Yes probably the best option if you can't upgrade.

Ryan Barnett
OWASP ModSecurity CRS Project Leader

> On Mar 19, 2014, at 1:12 PM, Jamie Jackson <jamieja...@gmail.com> wrote:
>
> [I neglected to Reply-All. I accidentally sent the following to just Ryan.
> Oldest to newest:]
>
> Thanks, Ryan.
>
> I'll ask on the ModSecurity mailing list about a package-management-friendly
> way to upgrade ModSecurity
>
> -----
>
> Actually, Ryan, I just came across the 2.7 rule-removing script in your Git
> repo:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl
>
> If it proves too much of a pain (I think it will) to upgrade the distro's
> (Ubuntu 12.04 and CentOS 6.4) ModSecurity, is that removal script the next
> best thing?
>
> -----
>
> Unless I'm doing something wrong, the script doesn't seem to do anything:
>
> # perl /tmp/remove-2.7-actions.pl -t 2.6 -f /etc/modsecurity/optional_rules/ -n -v
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
>
> I diffed a before and after copy of the directory, and they're the same.
>
>> On Wed, Mar 19, 2014 at 10:01 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:
>> The "ver" action
>> (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver) is
>> only available in ModSecurity v2.7.x <. You need to upgrade.
>>
>> Ryan Barnett
>> Lead Security Researcher, SpiderLabs
>>
>> Trustwave | SMART SECURITY ON DEMAND
>> www.trustwave.com
>>
>> From: Jamie Jackson <jamieja...@gmail.com>
>> Date: Wednesday, March 19, 2014 9:39 AM
>> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org"
>> <owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Subject: Re: [Owasp-modsecurity-core-rule-set] Syntax error on line 51 of
>> /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf
>>
>> Thanks, Ramy.
>>
>> Now I'm past that, and onto the next syntax error:
>>
>> $ sudo service apache2 restart
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
>> Error parsing actions: Unknown action: ver
>> Action 'configtest' failed.
>> The Apache error log may have more information.
>> ...fail!
>>
>> Line 52 is the last of this block:
>>
>> SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
>>     "msg:'Invalid HTTP Request Line',\
>>     severity:'4',\
>>     id:'960911',\
>>     ver:'OWASP_CRS/2.2.9',\
>>     rev:'2',\
>>     maturity:'9',\
>>     accuracy:'9',\
>>     logdata:'%{request_line}',\
>>     phase:1,\
>>     block,\
>>     t:none,\
>>     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
>>     tag:'CAPEC-272',\
>>     setvar:'tx.msg=%{rule.msg}',\
>>     setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
>>     setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>>
>>> On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <jackbro.pluc...@gmail.com> wrote:
>>> Woops, that's actually a new contribution by me. My bad.
>>> I guess a newbie like me needs more supervision on Pull requests =S
>>>
>>> The problem is actually on line 49, which specifies a "chain" where it
>>> should not.
>>> On line 49, replace:
>>>
>>> SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>
>>> with:
>>>
>>> SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>
>>> Issuing a pull request right now.
>>>
>>> So sorry, everyone.
>>>
>>> Ramy Darwish
>>>
>>> On 19/03/2014 13:58, Jamie Jackson wrote:
>>>> Hi Folks,
>>>>
>>>> [Server version: Apache/2.2.22 (Ubuntu)]
>>>>
>>>> I'm following along with this guide
>>>> (http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server),
>>>> and I got to the apache restart command just before section 5.
>>>>
>>>> However, I'm getting a rule error:
>>>>
>>>> $ sudo service apache2 restart
>>>> [sudo] password for jamie:
>>>> Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
>>>> ModSecurity: Disruptive actions can only be specified by chain starter rules.
>>>> Action 'configtest' failed.
>>>> The Apache error log may have more information.
>>>> ...fail!
>>>>
>>>> The line referenced is the last line of the file (the second of the
>>>> following):
>>>>
>>>> SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
>>>> SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
>>>>
>>>> I have zero experience with ModSecurity yet, so I can't troubleshoot.
>>>>
>>>> Please help me get past this.
>>>>
>>>> Thanks,
>>>> Jamie
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>> This transmission may contain information that is privileged, confidential,
>> and/or exempt from disclosure under applicable law. If you are not the
>> intended recipient, you are hereby notified that any disclosure, copying,
>> distribution, or use of the information contained herein (including any
>> reliance thereon) is strictly prohibited. If you received this transmission
>> in error, please immediately contact the sender and destroy the material in
>> its entirety, whether in electronic or hard copy format.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
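
Both configtest failures in this thread (`Unknown action: ver` on a pre-2.7 ModSecurity, and the stray `chain` that left rule 981064 carrying `pass` as a non-starter) can be found in rule files before Apache is restarted. The Python linter below is an added example, not code from the thread or from the CRS project. Assumptions: the function names, the shortened operator on rule 960911, the made-up starter rule with id 1, and treating `maturity` and `accuracy` as 2.7-only alongside `ver`.

```python
import re
import shlex

# "ver" is the action the thread trips over; "maturity" and "accuracy" are
# assumed here to need ModSecurity 2.7 as well.
V27_ONLY = {"ver", "maturity", "accuracy"}
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "pause", "proxy", "redirect"}
COMMA = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")  # commas outside '...'

# Constructed sample: rule 960911 with a shortened operator, then the
# session-hijacking rules from the thread behind a made-up chain starter.
SAMPLE = r'''SecRule REQUEST_LINE "!^(?i:get /.*)$" \
    "msg:'Invalid HTTP Request Line',id:'960911',\
    ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',phase:1,block,t:none"
SecRule REMOTE_ADDR "^(\d+\.\d+\.\d+\.)" "chain,capture,phase:5,id:'1',nolog,pass"
SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
'''


def rules(text):
    """Yield (first_line_no, action_names) for each SecRule/SecAction."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        start = start if buf else no
        buf += line.strip()
        if buf.endswith("\\"):            # rule continues on the next line
            buf = buf[:-1] + " "
            continue
        logical, buf = buf, ""
        if logical.startswith(("SecRule ", "SecAction ")):
            args = shlex.split(logical)
            idx = 3 if args[0] == "SecRule" else 1   # position of the action list
            acts = args[idx] if len(args) > idx else ""
            yield start, [a.split(":", 1)[0].strip().lower()
                          for a in COMMA.split(acts) if a.strip()]


def lint(text, modsec_27=False):
    """Return (line, message) findings for the two errors in the thread."""
    findings, chained = [], False
    for line, names in rules(text):
        if not modsec_27:
            findings += [(line, "Unknown action: " + n) for n in names if n in V27_ONLY]
        if chained and DISRUPTIVE & set(names):
            findings.append((line, "disruptive action outside chain starter"))
        chained = "chain" in names
    return findings
```

Each finding carries the first line of the rule that holds the offending action, which is not necessarily the line number Apache prints.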