
Writing your own ModSecurity rules

ModSecurity is a module available for web servers that implements a web application firewall, in short a “WAF”.


Web application firewalls help administrators secure the requests being made to their websites, i.e. to block common attacks like XSS or SQL injection.

Most of those solutions cost a lot of money, so they're unfeasible for personal use. ModSecurity is the only WAF that I am aware of which you can download and use for free.

I am not going into how to install and configure it, as there are many very good tutorials on the web that already cover that base process.

ModSecurity uses so-called “rule files” that are checked whenever the website is browsed. The base rule files already contain very good rules to secure common web applications and websites, but they are by no means fully usable out of the box.

Most other tutorials tell you to disable a rule if it interferes with your website. I don't like that solution, as it opens up possible security holes.

To start, we create a new rule file within the /usr/share/modsecurity-crs directory and open it with our favourite text editor. I am a big fan of vim, as nowadays it's available on most servers by default.

I am calling my file modsecurity_crs_48_local_exceptions.conf

Now we check the ModSecurity audit log for entries that tell us which rules interfere with our website. A typical entry in that log file looks like this:

This tells us a lot: first of all, we see that access to our website was denied (HTTP error 403) because ModSecurity thinks the request was an SQL injection attack. The rule that caused this has the id 981319 and is on line 70 of the file modsecurity_crs_41_sql_injection_attacks.conf

Now we have a look at that file:

ModSecurity offers a few ways to disable this rule in certain cases using regular expressions; a full listing of all ModSecurity variables may be found in their reference manual.

Let's say we want to update that rule to exclude REQUEST_COOKIES:nf_wp_session…

We add the following to our modsecurity_crs_48_local_exceptions.conf file:

and restart our web server; that one error will be gone.
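As an added example (not code from the original post), here is a small Python script that does the two things the post walks through by hand: it parses audit-log `Message:` lines of the kind shown above into rule id, file, line and the variable that matched, and it emits the exclusion that belongs in the 48 file. Two ModSecurity 2.x forms are produced: `SecRuleUpdateTargetById`, which drops one variable from a rule everywhere, and a `ctl:ruleRemoveTargetById` rule, which drops it only for requests under a URI prefix. The sample log lines are constructed; the `base_rules` subdirectory, the `/wp-admin/` prefix and the local rule id 1000 are assumptions.

```python
import re
from typing import Optional

# Constructed sample lines in the shape of the "Message:" entries that
# ModSecurity 2.x writes to its audit log (section H) when a rule fires.
# The rule id (981319), file name, line and the cookie target are the ones
# the post discusses; the pattern and msg text are made up for this example.
SAMPLE_AUDIT_MESSAGES = [
    'Message: Access denied with code 403 (phase 2). Pattern match '
    '"(?i:example-sql-keyword)" at REQUEST_COOKIES:nf_wp_session. '
    '[file "/usr/share/modsecurity-crs/base_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] '
    '[id "981319"] [rev "2"] [msg "SQL Injection Attack (constructed)"] '
    '[severity "CRITICAL"]',
    # A warning-only hit: no "Access denied", so no status code.
    'Message: Warning. Pattern match "(?i:example)" at ARGS:search. '
    '[file "/usr/share/modsecurity-crs/base_rules/example.conf"] '
    '[line "12"] [id "999001"] [msg "constructed warning"]',
    # Engine noise that is not a rule hit at all; the parser must skip it.
    'Message: Request body is larger than the configured limit (constructed).',
]

_STATUS_RE = re.compile(r"Access denied with code (\d{3})")
_TARGET_RE = re.compile(r" at (\S+)\. \[file ")
_FILE_RE = re.compile(r'\[file "([^"]+)"\]')
_LINE_RE = re.compile(r'\[line "(\d+)"\]')
_ID_RE = re.compile(r'\[id "(\d+)"\]')


def parse_audit_message(msg: str) -> Optional[dict]:
    """Pull the fields an exclusion needs out of one audit-log Message line.

    Returns None for lines that carry no rule id, i.e. where no rule fired.
    """
    id_m = _ID_RE.search(msg)
    if not id_m:
        return None
    target_m = _TARGET_RE.search(msg)
    file_m = _FILE_RE.search(msg)
    line_m = _LINE_RE.search(msg)
    status_m = _STATUS_RE.search(msg)
    return {
        "id": id_m.group(1),
        "target": target_m.group(1) if target_m else None,
        "file": file_m.group(1) if file_m else None,
        "line": line_m.group(1) if line_m else None,
        "status": status_m.group(1) if status_m else None,
    }


def exclusion_directive(rule_id: str, target: str) -> str:
    """Narrow rule `rule_id` so it no longer inspects `target`, on every request.

    The rule stays active for every other variable, which is the point of
    excluding instead of disabling. The directive must be loaded after the
    rule it modifies, which is why the exceptions file sorts as 48, after
    the 41 file that defines the rule.
    """
    return f"SecRuleUpdateTargetById {rule_id} !{target}"


def scoped_exclusion_rule(rule_id: str, target: str, uri_prefix: str, local_id: int) -> str:
    """Same exclusion, but only for requests whose URI starts with `uri_prefix`.

    A phase-1 rule with the ctl action; `local_id` must be unique and outside
    the ranges the CRS uses (the value passed in by the caller is an assumption).
    """
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
        f'"id:{local_id},phase:1,pass,nolog,t:none,'
        f'ctl:ruleRemoveTargetById={rule_id};{target}"'
    )


def exclusions_from_log(messages) -> list:
    """Turn blocking hits (status code and matched variable present) into
    de-duplicated SecRuleUpdateTargetById lines, in log order."""
    seen = set()
    out = []
    for msg in messages:
        hit = parse_audit_message(msg)
        if not hit or not hit["status"] or not hit["target"]:
            continue
        key = (hit["id"], hit["target"])
        if key in seen:
            continue
        seen.add(key)
        out.append(exclusion_directive(hit["id"], hit["target"]))
    return out


if __name__ == "__main__":
    for hit in map(parse_audit_message, SAMPLE_AUDIT_MESSAGES):
        print(hit)
    print("\n".join(exclusions_from_log(SAMPLE_AUDIT_MESSAGES)))
    # Assumed prefix and local id: adjust both to your site and id scheme.
    print(scoped_exclusion_rule("981319", "REQUEST_COOKIES:nf_wp_session", "/wp-admin/", 1000))
```

Run it against real audit-log lines by replacing the constructed list with the `Message:` lines of the H sections you care about. The scoped form is worth the extra line whenever the false positive only occurs on a few URLs, because the rule keeps inspecting that cookie everywhere else.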

I hope you found my short tutorial useful. As usual, if you have any questions or a better way of doing things, please let me know below.