[Owasp-modsecurity-core-rule-set] Lua nil value error
RBarnett at trustwave.com
Wed Nov 9 12:55:53 EST 2011
On 11/9/11 12:48 PM, "Ross Lawrie" <ross at sentrypayments.com> wrote:
>On Wed, 2011-11-09 at 10:10 +0200, Josh Amishav-Zlatin wrote:
>> On Tue, Nov 8, 2011 at 6:59 PM, Ross Lawrie <ross at sentrypayments.com>
>> > This did help a little, the path was in need of updating, so I made
>> > change, but the problem persisted. This lead me to try running the lua
>> > scripts from the command line which resulted in "module 'rex_pcre' not
>> > found". I'm wondering if anyone is aware of a Debian (lenny) rex_pcre
>> Hi Ross,
>> Have you tried liblua5.1-rex-pcre0?
>> - Josh
>Unfortunately that package doesn't exist for Debian Lenny (5.0.9). It
>looks like it exists for Squeeze and higher, but at this point I can't
>quite migrate this system to Squeeze. Thanks!
A couple points about the advaced_filter_converter.lua script -
1) As you noted - there are Lua module dependencies. You will need both
rex (for extended regular expressions) and bitop. These modules are
needed in order to properly mimic the data conversion that PHPIDS'
rter.php) is doing.
2) We ran into some issues with that Lua script during the SQL Injection
sons-learned.html) where certain payloads were actually causing the Lua
script to abort... :( This script needs more testing.
3) Due to issue #2, we opted, in the latest CRS, to update the actual
PHPIDS regex filters themselves to try and include the converter logic
within the operator vs. requiring the Lua script to first normalize data.
So, if you are running the latest CRS, you can use the
modsecurity_crs_41_sql_injection_attack.conf file and not need to use the
advanced filters conf.
Hope this info helps.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
More information about the Owasp-modsecurity-core-rule-set