Fix all the rules to have proper IDs for ModSecurity 2.7.0.

Some things were broken before, now they are all valid.
commit 294873c4f33e016c0fe51bcb3fb36549e41542cf 1 parent bf0a998
@Flameeyes authored
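--- a/optional/flameeyes_init.conf
+++ b/optional/flameeyes_init.conf
@@ -11,7 +11,7 @@
 SecRuleEngine On
 # Initialise the global collection of IP-based matches.
-SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
+SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr},id:430000"
 SecDataDir /var/cache/modsecurity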
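Review bot: The id 430000 assigned to the init SecAction here is the number that rules/flameeyes_00_settings.conf used for the tx.ip_expiration SecAction until this same commit, so one id now names a different rule than before. Any local `SecRuleRemoveById` or `SecRuleUpdateActionById` line, or log query, keyed on 430000 or 430001 would silently hit the wrong rule or none after the upgrade. A comment next to the rule such as `# id 430000 previously identified the tx.ip_expiration SecAction` (or a changelog entry listing old and new ids) would make the remapping visible. The renumbered ids in flameeyes_05_proxy.conf and flameeyes_60_fake_browsers.conf deserve the same note.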
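--- a/rules/flameeyes_00_settings.conf
+++ b/rules/flameeyes_00_settings.conf
@@ -4,11 +4,11 @@
 # Settings and prerequisites for the ruleset
 # By default expire IP-bound data on a week basis.
-SecAction "phase:1,t:none,nolog,setvar:tx.ip_expiration=259200,pass,id:430000"
+SecAction "phase:1,t:none,nolog,setvar:tx.ip_expiration=259200,pass,id:430010"
 # Since Amazon EC2 users will use dynamic IP addresses, there is no
 # reason to cache tests for a whole week. Instead do hourly checks
 # about them.
-SecRule REMOTE_HOST "@endsWith .amazonaws.com" "id:430001,setvar:tx.ip_expiration=3600,nolog"
+SecRule REMOTE_HOST "@endsWith .amazonaws.com" "id:430011,setvar:tx.ip_expiration=3600,nolog"
 SecComponentSignature "Flameeyes's Ruleset for ModSecurity"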
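Review bot: The EC2 rule at id:430011 names neither a phase nor a disruptive action, so it inherits both from whatever SecDefaultAction is in force. On a deployment whose default is `deny`, every request whose REMOTE_HOST ends in .amazonaws.com would be blocked instead of only getting a shorter cache lifetime. Writing it as `"id:430011,phase:2,t:none,pass,nolog,setvar:tx.ip_expiration=3600"` keeps it a pure settings rule, like the SecAction above it. Separately, the comment above id:430010 says IP-bound data expires weekly, but 259200 seconds is three days, so either the comment or the value should be corrected.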
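--- a/rules/flameeyes_05_proxy.conf
+++ b/rules/flameeyes_05_proxy.conf
@@ -77,7 +77,7 @@ SecRule REMOTE_ADDR "@rbl all.s5h.net" \
 # This requires SecHttpBlKey to be set!
 SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
- "id:430542,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+ "id:430544,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 SecMarker FLAMEEYES_PROXY_REQUEST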
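Review bot: The http:BL rule at id:430544 sets ip.flameeyes_is_openproxy on any answer from dnsbl.httpbl.org, although that list encodes a visitor type and threat score in the returned address and also lists known search engines. As far as I can tell, a plain `@rbl` match does not tell these apart. A crawler or a stale low-score entry could therefore be cached as an open proxy for the whole TX.IP_EXPIRATION period. At minimum the comment should say so, e.g. `# Any http:BL listing counts as a hit here, regardless of visitor type or threat score.` How ip.flameeyes_is_openproxy is acted on lies outside this hunk.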
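--- a/rules/flameeyes_60_fake_browsers.conf
+++ b/rules/flameeyes_60_fake_browsers.conf
@@ -140,7 +140,7 @@ SecRule &REQUEST_HEADERS:x-ps3-browser "@eq 0"
 # at least. If the Accept header includes it, the request can't be
 # coming from IE.
 SecRule REQUEST_HEADERS:User-Agent "@pm msie" \
- "id:436086,chain,phase:2,msg:'Fake Internet Explorer browser accepting WebP images',deny,status:403"
+ "id:436087,chain,phase:2,msg:'Fake Internet Explorer browser accepting WebP images',deny,status:403"
 SecRule REQUEST_HEADERS:Accept "@pm image/webp"
 SecMarker FLAMEEYES_END_FAKE_BROWSERS_HEADERS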