Felipe,

Thank you for the quick response. Glad this is fixed.

A glitch in my lab setup made me believe a new apache showed the same
behaviour. But that was a false alarm. Thank you for pointing this out.

Cheers,

Christian

On Tue, May 31, 2016 at 12:34:32AM +0000, Felipe Costa wrote:
> Hi Christian,
>
> It seems to me that this problem is associated with a known Apache issue.
> It is related to the utilization of the continuation lines “\\” .
>
> For further details: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
>
> I made the comment #4 back in 2014:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=55910#c4
>
> I think it is fixed on Apache 2.4.11+.
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> On 5/30/16, 5:34 PM, "Christian Folini" <christian.fol...@netnea.com> wrote:
>
> >David,
> >
> >Thanks for writing in. I am X-posting this to modsec-dev as well.
> >
> >Yours is a very strange problem indeed. I am running the 3.0rc1
> >ruleset in production and have been running dozens of tests without
> >any issue.
> >
> >Here is the minimal configuration, which triggered the bug in my
> >environment (Ubuntu 14.04, apache 2.4.7, modsec 2.9.1)
> >
> >ServerName localhost
> >ServerAdmin root@localhost
> >ServerRoot /opt/apache-2.4.18
> >User www-data
> >Group www-data
> >PidFile logs/httpd.pid
> >
> >ServerTokens Prod
> >UseCanonicalName On
> >TraceEnable Off
> >
> >Timeout 300
> >MaxClients 100
> >
> >KeepAlive On
> >KeepAliveTimeout 100ms
> >
> >Listen 127.0.0.1:80
> >
> >LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
> >LoadModule unixd_module modules/mod_unixd.so
> >LoadModule authz_host_module modules/mod_authz_host.so
> >LoadModule log_config_module modules/mod_log_config.so
> >LoadModule logio_module modules/mod_logio.so
> >
> >LoadModule headers_module modules/mod_headers.so
> >LoadModule unique_id_module modules/mod_unique_id.so
> >LoadModule security2_module modules/mod_security2.so
> >
> >LoadModule mime_module modules/mod_mime.so
> >LoadModule status_module modules/mod_status.so
> >
> >LoadModule lbmethod_byrequests_module
> >modules/mod_lbmethod_byrequests.so
> >
> >LogLevel debug core:notice
> >
> >ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"
> >
> >
> >ErrorLog logs/error.log
> >
> >DocumentRoot /apache/htdocs
> >
> ># === Start ModSec Configuration
> >
> >SecRuleEngine On
> >
> >SecRequestBodyAccess On
> >SecRequestBodyLimit 10000000
> >SecRequestBodyNoFilesLimit 64000
> >
> >SecResponseBodyAccess On
> >SecResponseBodyLimit 10000000
> >
> >SecTmpDir /tmp/
> >SecDataDir /tmp/
> >SecUploadDir /tmp/
> >
> >SecDebugLog /apache/logs/modsec_debug.log
> >SecDebugLogLevel 9
> >
> >SecAuditEngine RelevantOnly
> >SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> >SecAuditLogParts ABEFHIJZ
> >
> >SecAuditLogType Concurrent
> >SecAuditLog /apache/logs/modsec_audit.log
> >SecAuditLogStorageDir /apache/logs/audit/
> >
> >SecPcreMatchLimit 500000
> >SecPcreMatchLimitRecursion 500000
> >
> >SecDefaultAction "phase:2,pass,log"
> >
> >
> >SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index
> >of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
> >  "phase:response,\
> >  rev:'2',\
> >  ver:'OWASP_CRS/3.0.0',\
> >  maturity:'9',\
> >  accuracy:'9',\
> >  t:none,\
> >  block,\
> >  id:'950110'"
> >
> >
> ><Directory />
> >  Options SymLinksIfOwnerMatch
> >  AllowOverride None
> ></Directory>
> >
> ><VirtualHost *:80>
> >  ServerName localhost
> >
> >  <Directory /apache/htdocs>
> >
> >  </Directory>
> >
> ></VirtualHost>
> >
> >
> >$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
> >AH00526: Syntax error on line 82 of
> >/opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
> >Error parsing actions: Unknown action: \\
> >
> >I tried this with 2.4.7 as well.
> >
> >If I take a single character out of the regex or out of the version
> >string (OWASP_CRS...), then the bug disappears.
> >
> >If I add a space in front of the backslash: bug disappears.
> >
> >Given the config above, I am quite sure there is a bug hidden somewhere.
> >Maybe I am overlooking something and somebody can point me to an
> >error. If that is not the case, then I think it is a bug.
> >
> >David: I suggest you open a bug report. Please open it against
> >ModSecurity and not against the Core Rules.
> >
> >Ahoj,
> >
> >Christian
> >
> >
> >On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> >> Good evening,
> >>
> >> I originally posted this at
> >> http://stackoverflow.com/questions/37369990/modsecurity-error-parsing-actions-unknown-action
> >> and it was suggested to send to this listserv as well.
> >>
> >> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> >> 2.4.7 on an Ubuntu 14.04 machine.
> >>
> >> I'm using all the rules in the /rules directory, and when trying to start
> >> Apache I receive the following error. (Note: There is no entry in the
> >> Apache error.log file for this.)
> >>
> >> AH00526: Syntax error on line 35 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> >> Error parsing actions: Unknown action: \\
> >> Action 'configtest' failed.
> >>
> >> In my troubleshooting of the *RESPONSE-50-DATA-LEAKAGES-PHP.conf*
> >> file, I combined line 35 with 34
> >>
> >> capture,ctl:auditLogParts=+E,\
> >>
> >> just to see if the line error would change (and make sure I was indeed
> >> troubleshooting the correct file) and suddenly this error is gone, and
> >> is replaced with another.
> >>
> >> AH00526: Syntax error on line 31 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> >> Error parsing actions: Unknown action: \\
> >>
> >> which again is solved by combining with the line above it.
> >>
> >> accuracy:'9',t:none,\
> >>
> >>
> >> Now it starts correctly with no error. Needless to say I'm pretty
> >> confused about this error, and more confused about the "fix" since I
> >> don't understand why removing a single line continuation would matter.
> >>
> >> Any thoughts on this? Or any suggestions to increase
> >> debug\troubleshooting?
> >>
> >> Thanks,
> >> David Angel
> >
> >> _______________________________________________
> >> Owasp-modsecurity-core-rule-set mailing list
> >> Owasp-modsecurity-core-rule-set@lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> >
> >--
> >mailto:christian.fol...@netnea.com
> >http://www.christian-folini.ch
> >twitter: @ChrFolini
> >
> >_______________________________________________
> >mod-security-developers mailing list
> >mod-security-develop...@lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >ModSecurity Services from Trustwave's SpiderLabs:
> >https://www.trustwave.com/spiderLabs.php

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
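
Added example, not part of the original thread and not ModSecurity or CRS code: the workaround David describes (combining a continued line with the line above it) automated for a whole rules file, so that an Apache build affected by the continuation-line bug never has to parse a "\" continuation. The function name and the sample rule text are constructed for illustration; the code assumes Apache's documented rule that a backslash as the very last character of a line continues the directive.

```python
# Added example (not from the thread): fold Apache-style "\" continuation
# lines so that every directive sits on one physical line.
# Assumption: a backslash as the very last character of a line continues it.

# Constructed sample modelled on the rule quoted in the thread (regex shortened).
SAMPLE = r'''SecDefaultAction "phase:2,pass,log"
SecRule RESPONSE_BODY "Index of" \
  "phase:response,\
  t:none,\
  block,\
  id:'950110'"
SecRuleEngine On
'''


def fold_continuations(text):
    """Return (folded_text, report).

    report holds (first_line_number, physical_line_count) for every
    directive that was spread over several lines in the input.
    """
    out, report = [], []
    pending, start = None, 0
    for number, line in enumerate(text.splitlines(), 1):
        if pending is None:
            pending, start = "", number
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing > 1:
            # Two or more trailing backslashes: leave this for manual review.
            raise ValueError(f"line {number}: ambiguous trailing backslashes")
        if trailing == 1:
            pending += line[:-1]  # drop the backslash, keep spacing as written
            continue
        out.append(pending + line)
        if number > start:
            report.append((start, number - start + 1))
        pending = None
    if pending is not None:
        raise ValueError(f"line {start}: continuation runs past end of file")
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    folded, report = fold_continuations(SAMPLE)
    print(folded, end="")
    for first, count in report:
        print(f"# folded {count} lines starting at line {first}")
```

The report gives the original line numbers, which helps map an AH00526 line number from the unfolded file back to the rule it belongs to.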