The "ver" action (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver) is only available in ModSecurity v2.7.x <. You need to upgrade.
Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jamie Jackson <jamieja...@gmail.com>
Date: Wednesday, March 19, 2014 9:39 AM
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf

Thanks, Ramy. Now I'm past that, and onto the next syntax error:

    $ sudo service apache2 restart
    [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
    [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
    [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
    Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
    Error parsing actions: Unknown action: ver
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!
Line 52 is the last of this block:

    SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
      "msg:'Invalid HTTP Request Line',\
      severity:'4',\
      id:'960911',\
      ver:'OWASP_CRS/2.2.9',\
      rev:'2',\
      maturity:'9',\
      accuracy:'9',\
      logdata:'%{request_line}',\
      phase:1,\
      block,\
      t:none,\
      tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
      tag:'CAPEC-272',\
      setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
      setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <jackbro.pluc...@gmail.com> wrote:

Woops, that's actually a new contribution by me. My bad. I guess a newbie like me needs more supervision on Pull requests =S

The problem is actually on line 49, which specifies a "chain" where it should not. On line 49, replace:

    SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

with:

    SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

Issuing a pull request right now. So sorry, everyone.

Ramy Darwish

On 19/03/2014 13:58, Jamie Jackson wrote:

Hi Folks,

[Server version: Apache/2.2.22 (Ubuntu)]

I'm following along with this guide (http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server), and I got to the apache restart command just before section 5. However, I'm getting a rule error:

    $ sudo service apache2 restart
    [sudo] password for jamie:
    Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
    ModSecurity: Disruptive actions can only be specified by chain starter rules.
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!
The line referenced is the last line of the file (the second of the following):

    SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
    SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"

I have zero experience with ModSecurity yet, so I can't troubleshoot. Please help me get past this.

Thanks,
Jamie

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
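Both failures in this thread can be caught before restarting Apache. The following is an added example, not code from the thread or from the CRS project: a small pre-flight lint that flags a disruptive action inside a non-starter chain rule and the `ver` action on an engine older than 2.7. The sample rules are constructed from the ones quoted above (the last one abridged), the installed version `(2, 6)` is an assumption, and the disruptive-action set is a partial list.

```python
import re

# Partial list of ModSecurity v2 disruptive actions (assumption of this sketch).
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
# Per the reply in this thread, "ver" requires ModSecurity 2.7.x.
MIN_VERSION = {"ver": (2, 7)}

def logical_lines(text):
    """Yield (first_line_no, joined_text), folding backslash continuations."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def action_names(rule):
    """Action names from the last double-quoted argument of a SecRule."""
    args = re.findall(r'"((?:[^"\\]|\\.)*)"', rule)
    # Split on commas, but keep commas that sit inside single quotes.
    tokens = re.findall(r"(?:'[^']*'|[^,'])+", args[-1] if len(args) > 1 else "")
    return [t.split(":", 1)[0].strip().lower() for t in tokens]

def lint(text, installed=(2, 6)):
    """Return (first line of rule, message) findings for a rules file."""
    findings, in_chain = [], False
    for no, line in logical_lines(text):
        if not line.lstrip().startswith("SecRule"):
            continue
        names = action_names(line)
        if in_chain:  # this rule continues a chain opened by the previous rule
            for bad in sorted(DISRUPTIVE.intersection(names)):
                findings.append((no, f"disruptive action '{bad}' in non-starter chain rule"))
        for name in names:
            if installed < MIN_VERSION.get(name, (0, 0)):
                need = ".".join(map(str, MIN_VERSION[name]))
                findings.append((no, f"action '{name}' needs ModSecurity {need}"))
        in_chain = "chain" in names
    return findings

# Constructed sample: the stray "chain" rule, the two rules after it, an abridged 960911.
SAMPLE = r'''SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
SecRule REQUEST_LINE "!^get /" \
  "msg:'Invalid HTTP Request Line',id:'960911',\
  ver:'OWASP_CRS/2.2.9',phase:1,block,t:none"'''

if __name__ == "__main__":
    print("\n".join(f"line {no}: {msg}" for no, msg in lint(SAMPLE)))
```

Line numbers in the findings are the first line of each rule within the text passed in, which can differ from the line Apache names in its error.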