Hey Ryan, thanks for the quick response.

> A couple questions -
> 
> 1) Did you modify the path to Lua in the script to point to your local
> version?
> 2) Did you install the additional bitop Lua module?
> http://bitop.luajit.org/
>    It is specified at the top of the script in a require statement. This
> is needed for the Octal to Decimal conversions.

I was missing Bitop. I've installed it from source, changed the install
path for Debian, and I believe it's working, as we can run the included
bitbench.lua with no errors. The Lua problem still exists.

> 3) What was the request that triggered this error?

It triggers on any request; the one I've been using the most is
accessing the page via IP instead of hostname. Here's a breakdown of all
the information regarding the request:

----------------------


Alert Messages:
The following messages have been raised for this event:

Severity   Rule ID   Message
UNKNOWN              Lua: Script execution failed: attempt to call a nil value
                     Rule-Message:
UNKNOWN              Rule processing failed.
                     Rule-Message:


Rules Section

The following rules have been fired for this event:
SecAction phase:1 t:none nolog pass setvar:tx.anomaly_score_blocking=on
SecAction phase:1 t:none nolog pass setvar:tx.critical_anomaly_score=5
    setvar:tx.error_anomaly_score=4 setvar:tx.warning_anomaly_score=3
    setvar:tx.notice_anomaly_score=2
SecAction phase:1 t:none nolog pass
    setvar:tx.inbound_anomaly_score_level=5
SecAction phase:1 t:none nolog pass
    setvar:tx.outbound_anomaly_score_level=4
SecAction phase:1 t:none nolog pass setvar:tx.paranoid_mode=0
SecAction phase:1 t:none nolog pass setvar:tx.max_num_args=255
SecAction phase:1 t:none nolog pass setvar:'tx.allowed_methods=GET HEAD
    POST OPTIONS'
    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded
    multipart/form-data text/xml application/xml application/x-amf'
    setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1'
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/
    .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/
    .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/
    .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/
    .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'
    setvar:'tx.restricted_headers=/Lock-Token/ /Content-Range/ /Translate/ /via/
    /if/'
SecRule REQUEST_HEADERS:User-Agent @rx ^(.*)$ phase:1 t:none pass nolog
    t:sha1 t:hexEncode setvar:tx.ua_hash=%{matched_var}
SecAction phase:1 t:none pass nolog initcol:global=global
    initcol:ip=%{remote_addr}_%{tx.ua_hash}
SecAction phase:4 t:none nolog skipAfter:END_KNOWN_CC_OUTBOUND_CHECK\


Request

GET / HTTP/1.1
Host: 172.16.100.191
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.200 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


----------------------

> You can still run it in this manner but since it will NOT be normalizing
> data in the same way as PHPIDS, there will be a higher % of false
> positives/false negatives.
> We did put this in the experimental directory after all ;)

True enough!

>  Seriously, we
> need more people to field test this new, advanced functionality.  I
> applaud you for jumping in!  Don't give up on it, hopefully we can get it
> working for you.
> 
> -Ryan

Glad we can help out, we will keep on it until it's resolved.

-Chris
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
