PuntaPirata
Useful Tweaks for ModSec

Add your own blacklisted domains to your core rules:

Posted by Sergio Cabrera at 7:45 | Sunday, March 21. 2010

 
There are two files that the ModSec core rules use to check whether a request is trying to push a blacklisted domain into any of your server apps (forms, forum or blog posts), or whether a domain is being used to inject code into any of your sites.
 
The files are MALWARE-BLACKLIST.TXT and DOMAIN-BLACKLIST.TXT. You can add your own domains to these two files, but if you do it manually, chances are you will have to rewrite the domains each time you update your rules.
 
So, using my UPDATERULES.SH, you can do this task automatically every time you update your rules.
 
Do the following:
  1. Create a directory on your server where you will save the ModSec rules backups; this directory will be used instead of "/tmp".
  2. Modify UPDATERULES.SH and search for the following lines:

    # MODIFY THE FOLLOWING LINE WITH YOUR OWN DIRECTORY.
    # DO NOT INCLUDE A TRAILING SLASH.
    WORKNDIR="/tmp"


    Replace /tmp with your own directory path.

  3. In your working directory, create a file called "puntapirata-badomain.txt" (the same name the script below uses).
  4. Write in that file all the domains that you want to blacklist on your server. If you want to collect domains, look at the tab "MODSEC TAILOR MADE" for an idea of how you can gather this info.
  5. Now that you have saved the domains, once again modify UPDATERULES.SH and look for the following lines:

    ##########
    # ADD YOUR OWN BLACKLISTED DOMAINS INTO THE RULES
    ##########
    # dos2unix $WORKNDIR/puntapirata-badomain.txt
    # cat $WORKNDIR/puntapirata-badomain.txt malware-blacklist.txt > malware
    # cat $WORKNDIR/puntapirata-badomain.txt domain-blacklist.txt > domain
    # sort -u malware > malware-blacklist.txt
    # sort -u domain > domain-blacklist.txt
    ##########


    and change them to the following (remove the leading "#" so the lines are no longer commented out):

    ##########
    # ADD YOUR OWN BLACKLISTED DOMAINS INTO THE RULES
    ##########
    dos2unix $WORKNDIR/puntapirata-badomain.txt
    cat $WORKNDIR/puntapirata-badomain.txt malware-blacklist.txt > malware
    cat $WORKNDIR/puntapirata-badomain.txt domain-blacklist.txt > domain
    sort -u malware > malware-blacklist.txt
    sort -u domain > domain-blacklist.txt
    ##########


  6. That's it: save your modified UPDATERULES.SH and wait for the next ModSec rules update.
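As an added example (not the original UPDATERULES.SH), the same union of your list with a core blacklist file, but with the custom list normalized first, so a CRLF line ending, a comment line or a stray blank line cannot end up as a bogus entry in the rules. `tr -d '\r'` stands in for dos2unix so it runs without that tool, and the function names and sample domains are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the original UPDATERULES.SH. Hypothetical helper names.

# merge_blacklist CUSTOM EXISTING OUT
# - strips CR from CRLF line endings (the job dos2unix does in the post)
# - trims whitespace, drops '#' comment lines and blank lines, lowercases
# - unions with the existing list and writes a sorted, de-duplicated result
#   through a temp file, so OUT may be the same file as EXISTING
merge_blacklist() {
    custom="$1"; existing="$2"; out="$3"
    tmp="${out}.tmp.$$"
    cat "$custom" "$existing" \
        | tr -d '\r' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^#' \
        | grep -v '^$' \
        | tr 'A-Z' 'a-z' \
        | sort -u > "$tmp" && mv "$tmp" "$out"
}

# count_entries FILE -> number of non-empty lines in the merged list
count_entries() {
    grep -c . "$1"
}

# Constructed sample data: a CRLF custom list with a comment, a blank line,
# mixed case and a duplicate, plus a small existing blacklist.
demo_dir=$(mktemp -d)
printf '# my additions\r\nEvil.Example\r\nbad.example\r\n\r\nbad.example\r\n' \
    > "$demo_dir/puntapirata-badomain.txt"
printf 'already.example\nbad.example\n' > "$demo_dir/domain-blacklist.txt"

merge_blacklist "$demo_dir/puntapirata-badomain.txt" \
                "$demo_dir/domain-blacklist.txt" \
                "$demo_dir/domain-blacklist.txt"
cat "$demo_dir/domain-blacklist.txt"
```

Run in the rules directory with your real files in place of the constructed ones; the merged file should contain exactly three entries here: already.example, bad.example and evil.example.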

You can download PUNTAPIRATA-BADOMAIN.TXT by clicking here.
This file contains more than 6,533 bad domains (updated on Jul-19-2010);
you have to unzip the file before using it.
 
We no longer update this file (May, 10th, 2012)

This addon was created on March, 21, 2010.

Last Revised: May, 10th, 2012
 
All Rights Reserved 2012
PuntaPirata.com
Guatemala, the country of the Eternal Spring