====== Ubuntu - ModSecurity - Setting Up Rules ======
To make your life easier, a large set of rules is already installed along with mod_security.
These are called the **CRS (Core Rule Set)** and are located in ''/usr/share/modsecurity-crs/'':
<code>
ls -l /usr/share/modsecurity-crs/
</code>
returns:
<code>
total 40
drwxr-xr-x 2 root root  4096 Oct 20 09:45 activated_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 base_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 experimental_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 lua
-rw-r--r-- 1 root root 13544 Jul  2  2012 modsecurity_crs_10_setup.conf
drwxr-xr-x 2 root root  4096 Oct 20 09:45 optional_rules
drwxr-xr-x 3 root root  4096 Oct 20 09:45 util
</code>
The documentation is available in ''/usr/share/doc/modsecurity-crs/'':
<code>
ls -l /usr/share/doc/modsecurity-crs/
</code>
returns:
<code>
total 40
-rw-r--r-- 1 root root   469 Jul  2  2012 changelog.Debian.gz
-rw-r--r-- 1 root root 12387 Jun 18  2012 changelog.gz
-rw-r--r-- 1 root root  1297 Jul  2  2012 copyright
drwxr-xr-x 3 root root  4096 Oct 20 09:45 examples
-rw-r--r-- 1 root root  1138 Mar 16  2012 README.Debian
-rw-r--r-- 1 root root  6495 Mar 16  2012 README.gz
</code>
To load these rules, we need to tell Apache to look into these directories. Edit the **modsecurity.conf** file:
<code>
vi /etc/apache2/mods-enabled/modsecurity.conf
</code>
Add the following directives inside the **<IfModule security2_module>** block:
<code>
Include "/usr/share/modsecurity-crs/*.conf"
Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
</code>
The **activated_rules** directory is similar to Apache's **mods-enabled** directory: only rule files referenced from it are loaded. The rules themselves are available in these directories:
<code>
/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules
</code>
Symlinks must be created inside the **activated_rules** directory to activate them. Let us activate the SQL injection rules:
<code>
cd /usr/share/modsecurity-crs/activated_rules/
ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf .
</code>
Apache has to be reloaded for the rules to take effect:
<code>
service apache2 reload
</code>
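The activation procedure above, as an added shell example that is not part of the original page: it symlinks a CRS rule file into **activated_rules** idempotently (searching base, optional and experimental rules), and only reloads Apache after ''apache2ctl configtest'' accepts the configuration, so a typo in a rule file cannot take the web server down. The ''CRS_DIR'' variable and the function names are this example's own; the paths default to those on the page.

```shell
#!/bin/sh
# Added example (not from the page): safe CRS rule activation.
# CRS_DIR defaults to the Ubuntu package path and can be overridden.
set -eu

CRS_DIR="${CRS_DIR:-/usr/share/modsecurity-crs}"

# activate_rule <rule-file-name>
# Searches base_rules, optional_rules and experimental_rules (in that
# order) and symlinks the first match into activated_rules.
# Idempotent: an existing, correct symlink is left untouched.
# Returns 1 if no rule file with that name exists.
activate_rule() {
    rule="$1"
    for sub in base_rules optional_rules experimental_rules; do
        src="$CRS_DIR/$sub/$rule"
        if [ -f "$src" ]; then
            dst="$CRS_DIR/activated_rules/$rule"
            if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
                return 0          # already active, nothing to do
            fi
            ln -sf "$src" "$dst"  # replaces a stale symlink if present
            return 0
        fi
    done
    echo "rule not found: $rule" >&2
    return 1
}

# list_active: prints the names of the active rule files, one per line.
list_active() {
    for f in "$CRS_DIR"/activated_rules/*.conf; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# reload_if_valid: reload Apache only when the configuration parses;
# a broken rule file otherwise leaves the site unprotected or down.
reload_if_valid() {
    if apache2ctl configtest; then
        service apache2 reload
    else
        echo "Apache config invalid; not reloading" >&2
        return 1
    fi
}

# Usage as on the page (uncomment on a real host):
# activate_rule modsecurity_crs_41_sql_injection_attacks.conf && reload_if_valid
```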
Now open the login page we created earlier and try the SQL injection query on the username field.
If you changed the **SecRuleEngine** directive to **On**, you'll see a **403 Forbidden** error.
If it was left at **DetectionOnly**, the injection will succeed, but the attempt is logged in the **modsec_audit.log** file.