
Fix all the rules to have proper IDs for ModSecurity 2.7.0.

Some things were broken before, now they are all valid.
1 parent bf0a998 commit 294873c4f33e016c0fe51bcb3fb36549e41542cf @Flameeyes committed Oct 17, 2012
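--- a/optional/flameeyes_init.conf
+++ b/optional/flameeyes_init.conf
@@ -11,7 +11,7 @@
 SecRuleEngine On
 # Initialise the global collection of IP-based matches.
-SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
+SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr},id:430000"
 SecDataDir /var/cache/modsecurity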
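Review bot: Reassigning `id:430000` to the `initcol` action changes what that ID means for anyone who already references it. Before this commit 430000 was the `tx.ip_expiration` default in rules/flameeyes_00_settings.conf, so an existing `SecRuleRemoveById 430000` or `SecRuleUpdateActionById` exclusion would now silently disable collection initialisation, which the IP-based rules depend on. The other renumbered IDs (430001, 430542, 436086) are affected in the same way. Giving the init action a previously unused ID, or adding a comment such as `# id 430000 was the ip_expiration default before the 2.7.0 renumbering` above the line, would make the reuse visible to operators.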
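--- a/rules/flameeyes_00_settings.conf
+++ b/rules/flameeyes_00_settings.conf
@@ -4,11 +4,11 @@
 # Settings and prerequisites for the ruleset
 # By default expire IP-bound data on a week basis.
-SecAction "phase:1,t:none,nolog,setvar:tx.ip_expiration=259200,pass,id:430000"
+SecAction "phase:1,t:none,nolog,setvar:tx.ip_expiration=259200,pass,id:430010"
 # Since Amazon EC2 users will use dynamic IP addresses, there is no
 # reason to cache tests for a whole week. Instead do hourly checks
 # about them.
-SecRule REMOTE_HOST "@endsWith .amazonaws.com" "id:430001,setvar:tx.ip_expiration=3600,nolog"
+SecRule REMOTE_HOST "@endsWith .amazonaws.com" "id:430011,setvar:tx.ip_expiration=3600,nolog"
 SecComponentSignature "Flameeyes's Ruleset for ModSecurity"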
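Review bot: The `.amazonaws.com` rule at `id:430011` names neither a phase nor a disruptive action, so both come from whatever `SecDefaultAction` is in force. Under a site-wide default of `deny`, a matching EC2 host would be blocked rather than just given a shorter expiry. Spelling it out as `"id:430011,phase:2,t:none,pass,nolog,setvar:tx.ip_expiration=3600"` keeps it a pure settings rule. The `@rbl dnsbl.httpbl.org` rule in rules/flameeyes_05_proxy.conf likewise has no explicit `pass`. Separately, the comment says IP-bound data expires weekly, but 259200 seconds is three days, so either the comment or the value needs correcting.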
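--- a/rules/flameeyes_05_proxy.conf
+++ b/rules/flameeyes_05_proxy.conf
@@ -77,7 +77,7 @@ SecRule REMOTE_ADDR "@rbl all.s5h.net" \
 # This requires SecHttpBlKey to be set!
 SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
- "id:430542,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
+ "id:430544,phase:2,setvar:ip.flameeyes_is_openproxy=1,expirevar:ip.flameeyes_is_openproxy=%{TX.IP_EXPIRATION},msg:'%{REMOTE_ADDR} is blacklisted',skipAfter:FLAMEEYES_PROXY_REQUEST"
 SecMarker FLAMEEYES_PROXY_REQUEST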
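Review bot: This rule sets `ip.flameeyes_is_openproxy` on any answer from `dnsbl.httpbl.org`, but http:BL answers encode the visitor type, a threat score and the age of the entry, and as far as I know `@rbl` matches as soon as the lookup resolves. A listed search engine or a long-stale entry would then be cached as an open proxy for the full `TX.IP_EXPIRATION` period. If the answer cannot be filtered here, a comment such as `# NOTE: matches every http:BL listing, including search-engine and stale entries` above the rule would document the limitation. The block this rule belongs to starts before the hunk, so any earlier allow-listing is not visible from here.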
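--- a/rules/flameeyes_60_fake_browsers.conf
+++ b/rules/flameeyes_60_fake_browsers.conf
@@ -140,7 +140,7 @@ SecRule &REQUEST_HEADERS:x-ps3-browser "@eq 0"
 # at least. If the Accept header includes it, the request can't be
 # coming from IE.
 SecRule REQUEST_HEADERS:User-Agent "@pm msie" \
- "id:436086,chain,phase:2,msg:'Fake Internet Explorer browser accepting WebP images',deny,status:403"
+ "id:436087,chain,phase:2,msg:'Fake Internet Explorer browser accepting WebP images',deny,status:403"
 SecRule REQUEST_HEADERS:Accept "@pm image/webp"
 SecMarker FLAMEEYES_END_FAKE_BROWSERS_HEADERS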
