OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Wuensch-AG-Adm on March 26, 2026, 07:41:02 AM

Title: BUSINESS Version 25.10 os-OPNWAF: Our professional apps require detailed rules
Post by: Wuensch-AG-Adm on March 26, 2026, 07:41:02 AM
Dear OPNsense community,


We have a scenario where we need to update the rules for one of our in-house developed professional apps, but without a direct exception like the one available for the user interface in ModSecurity. We need something like the ability to use a whitelist file. Something like this:
SecRule ARGS:mainForm:sometabview:mycompany "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"
2nd example (with the text of the whitelist):
SecRule ARGS:mainForm:sometabview:mycompany "@contains SH GmbH" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"

This is really important for our application, as we sometimes conduct EPA/PEN-TEST audits.
Rule 932250 serves its purpose very precisely and blocks a company's input. However, it would be nonsensical to disable rule 932250, as it is truly important for security...[ Unix direct remote command execution ]

Could you give us some guidance on what we can adjust and how we can set this up permanently, or how the appliance can maintain this for as long as possible?
Thank you in advance.

Regards,
Joel.
Title: Re: BUSINESS Version 25.10 os-OPNWAF: Our professional apps require detailed rules
Post by: Monviech (Cedrik) on March 26, 2026, 10:22:44 AM
Your custom rules execute in phase 1, meaning these definitions need to go before any other definitions in the ruleset.

Currently there is an import option from:

IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

Yet these most likely match after the other inclusions.

There is no freely available import path before that, but you can add one yourself in:
/usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf

By changing the template it will be resistant against service restarts, but not updates.

Please open a GitHub ticket if you require a permanent import path for your custom rules.


Please note that we will also generate rule exclusions differently soon in an upcoming OPNWAF version, and use IDs that might overlap with your custom rule IDs (we start from 100001), be careful.

https://github.com/opnsense/plugins/issues/5350
Title: Re: BUSINESS Version 25.10 os-OPNWAF: Our professional apps require detailed rules
Post by: Wuensch-AG-Adm on March 26, 2026, 11:54:42 AM
I've tried something like that. Create a folder afolder,
edit /usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf
and add Include etc/apache24/afolder/*.conf in:
Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
Include etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

Copy the conf file into afolder
(tried with @pmFromFile or @contains),
restart the apache service.
I've checked that /usr/local/etc/apache24/httpd.conf is modified too.

It doesn't work after the restart of apache24.
I don't know what I'm doing wrong here.

I keep getting something like this in the logs:
[security2:error] [pid xxxxxx:tid xxxxxxxx] [client X.X.X.X:49438] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0- ..." at ARGS:mainForm:sometabview:mycompany. [file "/usr/local/etc/apache24/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "514"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: SH GmbH (8532) found within ARGS:mainForm:sometabview:mycompany: SH GmbH (8532)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.18.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [hostname "xxxxxxx.xxx"] [uri "/xxxx/xxxxx/xxxxxx.xhtml"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxx"], referer https://xxxxxxx.xxx/xxxx/xxxxx/xxxxxx.xhtml
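The log line above has a regular structure that is worth parsing rather than reading by eye: the rule id, the variable the operator matched and the matched data are exactly what you need to decide whether a rule needs a targeted exclusion for one parameter instead of being disabled outright. The following Python script is an added example, not code from the thread or from OPNsense/os-OPNWAF. It parses mod_security2 error-log events in the format shown and counts (rule id, variable) pairs. The sample log is constructed: the first event is the one quoted above with its long regex pattern shortened, the second is invented (942100 is a real CRS rule id; its variable, msg and data are made up).

```python
import re
from collections import Counter

# Constructed sample of two mod_security2 error-log events. The first is the event quoted
# in the post above with its regex pattern shortened; the second is a made-up event so the
# aggregation below has two distinct (rule id, variable) pairs to count.
SAMPLE_LOG = r'''
[security2:error] [pid xxxxxx:tid xxxxxxxx] [client X.X.X.X:49438] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]* ..." at ARGS:mainForm:sometabview:mycompany. [file "/usr/local/etc/apache24/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "514"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: SH GmbH (8532) found within ARGS:mainForm:sometabview:mycompany: SH GmbH (8532)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.18.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [hostname "xxxxxxx.xxx"] [uri "/xxxx/xxxxx/xxxxxx.xhtml"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxx"], referer https://xxxxxxx.xxx/xxxx/xxxxx/xxxxxx.xhtml
[security2:error] [pid xxxxxx:tid xxxxxxxx] [client X.X.X.X:49440] ModSecurity: Warning. Pattern match "constructed" at ARGS:mainForm:comment. [file "/usr/local/etc/apache24/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "constructed sample event"] [data "constructed"] [severity "CRITICAL"] [hostname "xxxxxxx.xxx"] [uri "/xxxx/xxxxx/xxxxxx.xhtml"] [unique_id "constructed"]
'''

# "Access denied with code 403 (phase 2)." for blocking events, "Warning." for log-only hits
ACTION_RE = re.compile(
    r'ModSecurity: (?:Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)|Warning)\.')
# the variable the operator matched: '... at ARGS:foo. [file "'
VAR_RE = re.compile(r' at (?P<var>\S+)\. \[file "')
# the trailing [key "value"] fields; values may contain escaped quotes
KV_RE = re.compile(r'\[(?P<key>[A-Za-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')


def parse_modsec_event(line):
    """Parse one mod_security2 error-log line into a dict; None if it is not such a line."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    denied = m.group("code") is not None
    event = {
        "action": "denied" if denied else "warning",
        "status": int(m.group("code")) if denied else None,
        "phase": int(m.group("phase")) if denied else None,
        "variable": None,
        "tags": [],
    }
    v = VAR_RE.search(line)
    if v:
        event["variable"] = v.group("var")
    for kv in KV_RE.finditer(line):
        key, val = kv.group("key"), kv.group("val")
        if key == "tag":
            event["tags"].append(val)   # tag repeats, so keep all of them
        else:
            event[key] = val            # file, line, id, msg, data, severity, ver, uri, ...
    return event


def hits_by_rule_and_variable(log_text):
    """Count (rule id, matched variable) pairs; these pairs are the input for a targeted exclusion."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_modsec_event(line)
        if ev and "id" in ev:
            counts[(ev["id"], ev["variable"])] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, var), n in hits_by_rule_and_variable(SAMPLE_LOG).most_common():
        print(f"{n:4d}  rule {rule_id}  on {var}")
```

Feed it your Apache error log instead of SAMPLE_LOG; a pair such as (932250, ARGS:mainForm:sometabview:mycompany) with a high count and benign matched data is the case for a per-parameter exclusion, while a rule that fires across many unrelated parameters is not.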
Title: Re: BUSINESS Version 25.10 os-OPNWAF: Our professional apps require detailed rules
Post by: Monviech (Cedrik) on March 26, 2026, 12:00:42 PM
You have to include it before any other import with the same include optional statement.

e.g.

Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-exclusions.conf <--- this one is new in the upcoming version, just as heads up
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf


I wrote that phase 1 matching rules have to be before any other ruleset inclusion.
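As an added check (not part of the thread and not OPNsense code), the Python below parses an httpd.conf excerpt, lists its Include/IncludeOptional directives in file order and verifies that the custom include appears before every modsecurity-crs include, which is the ordering the reply above asks for; the two embedded configs are the order from the question and the order from the reply, with everything but the include lines omitted. It also lints the custom rules for a point the thread does not discuss but that matters for the rule posted in the question: in ModSecurity phase 1 the request body has not been read yet, so ARGS holds only query-string arguments and a phase:1 condition on a POSTed form field cannot match. The rule file sample contains the first rule from the question plus a constructed REQUEST_URI rule (id 1001 and the path are placeholders).

```python
import re

# Constructed httpd.conf excerpts (paths as quoted in the thread, all other lines omitted):
# the include order from the question and the order recommended in the reply above.
ORDER_FROM_QUESTION = """\
Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
Include etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf
"""
ORDER_FROM_REPLY = """\
Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-exclusions.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
# IncludeOptional etc/apache24/disabled/*.conf   (commented out, must be ignored)
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf
"""

# Constructed rule file: the first rule is the one posted in the question, the second is a
# made-up REQUEST_URI rule (id 1001 and the path are placeholders) that phase 1 can evaluate.
CUSTOM_RULES = r'''
SecRule ARGS:mainForm:sometabview:mycompany "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"
SecRule REQUEST_URI "@beginsWith /placeholder-app/" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=932250"
'''

INCLUDE_RE = re.compile(r'^\s*(Include|IncludeOptional)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
SECRULE_RE = re.compile(
    r'^\s*SecRule\s+(?P<vars>\S+)\s+"(?:[^"\\]|\\.)*"\s+"(?P<actions>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE)

# collections that are empty until the request body has been read (phase 2 onwards)
BODY_ONLY = {"ARGS_POST", "ARGS_POST_NAMES", "REQUEST_BODY", "FILES", "FILES_NAMES",
             "FILES_SIZES", "FILES_TMPNAMES", "XML"}
# collections that in phase 1 hold only their query-string part
PARTIAL_IN_PHASE1 = {"ARGS", "ARGS_NAMES", "ARGS_COMBINED_SIZE"}


def include_order(conf_text):
    """Include/IncludeOptional paths in file order; comment lines are skipped."""
    paths = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            paths.append(m.group(2))
    return paths


def custom_include_precedes_crs(conf_text, custom_glob, crs_prefix="etc/apache24/modsecurity-crs/"):
    """True when custom_glob is included and sits before every modsecurity-crs include."""
    paths = include_order(conf_text)
    crs_positions = [i for i, p in enumerate(paths) if p.startswith(crs_prefix)]
    if custom_glob not in paths or not crs_positions:
        return False
    return paths.index(custom_glob) < min(crs_positions)


def phase1_rules_needing_body(rules_text):
    """(rule id, variable) for phase:1 rules whose variables depend on the request body."""
    findings = []
    for line in rules_text.splitlines():
        m = SECRULE_RE.match(line)
        if not m:
            continue
        actions = m.group("actions")
        phase = re.search(r'\bphase:(\d)', actions)
        rule_id = re.search(r'\bid:(\d+)', actions)
        if not phase or phase.group(1) != "1":
            continue
        for var in m.group("vars").split("|"):
            # strip the negation/count prefixes and the :selector part to get the collection
            collection = var.lstrip("!&").split(":", 1)[0].upper()
            if collection in BODY_ONLY or collection in PARTIAL_IN_PHASE1:
                findings.append((rule_id.group(1) if rule_id else None, var))
    return findings


if __name__ == "__main__":
    for name, conf in (("question", ORDER_FROM_QUESTION), ("reply", ORDER_FROM_REPLY)):
        ok = custom_include_precedes_crs(conf, "etc/apache24/afolder/*.conf")
        print(f"{name}: custom include before all CRS includes -> {ok}")
    for rule_id, var in phase1_rules_needing_body(CUSTOM_RULES):
        print(f"rule {rule_id}: {var} is not (fully) available in phase 1")
```

Point include_order at the rendered /usr/local/etc/apache24/httpd.conf after a service restart to confirm the template change actually landed, and run the rule lint over the files in the custom include folder; a hit on the second check means the rule needs to evaluate in a later phase, at which point its position relative to the CRS rule it removes becomes the ordering question the reply above describes.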