ModSecurity Question

OK, I read a lot here in the forums about ModSecurity 2 and that it is better to use it. I already installed it and it is running with the Core Rule Set in detection mode. Two questions about this module:


1) Is it really, really necessary to use this module? Are there any facts, or is it just a better-than-none scenario?

2) Does anybody have Dolphin 7.0.9 running with ModSecurity without any false positives? If so, is it possible to share these rules? My log is full of modsec warnings coming from Dolphin itself. That's really too much work for me right now. So I hope somebody can share a working 7.0.9 ruleset.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 6 Apr 2012

I don't think there are many people here using it other than myself and a few people I installed it for. To answer your questions:

 

1. Is it necessary? No... Is it smart to use it? YES. If you look at your logs there are people trying 24/7 to log into your SSH, FTP, Email, cPanel and WHM. Not to mention the people trying to plant rootkits and shells on your server. Modsec will block all that and then some. You can also use it to cut out all the spammers.

 

2. I've had several sites running with Dolphin 7.0.7 and using the default modsec2 ruleset for a long time now. The only problem I've had is with one rule:

Rule ID: 950004

It's one of the xss rules and it blocks any time someone tries to use one of the smilies in Dolphin. You can just comment it out in the modsec config with #. You should also whitelist your administration directory because you don't want to be blocked yourself.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 6 Apr 2012

Hi mscott,

I really want to run it, but using the CRS just gives me so many warnings in detection mode that I am already thinking about not using it. So you have no such errors in your logs?

Quote · 7 Apr 2012

My logs are full of people being blocked but it's all people trying to do things they shouldn't be doing. No real users using the site are ever blocked.

Quote · 7 Apr 2012

That's strange, because if I visit my website and just click around with my mouse, ModSecurity already starts shouting about "critical" severities -> SQL Injection and so on. Maybe we use different rule sets?

Quote · 7 Apr 2012
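
An added example, not part of any post in this thread: one way to work through a detection-mode log like the one described above is to browse the site from a known address and then list which rule IDs fired on that benign traffic, separately from everyone else's hits. The log lines, IP addresses, file path, URIs and message texts below are constructed samples in the Apache 2.2 error-log layout that ModSecurity 2.x writes; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log (addresses are documentation ranges, URIs are assumed).
SAMPLE_LOG = '''\
[Sat Apr 07 10:01:12 2012] [error] [client 203.0.113.10] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "/etc/modsecurity/crs/xss.conf"] [line "1"] [id "950004"] [msg "sample XSS message"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/mail.php"] [unique_id "AAAA"]
[Sat Apr 07 10:01:40 2012] [error] [client 203.0.113.10] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/modsecurity/crs/sqli.conf"] [line "2"] [id "950901"] [msg "sample SQLi message"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/search.php"] [unique_id "AAAB"]
[Sat Apr 07 10:02:03 2012] [error] [client 203.0.113.10] ModSecurity: Warning. Pattern match "..." at ARGS:bio. [file "/etc/modsecurity/crs/sqli.conf"] [line "2"] [id "950901"] [msg "sample SQLi message"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/profile.php"] [unique_id "AAAC"]
[Sat Apr 07 10:03:15 2012] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/etc/modsecurity/crs/sqli.conf"] [line "2"] [id "950901"] [msg "sample SQLi message"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/index.php"] [unique_id "AAAD"]
[Sat Apr 07 10:04:00 2012] [error] [client 198.51.100.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/crs/protocol.conf"] [line "3"] [id "960015"] [msg "sample protocol message"] [severity "NOTICE"] [hostname "www.example.test"] [uri "/index.php"] [unique_id "AAAE"]
[Sat Apr 07 10:05:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "950004"], [uri "/x"], ...
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')

def parse_line(line):
    """Return client, rule id, uri and msg for a ModSecurity line, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    client = CLIENT_RE.search(line)
    return {"client": client.group(1) if client else "-", "id": fields["id"],
            "uri": fields.get("uri", "-"), "msg": fields.get("msg", "")}

def summarize(log_text, tester_ip):
    """Per rule id: hits from the tester's own benign browsing vs. all other clients."""
    rules = defaultdict(lambda: {"msg": "", "tester_hits": 0,
                                 "other_hits": 0, "tester_uris": set()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        rule = rules[event["id"]]
        rule["msg"] = event["msg"]
        if event["client"] == tester_ip:
            rule["tester_hits"] += 1
            rule["tester_uris"].add(event["uri"])
        else:
            rule["other_hits"] += 1
    return dict(rules)

def review_candidates(summary):
    """Rule ids that fired on known-benign traffic, most frequent first."""
    hit = [(rid, r["tester_hits"]) for rid, r in summary.items() if r["tester_hits"]]
    return [rid for rid, _ in sorted(hit, key=lambda pair: (-pair[1], pair[0]))]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "203.0.113.10")
    for rid in review_candidates(report):
        print(rid, report[rid]["tester_hits"], sorted(report[rid]["tester_uris"]))
```

Rules that appear only under other clients are not false-positive candidates from this test; the listed ones still need a look at the matched parameter before any exclusion is written.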

This really is odd. I originally installed 2.5 and started with that default rule set and then I upgraded to 2.6 but still have the same set. The only one I removed was the one I mentioned that was blocking people from posting smilies.

Quote · 7 Apr 2012

Where do you get the CRS from, and which version is it?

Quote · 7 Apr 2012
 
 