[Owasp-modsecurity-core-rule-set] Lua nil value error

Ross Lawrie ross at sentrypayments.com
Wed Nov 9 13:34:56 EST 2011


On Wed, 2011-11-09 at 11:55 -0600, Ryan Barnett wrote:
> On 11/9/11 12:48 PM, "Ross Lawrie" <ross at sentrypayments.com> wrote:
> 
> >On Wed, 2011-11-09 at 10:10 +0200, Josh Amishav-Zlatin wrote:
> >> On Tue, Nov 8, 2011 at 6:59 PM, Ross Lawrie <ross at sentrypayments.com>
> >>wrote:
> >>
> >> > This did help a little, the path was in need of updating, so I made
> >>that
> >> > change, but the problem persisted. This lead me to try running the lua
> >> > scripts from the command line which resulted in "module 'rex_pcre' not
> >> > found". I'm wondering if anyone is aware of a Debian (lenny) rex_pcre
> >>
> >> Hi Ross,
> >>
> >> Have you tried liblua5.1-rex-pcre0?
> >>
> >> --
> >>  - Josh
> >
> >Josh,
> >
> >Unfortunately that package doesn't exist for Debian Lenny (5.0.9). It
> >looks like it exists for Squeeze and higher, but at this point I can't
> >quite migrate this system to Squeeze. Thanks!
> >
> >Ross.
> 
> 
> Hey Ross,
> A couple points about the advaced_filter_converter.lua script -
> 
> 1) As you noted - there are Lua module dependencies.  You will need both
> rex (for extended regular expressions) and bitop.  These modules are
> needed in order to properly mimic the data conversion that PHPIDS'
> converter.php script
> (https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/Conve
> rter.php)  is doing.
> 
> 2) We ran into some issues with that Lua script during the SQL Injection
> Challenge
> (http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-les
> sons-learned.html) where certain payloads were actually causing the Lua
> script to abort... :(  This script needs more testing.
> 
> 3) Due to issue #2, we opted, in the latest CRS, to update the actual
> PHPIDS regex filters themselves to try and include the converter logic
> within the operator vs. requiring the Lua script to first normalize data.
> So, if you are running the latest CRS, you can use the
> modsecurity_crs_41_sql_injection_attack.conf file and not need to use the
> advanced filters conf.
> 
> Hope this info helps.
> 
> -Ryan
> 

Great, I'll try rolling out the latest CRS (v2.2.2 right?) and leave out
the advanced_filters. Thanks so much for the help and advice!

Ross.


> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
> 




More information about the Owasp-modsecurity-core-rule-set mailing list