[I neglected to Reply-All. I accidentally sent the following to just Ryan. Oldest to newest:]
Thanks, Ryan. I'll ask on the ModSecurity mailing list about a package-management-friendly way to upgrade ModSecurity.

-----

Actually, Ryan, I just came across the 2.7 rule-removing script in your Git repo:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl

If it proves too much of a pain (I think it will) to upgrade the distro's (Ubuntu 12.04 and CentOS 6.4) ModSecurity, is that removal script the next best thing?

-----

Unless I'm doing something wrong, the script doesn't seem to do anything:

# perl /tmp/remove-2.7-actions.pl -t 2.6 -f /etc/modsecurity/optional_rules/ -n -v
Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
Processing /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf

I diffed a before and after copy of the directory, and they're the same.

On Wed, Mar 19, 2014 at 10:01 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:

> The "ver" action (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver) is
> only available in ModSecurity v2.7.x <. You need to upgrade.
>
> *Ryan Barnett*
> Lead Security Researcher, SpiderLabs
>
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Jamie Jackson <jamieja...@gmail.com>
> Date: Wednesday, March 19, 2014 9:39 AM
> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf
>
> Thanks, Ramy.
>
> Now I'm past that, and onto the next syntax error:
>
> $ sudo service apache2 restart
> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
> Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
> Error parsing actions: Unknown action: ver
> Action 'configtest' failed.
> The Apache error log may have more information.
> ...fail!
>
> Line 52 is the last of this block:
>
> SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
>   "msg:'Invalid HTTP Request Line',\
>   severity:'4',\
>   id:'960911',\
>   ver:'OWASP_CRS/2.2.9',\
>   rev:'2',\
>   maturity:'9',\
>   accuracy:'9',\
>   logdata:'%{request_line}',\
>   phase:1,\
>   block,\
>   t:none,\
>   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
>   tag:'CAPEC-272',\
>   setvar:'tx.msg=%{rule.msg}',\
>   setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
>   setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>
> On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <jackbro.pluc...@gmail.com> wrote:
>
>> Woops, that's actually a new contribution by me. My bad.
>> I guess a newbie like me needs more supervision on Pull requests =S
>>
>> The problem is actually on line 49, which specifies a "chain" where it
>> should not.
>> On line 49, replace:
>>
>> SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>
>> with:
>>
>> SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>
>> Issuing a pull request right now.
>>
>> So sorry, everyone.
>>
>> Ramy Darwish
>>
>> On 19/03/2014 13:58, Jamie Jackson wrote:
>>
>> Hi Folks,
>>
>> [Server version: Apache/2.2.22 (Ubuntu)]
>>
>> I'm following along with this guide
>> (http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server),
>> and I got to the apache restart command just before section 5.
>>
>> However, I'm getting a rule error:
>>
>> $ sudo service apache2 restart
>> [sudo] password for jamie:
>> Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
>> ModSecurity: Disruptive actions can only be specified by chain starter rules.
>> Action 'configtest' failed.
>> The Apache error log may have more information.
>> ...fail!
>>
>> The line referenced is the last line of the file (the second of the
>> following):
>>
>> SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
>> SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
>>
>> I have zero experience with ModSecurity yet, so I can't troubleshoot.
>>
>> Please help me get past this.
>>
>> Thanks,
>> Jamie
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
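
Added example (not part of the original thread and not the CRS project's own tooling): a small Python linter for the two configtest failures discussed above, a disruptive action on a non-starter chained rule and the 2.7-only actions ver, maturity and accuracy in rules loaded by ModSecurity 2.6. It assumes every rule carries its action list as the last double-quoted argument; the function names and the sample rules (adapted from the rules quoted in the thread) are constructed for illustration.

```python
import re

# Actions introduced in ModSecurity 2.7; a 2.6 parser rejects them ("Unknown action: ver").
ACTIONS_27 = {"ver", "maturity", "accuracy"}
# Disruptive actions; ModSecurity accepts them only on the first rule of a chain.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

def logical_lines(text):
    """Yield (first_line_number, joined_text) with backslash continuations merged."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        start = start or n
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield start, buf + line
        buf, start = "", None

def action_names(directive):
    """Return action names from the last double-quoted argument (assumed action list)."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', directive)
    if not quoted:
        return []
    # Split on commas that are not inside single quotes.
    parts = re.findall(r"(?:[^,']|'[^']*')+", quoted[-1])
    return [p.strip().split(":", 1)[0].strip().lower() for p in parts if p.strip()]

def lint(text):
    """Return [(line, message)] for chain misuse and 2.7-only actions."""
    findings, in_chain = [], False
    for lineno, directive in logical_lines(text):
        if not re.match(r"\s*Sec(Rule|Action)\b", directive):
            continue
        names = action_names(directive)
        for name in names:
            if name in ACTIONS_27:
                findings.append((lineno, f"2.7-only action: {name}"))
            if in_chain and name in DISRUPTIVE:
                findings.append((lineno, f"disruptive action '{name}' on a non-starter chained rule"))
        in_chain = "chain" in names  # the next rule continues this chain
    return findings

# Constructed sample: a stray "chain" on the first rule, and a "ver" action on the last.
SAMPLE = r'''SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" \
    "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
SecRule REQUEST_LINE "!^get" \
    "msg:'Invalid HTTP Request Line',id:'960911',ver:'OWASP_CRS/2.2.9',phase:1,block"
'''
```

Calling lint(SAMPLE) flags line 2, the rule that inherits the stray chain, which is also where Apache reports the error rather than on the line that introduced it.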