Older mod_security ruleset still active
Hi,
I'm running the OWASP mod_security ruleset on our servers. At least one of these servers is however blocking genuine traffic due to a "WEB_ATTACK/COMMAND_INJECTION" rule. The "WEB_ATTACK/COMMAND_INJECTION" rule however seems to be a remnant from the older cPanel mod_security ruleset. How can this older ruleset be disabled or removed as it seems to block genuine traffic? I only want to use the newest ruleset.
Thanks.
Very strange no one replied to this thread as... Found the solution myself by replacing /usr/local/apache/conf/modsec2.user.conf with an empty file and then restarting httpd.
Not the best way to solve an issue with a specific rule I don't think. Each rule should have an ID, that ID can be whitelisted. Or, in that file you replaced completely, you could have simply remarked out the specific rule with, #
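Added example, not part of any post in this thread: a shell sketch of the per-rule approach, which lists the ids of active rules carrying a given tag in a ModSecurity config file and prints a `SecRuleRemoveById` line for each. The sample rules and their ids are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Rule ids and patterns are constructed.

# Print the id of every active SecRule in FILE that carries exactly TAG.
rule_ids_for_tag() {    # usage: rule_ids_for_tag FILE TAG
    awk -v tag="$2" -v q="'" '
        { line = line $0 }
        # Join backslash-continued lines into one logical rule.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", line); next }
        {
            rec = line; line = ""
            if (rec !~ /^[ \t]*SecRule[ \t]/) next   # skips comments too
            gsub("[\"" q "]", "", rec)               # drop quoting
            n = split(rec, tok, ","); id = ""; hit = 0
            for (i = 1; i <= n; i++) {
                sub(/[ \t]+$/, "", tok[i])           # trim trailing blanks
                sub(/^.*[ \t]/, "", tok[i])          # keep last word only
                if (tok[i] == "tag:" tag) hit = 1
                if (tok[i] ~ /^id:[0-9]+$/) id = substr(tok[i], 4)
            }
            if (hit && id != "") print id
        }
    ' "$1"
}

# Emit one exclusion directive per matching rule.
removal_directives() {  # usage: removal_directives FILE TAG
    rule_ids_for_tag "$1" "$2" | sed 's/^/SecRuleRemoveById /'
}

# Constructed sample standing in for a legacy modsec2.user.conf.
write_sample() {
    cat > "$1" <<'EOF'
SecRule ARGS "@contains placeholder-a" \
    "phase:2,deny,id:'9900001',msg:'cmd, injection',\
    tag:'WEB_ATTACK/COMMAND_INJECTION'"
# SecRule ARGS "@contains placeholder-b" "phase:2,deny,id:9900002,tag:'WEB_ATTACK/COMMAND_INJECTION'"
SecRule ARGS "@contains placeholder-c" "id:9900003,phase:2,deny,tag:'WEB_ATTACK/XSS'"
SecRule REQUEST_URI "@contains placeholder-d" "id:9900004,phase:2,deny,tag:WEB_ATTACK/COMMAND_INJECTION"
EOF
}

sample=$(mktemp)
write_sample "$sample"
removal_directives "$sample" 'WEB_ATTACK/COMMAND_INJECTION'
rm -f "$sample"
```

`SecRuleRemoveById` has to be loaded after the rule it removes, so the generated lines belong in a file that is included after the rules in question.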
@Infopro: I agree, but the rules in that file were remnants of a time when mod_security rules were added via an editor window. These days they've all been replaced (and updated!) by the OWASP ModSecurity Core Rule Set.