Ubuntu - ModSecurity - Setting Up Rules

To make your life easier, there are a lot of rules which are already installed along with mod_security.

These are called CRS (Core Rule Set) and are located in 

ls -l /usr/share/modsecurity-crs/

returns: 

total 40
drwxr-xr-x 2 root root  4096 Oct 20 09:45 activated_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 base_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 experimental_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 lua
-rw-r--r-- 1 root root 13544 Jul  2  2012 modsecurity_crs_10_setup.conf
drwxr-xr-x 2 root root  4096 Oct 20 09:45 optional_rules
drwxr-xr-x 3 root root  4096 Oct 20 09:45 util

The documentation is available at 

ls -l /usr/share/doc/modsecurity-crs/

returns: 

total 40
-rw-r--r-- 1 root root   469 Jul  2  2012 changelog.Debian.gz
-rw-r--r-- 1 root root 12387 Jun 18  2012 changelog.gz
-rw-r--r-- 1 root root  1297 Jul  2  2012 copyright
drwxr-xr-x 3 root root  4096 Oct 20 09:45 examples
-rw-r--r-- 1 root root  1138 Mar 16  2012 README.Debian
-rw-r--r-- 1 root root  6495 Mar 16  2012 README.gz

To load these rules, we need to tell Apache to look into these directories. Edit the modsecurity.conf file. 

vi /etc/apache2/mods-enabled/modsecurity.conf

Add the following directives inside <IfModule security2_module> </IfModule>:

/etc/apache2/mods-enabled/modsecurity.conf
Include "/usr/share/modsecurity-crs/*.conf"
Include "/usr/share/modsecurity-crs/activated_rules/*.conf"

The activated_rules directory is similar to Apache's mods-enabled directory. The rules are available in directories: 

/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules

Symlinks must be created inside the activated_rules directory to activate these. Let us activate the SQL injection rules. 

cd /usr/share/modsecurity-crs/activated_rules/
ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf .

Apache has to be reloaded for the rules to take effect. 

service apache2 reload

Now open the login page we created earlier and try using the SQL injection query on the username field.

If you had changed the SecRuleEngine directive to On, you'll see a 403 Forbidden error.

If it was left to the DetectionOnly option, the injection will be successful but the attempt would be logged in the modsec_audit.log file.