If you need to customize a rule do not change the asl*conf files. These files will be overwritten by updates.
The use of "asl" in the filename is also reserved. Do not name custom file with "asl" in the filename, for example, 99_asl_custom.conf. This file may be overwritten or deleted by the rule management system. Do not create custom rules with "asl" in the filename.
If you need to change a rule because it is incorrectly blocking something we recommend you report it to use as a False Postive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security action SecRuleRemoveById. Here is a simple example:
If you had an original rule like this:
SecRule REQUEST_URI "/foo" "t:normalisePath,id:9000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"
And you want it to block "bar" instead of "foo", then you would copy the entire rule into your own custom rule file. If you are using our rules we recommend you use the filename 99_zzz_custom.conf and change the id: field to an unused ID. You will need to configure Apache to load this file. You should load this file after the *asl*conf rule files have been loaded.
SecRuleRemoveById 9000000 SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"
Note: You must change id: to a number that you have not used for any other custom rules. Customer generated rules should use the range 1-99999. Numbers about 99999 are reserved and will cause conflicts and are not supported.
These are the reserved ranges:
* 1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others. * 100,000-199,999; reserved for internal use of the engine, to assign to rules that do not have explicit IDs. * 200,000-299,999; reserved for rules published at modsecurity.org. * 300,000-399,999; reserved for rules published at gotroot.com. * 400,000-419,999; unused (available for reservation). * 420,000-429,999; reserved for ScallyWhack. * 430,000-699,999; unused (available for reservation). * 700,000-799,999; reserved for Ivan Ristic. * 900,000-999,999; reserved for the Core Rules project. * 1,000,000 and above; unused (available for reservation).
For a domain
If you just want to customize the rule, or add a supported configuration setting for a domain you will want to add your modifications within the VirtualHost definition for the domain.
If you have a web application that uses the uncommon ";" argument separator, as opposed to the widely used "&" you will want to change SecArgumentSeparator value for that application. You can do this in one of two ways:
If all your applications use the older delimiter, just change the SecArgumentSeparator in the tortix_waf.conf file. Do not change this if your applications use other delimiters.
2) Per Application
You can also configure this per application. For example, if your web applications URL is /foo/bar.php you can create a customer rule like this:
<LocationMatch /foo/bar.php> SecArgumentSeparator ";" </LocationMatch>
This will only work if modsecurity is loaded before your virtual host definitions. This is the case with most control panels, but some control panels are known to load modsecurity after vhosts are defined. In which case this will fail because Apache will not know how to process this directive (it will need modsecurity loaded to understand what this means). If you get a syntax error, that means your apache configuration is loaded modsecurity after your vhosts are defined. You will need to change your apache configuration to ensure this loading occurs before vhosts are defined.
ASL will automatically configure modsecurity to load first.