging environments where uploading files is permitted.
-#
-# NOTE the t:none action is required in order not to process the files names
-# passed to the script based on previously defined actions in a
-# SecDefaultAction directive.
-#
-# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
-# "t:none"
-
-## -- Logging ----------------------------------------------------------------
-
-# Whether to log requests to the ModSecurity audit log.
-#
-# By default, only requests that trigger a ModSecurity events (as detected
-# by) or a serer error are logged ("RelevantOnly"). This is a reasonable
-# setting. Full logging can be set by using # "on". If the system is used
-# for protection only and no logging is desired (not reccomended) logging can
-# be turned of using "off"
-#
-# NOTE It is also possible to configure forensic logging on the
-# per request basis using the "auditlog" and "noauditlog" rule
-# actions.
-#
-# TODO The default rule set logs requests that generate a 404 "file not found"
-# response. These events are interesting, but may log a lot of information.
-# you may consider removing it by setting SecAuditLogRelevantStatus
-# to "^(?:5|4\d[^4])".
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
-# Log files structure
-#
-# You can select to log all events to a single log file (set SecAuditLogType to
-# "Serial") or to log each request to a separate file (set it to "Concurrent").
-# The former is usually easier to use, but if full logging is required or if
-# the protected system supports a large transaction volume the later may
-# be a better option.
-#
-# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
-# "Concurrent" logging).
-#
-# TODO If you change from "Serial" to "Concurrent" uncomment the
-# SecAuditLogStorageDir directive and make sure the direcory specified
-# exists and has write permissions for the Apache user.
-
-SecAuditLogType Concurrent
-SecAuditLog logs/audit_log
-# SecAuditLogStorageDir logs/modsec_audit
-
-# Select what portions of the request to log
-#
-# Modify the string by adding any of the letter below to it:
-# A - audit log header (mandatory)
-# B - request headers
-# C - request body (present only if the request body exists and ModSecurity is
Deleted |
modsecurity_crs_10_config-default.conf.suse
@@ -1,302 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-# Configuration contained in this file should be customized
-# for your specific requirements before deployment.
-#
-# Next to each rule there is a description of what it does. Each
-# location where customization is needed is marked with "TODO". It
-# is recommended that you:
-#
-# 1) Keep a copy of the original file. This will allow you to use
-# the "diff" command to quickly see the changes. It will also
-# make upgrades to future rule sets easier.
-#
-# 2) Document your changes thoroughly.
-#
-# You are advised to start with ModSecurity in detection mode only.
-# Switch to protection when you are comfortable with your rule set.
-# For maximum protection monitor your logs on daily basis (or
-# better).
-#
-
-# TODO You may want to provide an error friendly message to your
-# users when you start rejecting requests. You can do this using
-# the Apache ErrorDocument directive. You should also add
-# mod_unique_id to your configuration and display the unique
-# request ID on the error page. This would allow your users to
-# report the request ID back to you so that you can investigate
-# the false positive (if that's what it is). A nice error page
-# usually reduces the impact of false positives on the users.
-#
-# The drawback of this user friendly approach is that it is
-# easier for the attackers to figure out there is an web
-# application firewall protecting the application.
-#
-# ErrorDocument 403 /path/to/error_document.php
-#
-# For more information see
-# http://httpd.apache.org/docs-2.0/custom-error.html
-
-
-## -- Configuration ----------------------------------------------------------
-
-# Turn ModSecurity on ("On"), set to monitoring only
-# ("DetectionOnly") or turn off ("Off").
-#
-SecRuleEngine On
-
-# Define which part of the HTTP transaction to inspect.
-#
-# Inspecting request body (SecRequestBodyAccess) should probably be always set
-# to "on". Only very high volume sites that never use POST requests might want
-# to set it to "off" to optimize performance.
-#
-# Inspecting response body is useful for monitoring for information leaks,
-# or for signs of intrusion. However, it does require all responses to be
-# buffered in memory. For most sites this should not be a problem, but special
-# care must be taken to avoid buffering file downloads (through
-# MIME type selection, as shown below).
-#
-# TODO If you decide to enable output filtering make sure to
-# review the list of scanned MIME types. If pages of the types specified
-# for outbound inspection are smaller than 512K in you application
-# (which is usually the case) you may reduce the SecResponseBodyLimit
-# to protect from potential denial of service attacks.
-#
-SecRequestBodyAccess On
-SecResponseBodyAccess On
-SecResponseBodyMimeType (null) text/html text/plain text/xml
-SecResponseBodyLimit 2621440
-
-
-# Initiate XML Processor in case of xml content-type
-#
-# TODO Uncomment this rule if you wish to parse
-# text/xml requests using the XML parser. Note
-# that this may cause considerable overhead in processing
-# text/xml requests.
-#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
-
-
-# What to do when an error is encountered.
-#
-# The default is to log the error and let the request go through.
-# This is a reasonable setting to start with because you do not
-# want to reject legitimate requests with an untuned rule set.
-#
-# If, after monitoring the performance of the rule set after a
-# sufficient period, you determine the rules never (or rarely
-# trigger on legitimate requests) you can change to something
-# else, such as "log,deny,status:403". You can also leave the
-# default setting here as is, but use per rule action configuration
-# to only configure some rules to reject requests, leaving most
-# of them to work in detection mode.
-#
-#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
-
-# Set web server identification string
-#
-# TODO In case you use Apache, you may want specify a simple server signature
-# instead of the detailed Apache default signature that list most modules
-# used on the specific Apache deployment:
-# "Apache/2.2.0 (Fedora)"
-# For this directive to work, you need to set Apache ServerTokens
-# to Full (this is the default option)
-SecServerSignature Apache
-
-# Add ruleset identity to the logs
-#
-SecComponentSignature 201001071602
-
-## -- File uploads configuration -----------------------------------------------
-# Temporary file storage path.
-#
-# TODO Change the temporary folder setting to a path where only
-# the web server has access.
-#
-SecUploadDir /var/asl/data/suspicious
-
-# Whether or not to keep the stored files.
-#
-# In most cases you don't want to keep the uploaded files (especially
-# when there is a lot of them). It may be useful to change the setting
-# to "RelevantOnly", in which case the files uploaded in suspicious
-# requests will be stored.
-#
-SecUploadKeepFiles Off
-
-# Inspect uploaded files.
-#
-# TODO If there is a danger of attack through uploaded files then it
-# is possible to configure an external script to inspect each file
-# before it is seen by the application. An example script is
-# included with ModSecurity (/util/modsec-clamscan.pl).
-#
-# Inspecting uploaded files is especially important in a hosting,
-# community or blogging environments where uploading files is permitted.
-#
-# NOTE the t:none action is required in order not to process the files names
-# passed to the script based on previously defined actions in a
-# SecDefaultAction directive.
-#
-# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
-# "t:none"
-
-## -- Logging ----------------------------------------------------------------
-
-# Whether to log requests to the ModSecurity audit log.
-#
-# By default, only requests that trigger a ModSecurity events (as detected
-# by) or a serer error are logged ("RelevantOnly"). This is a reasonable
-# setting. Full logging can be set by using # "on". If the system is used
-# for protection only and no logging is desired (not reccomended) logging can
-# be turned of using "off"
-#
-# NOTE It is also possible to configure forensic logging on the
-# per request basis using the "auditlog" and "noauditlog" rule
-# actions.
-#
-# TODO The default rule set logs requests that generate a 404 "file not found"
-# response. These events are interesting, but may log a lot of information.
-# you may consider removing it by setting SecAuditLogRelevantStatus
-# to "^(?:5|4\d[^4])".
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
-# Log files structure
-#
-# You can select to log all events to a single log file (set SecAuditLogType to
-# "Serial") or to log each request to a separate file (set it to "Concurrent").
-# The former is usually easier to use, but if full logging is required or if
-# the protected system supports a large transaction volume the later may
-# be a better option.
-#
-# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
-# "Concurrent" logging).
-#
-# TODO If you change from "Serial" to "Concurrent" uncomment the
-# SecAuditLogStorageDir directive and make sure the direcory specified
-# exists and has write permissions for the Apache user.
-
-SecAuditLogType Concurrent
-SecAuditLog /var/log/apache2/audit_log
-# SecAuditLogStorageDir /var/log/apache2/modsec_audit
-
-# Select what portions of the request to log
-#
-# Modify the string by adding any of the letter below to it:
-# A - audit log header (mandatory)
-# B - request headers
-# C - request body (present only if the request body exists and ModSecurity is
Deleted |
zzz_asl_custom_exclude.conf
@@ -1,24 +0,0 @@
-# do local changes in zzz_asl_custom_local_exclude.conf this file will be overwritten
-SecRuleRemoveById 350000
-SecRuleRemoveById 351000
-SecRuleRemoveById 350147
-SecRuleRemoveById 350148
-SecRuleRemoveById 340162
-SecRuleRemoveById 391213
-SecRuleRemoveById 340152
-
-# experimental
-SecRuleRemoveById 340202
-SecRuleRemoveById 340201
-SecRuleRemoveById 340204
-SecRuleRemoveById 340205
-SecRuleRemoveById 340206
-SecRuleRemoveById 340207
-SecRuleRemoveById 340208
-SecRuleRemoveById 340209
-SecRuleRemoveById 345400
-SecRuleRemoveById 345401
-SecRuleRemoveById 345402
-SecRuleRemoveById 345403
-SecRuleRemoveById 345404
-
Deleted |
zzz_asl_custom_local_exclude.conf
@@ -1 +0,0 @@
-# do local changes here, will not be overwritten