Hi Ryan,

I think our emails crossed. I tried the script, but it didn't seem to modify any files. Did I make a mistake as far as my usage?

Thanks,
Jamie

On Wed, Mar 19, 2014 at 1:22 PM, Ryan Barnett <ryan.barn...@owasp.org> wrote:

> Yes probably the best option if you can't upgrade.
>
> *Ryan Barnett*
>
> OWASP ModSecurity CRS Project Leader
>
> On Mar 19, 2014, at 1:12 PM, Jamie Jackson <jamieja...@gmail.com> wrote:
>
> [I neglected to Reply-All. I accidentally sent the following to just Ryan.
> Oldest to newest:]
>
> Thanks, Ryan.
>
> I'll ask on the ModSecurity mailing list about a
> package-management-friendly way to upgrade ModSecurity
>
> -----
>
> Actually, Ryan, I just came across the 2.7 rule-removing script in your
> Git repo:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl
>
> If it proves too much of a pain (I think it will) to upgrade the distro's
> (Ubuntu 12.04 and CentOS 6.4) ModSecurity, is that removal script the next
> best thing?
>
> -----
>
> Unless I'm doing something wrong, the script doesn't seem to do anything:
>
> # perl /tmp/remove-2.7-actions.pl -t 2.6 -f /etc/modsecurity/optional_rules/ -n -v
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
> Processing /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
>
> I diffed a before and after copy of the directory, and they're the same.
>
> On Wed, Mar 19, 2014 at 10:01 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:
>
>> The "ver" action (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver) is
>> only available in ModSecurity v2.7.x <. You need to upgrade.
>>
>> *Ryan Barnett*
>>
>> Lead Security Researcher, SpiderLabs
>>
>> *Trustwave* | SMART SECURITY ON DEMAND
>>
>> www.trustwave.com
>>
>> From: Jamie Jackson <jamieja...@gmail.com>
>> Date: Wednesday, March 19, 2014 9:39 AM
>> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Subject: Re: [Owasp-modsecurity-core-rule-set] Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf
>>
>> Thanks, Ramy.
>>
>> Now I'm past that, and onto the next syntax error:
>>
>> $ sudo service apache2 restart
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>> Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
>> Error parsing actions: Unknown action: ver
>> Action 'configtest' failed.
>> The Apache error log may have more information.
>> ...fail!
>>
>> Line 52 is the last of this block:
>>
>> SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
>> "msg:'Invalid HTTP Request Line',\
>> severity:'4',\
>> id:'960911',\
>> ver:'OWASP_CRS/2.2.9',\
>> rev:'2',\
>> maturity:'9',\
>> accuracy:'9',\
>> logdata:'%{request_line}',\
>> phase:1,\
>> block,\
>> t:none,\
>> tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
>> tag:'CAPEC-272',\
>> setvar:'tx.msg=%{rule.msg}',\
>> setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
>> setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>>
>> On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <jackbro.pluc...@gmail.com> wrote:
>>
>>> Woops, that's actually a new contribution by me. My bad.
>>> I guess a newbie like me needs more supervision on Pull requests =S
>>>
>>> The problem is actually on line 49, which specifies a "chain" where it
>>> should not.
>>> On line 49, replace:
>>>
>>> SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>
>>> with:
>>>
>>> SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>
>>> Issuing a pull request right now.
>>>
>>> So sorry, everyone.
>>>
>>> Ramy Darwish
>>>
>>> On 19/03/2014 13:58, Jamie Jackson wrote:
>>>
>>> Hi Folks,
>>>
>>> [Server version: Apache/2.2.22 (Ubuntu)]
>>>
>>> I'm following along with this guide
>>> (http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server),
>>> and I got to the apache restart command just before section 5.
>>>
>>> However, I'm getting a rule error:
>>>
>>> $ sudo service apache2 restart
>>> [sudo] password for jamie:
>>> Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
>>> ModSecurity: Disruptive actions can only be specified by chain starter rules.
>>> Action 'configtest' failed.
>>> The Apache error log may have more information.
>>> ...fail!
>>>
>>> The line referenced is the last line of the file (the second of the
>>> following):
>>>
>>> SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
>>> SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
>>>
>>> I have zero experience with ModSecurity yet, so I can't troubleshoot.
>>>
>>> Please help me get past this.
>>>
>>> Thanks,
>>> Jamie
>>>
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>> ------------------------------
>>
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, or use of the information contained
>> herein (including any reliance thereon) is strictly prohibited. If you
>> received this transmission in error, please immediately contact the sender
>> and destroy the material in its entirety, whether in electronic or hard
>> copy format.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
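The two load-time errors reported in this thread (a disruptive action inside a chained rule, and the "Unknown action: ver" failure on ModSecurity 2.6) can be checked for before restarting Apache. The following is an added example, not part of any message above and not CRS project code; the `lint` helper, the shortened `REQUEST_LINE` regex in the sample, and the inclusion of `maturity` and `accuracy` alongside `ver` are assumptions of this example.

```python
import re

# `ver` is the action named in the thread; `maturity` and `accuracy` are added
# here (assumption) as the other metadata actions introduced in ModSecurity 2.7.
ONLY_27 = {"ver", "maturity", "accuracy"}
# Common disruptive actions, not an exhaustive list.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted SecRule argument
ACTION = re.compile(r"(?:[^,']|'[^']*')+")     # split on commas outside '...'

# Constructed sample built from the rules quoted in the thread (regex shortened).
SAMPLE = r'''SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog"
SecRule REQUEST_LINE "!^get /$" \
  "msg:'Invalid HTTP Request Line',id:'960911',\
  ver:'OWASP_CRS/2.2.9',rev:'2',maturity:'9',accuracy:'9',\
  phase:1,block,t:none"
'''

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def lint(text):
    """Return [(line, message)] for the two configtest failures in the thread."""
    findings, in_chain = [], False
    for no, line in logical_lines(text):
        if not line.lstrip().startswith("SecRule"):
            continue
        args = QUOTED.findall(line)
        actions = args[-1] if len(args) >= 2 else ""
        names = {a.strip().split(":", 1)[0].lower() for a in ACTION.findall(actions)}
        if in_chain and names & DISRUPTIVE:
            hit = ",".join(sorted(names & DISRUPTIVE))
            findings.append((no, "disruptive action in chained rule: " + hit))
        if names & ONLY_27:
            findings.append((no, "2.7-only action: " + ",".join(sorted(names & ONLY_27))))
        in_chain = "chain" in names   # the next SecRule belongs to this chain
    return findings
```

Running `lint` over the sample flags the second rule, which becomes a chained rule only because of the stray `chain` on the first, and the rule carrying the 2.7 metadata actions.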