Never mind, so far so good, actually. I'm still learning my way around. I needed to run that script on the base_rules directory (which does undergo some changes from the script). After that, Apache starts.
Sorry about that.

Jamie

On Wed, Mar 19, 2014 at 2:05 PM, Jamie Jackson <jamieja...@gmail.com> wrote:

> Hi Ryan, I think our emails crossed. I tried the script, but it didn't
> seem to modify any files.
>
> Did I make a mistake as far as my usage?
>
> Thanks,
> Jamie
>
>
> On Wed, Mar 19, 2014 at 1:22 PM, Ryan Barnett <ryan.barn...@owasp.org> wrote:
>
>> Yes probably the best option if you can't upgrade.
>>
>> *Ryan Barnett*
>>
>> OWASP ModSecurity CRS Project Leader
>>
>> On Mar 19, 2014, at 1:12 PM, Jamie Jackson <jamieja...@gmail.com> wrote:
>>
>> [I neglected to Reply-All. I accidentally sent the following to just
>> Ryan. Oldest to newest:]
>>
>> Thanks, Ryan.
>>
>> I'll ask on the ModSecurity mailing list about a
>> package-management-friendly way to upgrade ModSecurity
>>
>> -----
>>
>> Actually, Ryan, I just came across the 2.7 rule-removing script in your
>> Git repo:
>> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl
>>
>> If it proves too much of a pain (I think it will) to upgrade the distro's
>> (Ubuntu 12.04 and CentOS 6.4) ModSecurity, is that removal script the next
>> best thing?
>>
>> -----
>>
>> Unless I'm doing something wrong, the script doesn't seem to do anything:
>>
>> # perl /tmp/remove-2.7-actions.pl -t 2.6 -f /etc/modsecurity/optional_rules/ -n -v
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
>> Processing /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
>>
>> I diffed a before and after copy of the directory, and they're the same.
>>
>>
>> On Wed, Mar 19, 2014 at 10:01 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:
>>
>>> The "ver" action (
>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ver) is
>>> only available in ModSecurity v2.7.x <. You need to upgrade.
>>>
>>> *Ryan Barnett*
>>>
>>> Lead Security Researcher, SpiderLabs
>>>
>>> *Trustwave* | SMART SECURITY ON DEMAND
>>>
>>> www.trustwave.com
>>>
>>>
>>> From: Jamie Jackson <jamieja...@gmail.com>
>>> Date: Wednesday, March 19, 2014 9:39 AM
>>> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
>>> Subject: Re: [Owasp-modsecurity-core-rule-set] Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf
>>>
>>> Thanks, Ramy.
>>>
>>> Now I'm past that, and onto the next syntax error:
>>>
>>> $ sudo service apache2 restart
>>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>>> [Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded, skipping
>>> Syntax error on line 52 of /etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
>>> Error parsing actions: Unknown action: ver
>>> Action 'configtest' failed.
>>> The Apache error log may have more information.
>>> ...fail!
>>>
>>> Line 52 is the last of this block:
>>>
>>> SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
>>> "msg:'Invalid HTTP Request Line',\
>>> severity:'4',\
>>> id:'960911',\
>>> ver:'OWASP_CRS/2.2.9',\
>>> rev:'2',\
>>> maturity:'9',\
>>> accuracy:'9',\
>>> logdata:'%{request_line}',\
>>> phase:1,\
>>> block,\
>>> t:none,\
>>> tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
>>> tag:'CAPEC-272',\
>>> setvar:'tx.msg=%{rule.msg}',\
>>> setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
>>> setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>>>
>>>
>>> On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <jackbro.pluc...@gmail.com> wrote:
>>>
>>>> Woops, that's actually a new contribution by me. My bad.
>>>> I guess a newbie like me needs more supervision on Pull requests =S
>>>>
>>>> The problem is actually on line 49, which specifies a "chain" where it
>>>> should not.
>>>> On line 49, replace:
>>>>
>>>> SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>>
>>>> with:
>>>>
>>>> SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>>>>
>>>> Issuing a pull request right now.
>>>>
>>>> So sorry, everyone.
>>>>
>>>> Ramy Darwish
>>>>
>>>>
>>>> On 19/03/2014 13:58, Jamie Jackson wrote:
>>>>
>>>> Hi Folks,
>>>>
>>>> [Server version: Apache/2.2.22 (Ubuntu)]
>>>>
>>>> I'm following along with this guide (
>>>> http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server),
>>>> and I got to the apache restart command just before section 5.
>>>>
>>>> However, I'm getting a rule error:
>>>>
>>>> $ sudo service apache2 restart
>>>> [sudo] password for jamie:
>>>> Syntax error on line 51 of /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
>>>> ModSecurity: Disruptive actions can only be specified by chain starter rules.
>>>> Action 'configtest' failed.
>>>> The Apache error log may have more information.
>>>> ...fail!
>>>>
>>>> The line referenced is the last line of the file (the second of the
>>>> following):
>>>>
>>>> SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
>>>> SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
>>>>
>>>> I have zero experience with ModSecurity yet, so I can't troubleshoot.
>>>>
>>>> Please help me get past this.
>>>>
>>>> Thanks,
>>>> Jamie
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
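
Both startup failures in this thread (a disruptive action on a rule that is not the chain starter, and `ver` being unknown to a pre-2.7 ModSecurity) can be found in a rule file before Apache is restarted. The checker below is an added example, not part of the original messages and not CRS project tooling; the function names, the constructed sample, and the list of 2.7-only actions (`ver`, `maturity`, `accuracy`, per the ModSecurity Reference Manual) are assumptions.

```python
import re

# Assumption: actions the ModSecurity Reference Manual marks as added in 2.7.
ONLY_27 = {"ver", "maturity", "accuracy"}
# Disruptive actions; ModSecurity accepts them only on the first rule of a chain.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

# Constructed sample: rules quoted in the thread, with the long regex shortened.
SAMPLE = r'''SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
SecRule REQUEST_LINE "!^get /$"\
  "msg:'Invalid HTTP Request Line',\
  ver:'OWASP_CRS/2.2.9',maturity:'9',\
  phase:1,block,id:'960911'"
'''

def directives(text):
    """Yield (last_line_no, directive), joining backslash continuations."""
    buf = ""
    for no, line in enumerate(text.splitlines(), 1):
        buf += line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
        elif buf.strip():
            yield no, buf.strip()
            buf = ""

def action_names(directive):
    """Return the action names of a SecRule/SecAction directive."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', directive)
    if len(quoted) < (2 if directive.startswith("SecRule ") else 1):
        return set()  # no action list on this directive
    bare = re.sub(r"'(?:[^'\\]|\\.)*'", "", quoted[-1])  # drop quoted values
    return {a.split(":")[0].strip() for a in bare.split(",") if a.strip()}

def lint(text, target=(2, 6)):
    """Return [(line, problem)] for rules a `target` ModSecurity would reject."""
    findings, in_chain = [], False
    for no, d in directives(text):
        if d.split()[0] not in ("SecRule", "SecAction"):
            continue
        names = action_names(d)
        if in_chain and (bad := sorted(names & DISRUPTIVE)):
            findings.append((no, "disruptive action on non-starter rule: " + ",".join(bad)))
        if target < (2, 7) and (old := sorted(names & ONLY_27)):
            findings.append((no, "2.7-only action: " + ",".join(old)))
        in_chain = "chain" in names
    return findings
```

Calling `lint(open(path).read())` on each file under `activated_rules` lists every affected rule at once, whereas `configtest` stops at the first one. Line numbers refer to the last physical line of each directive.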