There's your problem – rev:'2.0.5' - that is really old. Current ver is 2.2.7. Use the rules from GitHub. Download with this link -
https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

-Ryan

From: Emmanuel Darko <eda...@promnetwork.com>
Date: Thursday, February 28, 2013 2:14 PM
To: Ryan Barnett <rbarn...@trustwave.com>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RE: [Owasp-modsecurity-core-rule-set] Problem starting Apache due to Modsecurity. Need Help

Ours looks like:

    SecMarker BEGIN_ACCEPT_CHECK
    SecRule &REQUEST_HEADERS:Accept "@eq 0" \
        "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
    SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
    SecRule REQUEST_HEADERS:Accept "^$" \
        "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
    SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
    SecMarker END_ACCEPT_CHECK

-Emmanuel

From: Ryan Barnett [rbarn...@trustwave.com]
Sent: Thursday, February 28, 2013 2:02 PM
To: Emmanuel Darko; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Problem starting Apache due to Modsecurity. Need Help

From: Emmanuel Darko <eda...@promnetwork.com>
Date: Thursday, February 28, 2013 10:44 AM
To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Problem starting Apache due to Modsecurity. Need Help

We use Apache RHEL 5 and we administered a patch a couple of days ago and Apache would not start due to error shown below:

    Syntax error on line 47 of /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf:
    ModSecurity: SkipAfter actions can only be specified by chain starter rules

Any help with this as Google has not helped much.

Emmanuel

See line 47 here - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_21_protocol_anomalies.conf
What does yours look like?

-Ryan

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
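
An added example, not part of the thread or of the CRS project: a small Python check that reports every `skipAfter` placed on a non-starter rule of a chain, which is the placement the Apache error above rejects. The sample rules are a trimmed, constructed copy of the quoted ones, and `find_misplaced_skipafter` and its helpers are hypothetical names.

```python
import re
import shlex

# Constructed sample: the chained rule layout quoted in the thread (tags and setvars trimmed).
SAMPLE = r'''
SecMarker BEGIN_ACCEPT_CHECK
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing an Accept Header',severity:'2',id:'960015'"
SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}'"
SecMarker END_ACCEPT_CHECK
'''

def action_names(actions):
    """Split an action list on commas outside single quotes; return lowercased names."""
    parts = re.findall(r"(?:[^,']|'[^']*')+", actions)
    return [p.split(":", 1)[0].strip().lower() for p in parts]

def logical_lines(text):
    """Yield (first_line_number, directive) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, buf + line
        buf, start = "", 0

def find_misplaced_skipafter(text):
    """Return (line, starter_id) for each skipAfter on a rule that is not a chain starter."""
    findings, in_chain, starter_id = [], False, None
    for lineno, directive in logical_lines(text):
        # Assumption: Apache directive quoting is close enough to POSIX quoting for shlex.
        tokens = [] if directive.startswith("#") else shlex.split(directive)
        if not tokens or tokens[0].lower() != "secrule":
            continue
        actions = tokens[3] if len(tokens) > 3 else ""
        names = action_names(actions)
        if in_chain and "skipafter" in names:
            findings.append((lineno, starter_id))
        if not in_chain:  # this rule starts a chain or stands alone; remember its id
            m = re.search(r"\bid:'?(\d+)", actions)
            starter_id = m.group(1) if m else None
        in_chain = "chain" in names  # the next SecRule continues this chain
    return findings

print(find_misplaced_skipafter(SAMPLE))
```

`apachectl configtest` reports the same condition but stops at the first syntax error, while this check lists every occurrence in the text it is given.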