modsecurity:setting_up_rules

Differences

Previous revision: modsecurity:setting_up_rules [2016/10/14 14:04] peter
Current revision: modsecurity:setting_up_rules [2019/11/30 14:19] (current) – removed peter
Line 1: Line 1:
-====== ModSecurity - Setting Up Rules ====== 
- 
-To make your life easier, there are a lot of rules which are already installed along with mod_security.  These are called **CRS (Core Rule Set)** and are located in 
- 
-<code bash> 
-ls -l /usr/share/modsecurity-crs/ 
-</code> 
- 
-Returns 
- 
-<code bash> 
-total 40 
-drwxr-xr-x 2 root root  4096 Oct 20 09:45 activated_rules 
-drwxr-xr-x 2 root root  4096 Oct 20 09:45 base_rules 
-drwxr-xr-x 2 root root  4096 Oct 20 09:45 experimental_rules 
-drwxr-xr-x 2 root root  4096 Oct 20 09:45 lua 
--rw-r--r-- 1 root root 13544 Jul  2  2012 modsecurity_crs_10_setup.conf 
-drwxr-xr-x 2 root root  4096 Oct 20 09:45 optional_rules 
-drwxr-xr-x 3 root root  4096 Oct 20 09:45 util 
-</code> 
- 
-The documentation is available at 
- 
-<code bash> 
-ls -l /usr/share/doc/modsecurity-crs/ 
-</code> 
- 
-Returns 
- 
-<code bash> 
-total 40 
--rw-r--r-- 1 root root   469 Jul  2  2012 changelog.Debian.gz 
--rw-r--r-- 1 root root 12387 Jun 18  2012 changelog.gz 
--rw-r--r-- 1 root root  1297 Jul  2  2012 copyright 
-drwxr-xr-x 3 root root  4096 Oct 20 09:45 examples 
--rw-r--r-- 1 root root  1138 Mar 16  2012 README.Debian 
--rw-r--r-- 1 root root  6495 Mar 16  2012 README.gz 
-</code> 
- 
-To load these rules, we need to tell Apache to look into these directories.  Edit the **modsecurity.conf** file. 
- 
-<code bash> 
-vi /etc/apache2/mods-enabled/modsecurity.conf 
-</code> 
- 
-Add the following directives inside **<IfModule security2_module> </IfModule>**: 
- 
-<file bash /etc/apache2/mods-enabled/modsecurity.conf> 
-Include "/usr/share/modsecurity-crs/*.conf" 
-Include "/usr/share/modsecurity-crs/activated_rules/*.conf" 
-</file> 
- 
-The **activated_rules** directory is similar to Apache's **mods-enabled** directory.  The rules are available in directories: 
- 
-<code bash> 
-/usr/share/modsecurity-crs/base_rules 
-/usr/share/modsecurity-crs/optional_rules 
-/usr/share/modsecurity-crs/experimental_rules 
-</code> 
- 
-Symlinks must be created inside the **activated_rules** directory to activate these.  Let us activate the SQL injection rules. 
- 
-<code bash> 
-cd /usr/share/modsecurity-crs/activated_rules/ 
-ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf . 
-</code> 
- 
-Apache has to be reloaded for the rules to take effect. 
- 
-<code bash> 
-service apache2 reload 
-</code> 
- 
-Now open the login page we created earlier and try using the SQL injection query on the username field. If you had changed the **SecRuleEngine** directive to **On**, you'll see a **403 Forbidden error**.  If it was left to the **DetectionOnly** option, the injection will be successful but the attempt would be logged in the **modsec_audit.log** file. 
- 
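Review bot: The edit summary for this whole-page removal is only "removed", with no reason given and no pointer to a successor, so everything from the two Include lines for /usr/share/modsecurity-crs/ through the activated_rules symlink step disappears for anyone following a link to modsecurity:setting_up_rules. If the page was dropped because it is dated (the listing shows modsecurity_crs_10_setup.conf from Jul 2 2012 and the steps use "service apache2 reload"), say so in the summary and leave a short stub that links to the current instructions. If any of this text is reused elsewhere, the closing paragraph should keep its distinction between SecRuleEngine On (403 Forbidden) and DetectionOnly (request goes through and is only written to modsec_audit.log), since that is the one place the page tells the reader that enabling the rule file alone does not block anything.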
  
modsecurity/setting_up_rules.1476453852.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
