Mod-security changes after upgrade to 21.2.8

Article ID: 237026

Updated On:

Products

CA Spectrum

Issue/Introduction

After the upgrade to 21.2.8, mod-security does not work properly and a normal login to the OC web page fails with HTTP error 403.

In addition, the modsecurity_crs_10_setup.conf file is no longer present; crs-setup.conf is there instead.

Why? What to do?

Environment

Release : 21.2.8

Component :

Resolution

For the 403 error, make sure the conf files are updated with the changes that were made before the upgrade.

Compare $SPECROOT\apache\conf.old with the conf folder after upgrading, and update the conf files in the "conf" and "conf/extra" folders.

Regarding the missing modsecurity_crs_10_setup.conf file: in Spectrum 21.2.8, modsecurity uses crs-setup.conf instead of modsecurity_crs_10_setup.conf because 21.2.8 ships with owasp-modsecurity-crs v3.3.2.

See Third-Party Software License Acknowledgements.

The CRS installation page at https://coreruleset.org/installation/ says:

Upgrading from CRS 2.x to CRS 3

In general, you can update by unzipping our new release over your older one, and updating the crs-setup.conf file with any new settings.  However, CRS 3.0 is a major rewrite, incompatible with CRS 2.x. Key setup variables have changed their name, and new features have been introduced. Your former modsecurity_crs_10_setup.conf file is thus no longer usable. We recommend you to start with a fresh crs-setup.conf file from scratch.

Most rule IDs have been changed to reorganize them into logical sections. This means that if you have written custom configuration with exclusion rules (e.g. SecRuleRemoveById, SecRuleRemoveTargetById, ctl:ruleRemoveById or ctl:ruleRemoveTargetById) you must renumber the rule numbers in that configuration. You can do this using the supplied utility util/id_renumbering/update.py or find the changes in util/id_renumbering/IdNumbering.csv.

However, a key feature of the CRS 3 is the reduction of false positives in the default installation, and many of your old exclusion rules may no longer be necessary. Therefore, it is a good option to start fresh without your old exclusion rules.

If you are experienced in writing exclusion rules for CRS 2.x, it may be worthwhile to try running CRS 3 in Paranoia Level 2 (PL2). This is a stricter mode, which blocks additional attack patterns, but brings a higher number of false positives — in many situations the false positives will be comparable with CRS 2.x. This paranoia level however will bring you a higher protection level than CRS 2.x or a CRS 3 default install, so it can be worth the investment.

Spectrum's modsecurity_crs_10_setup.conf used rule IDs 900001 to 900021. These IDs are removed in v3.3.2, and the rules that were part of modsecurity_crs_10_setup.conf are now uncommented under their new rule IDs.

If a customer needs specific rules, they can be added in crs-setup.conf. Rules cannot be copied directly from modsecurity_crs_10_setup.conf, because those rule IDs are not valid for the new version.
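
Before re-applying old customizations, it helps to list which lines in the conf.old files cannot be carried over unchanged. The following Python script is an added example, not Broadcom or CRS project code: it flags active rule definitions that use the old setup IDs 900001 to 900021 and every exclusion directive whose rule numbers need renumbering. The sample configuration, its /spectrum path and its other rule IDs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Rule IDs the article says Spectrum's old modsecurity_crs_10_setup.conf used.
OLD_SETUP_IDS = range(900001, 900022)

# Exclusion directives named in the CRS upgrade notes quoted in the article.
SEC_DIRECTIVE = re.compile(r"^\s*(SecRuleRemoveById|SecRuleRemoveTargetById)\s+(.*)$", re.I)
CTL_ACTION = re.compile(r"\b(ctl:ruleRemove(?:Target)?ById)=([^,\"'\s]+)", re.I)
RULE_DEF_ID = re.compile(r"\bid:\s*'?(\d+)", re.I)
ID_OR_RANGE = re.compile(r"(?<![\w:])(\d+)(?:-(\d+))?(?![\w:])")

# Constructed sample of a customized CRS 2.x-era file (IDs are illustrative).
SAMPLE_OLD_CONF = """
# local tuning carried over in conf.old
SecAction "id:'900004',phase:1,nolog,pass"
SecRuleRemoveById 960015 "981172-981173"
# SecRuleRemoveById 950901
SecRule REQUEST_URI "@beginsWith /spectrum" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=981260;ARGS:password"
"""


def audit_old_conf(text):
    """Return (line_no, kind, detail) for every active line that needs review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        hits = CTL_ACTION.findall(line)
        m = SEC_DIRECTIVE.match(line)
        if m:
            hits.insert(0, m.groups())
        for name, args in hits:
            ids = [a + ("-" + b if b else "") for a, b in ID_OR_RANGE.findall(args)]
            findings.append((no, "renumber", f"{name} {' '.join(ids)}"))
        for rid in RULE_DEF_ID.findall(line):
            if int(rid) in OLD_SETUP_IDS:
                findings.append((no, "old-setup-id", rid))
    return findings


if __name__ == "__main__":
    # With a directory argument (e.g. the conf.old folder) audit every *.conf under it.
    sources = {str(p): p.read_text(errors="replace") for a in sys.argv[1:] for p in Path(a).rglob("*.conf")}
    for name, text in (sources or {"<sample>": SAMPLE_OLD_CONF}).items():
        for no, kind, detail in audit_old_conf(text):
            print(f"{name}:{no}: {kind}: {detail}")
```

Run it with the conf.old folder as the argument; "renumber" lines are the ones to check against util/id_renumbering/IdNumbering.csv, and "old-setup-id" lines have to be rebuilt from the settings in the new crs-setup.conf.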