[Owasp-modsecurity-core-rule-set] Issues with CRS3

Heinrich M. heinrichm001 at t-online.de
Tue Nov 15 15:44:15 UTC 2016


Hi Guys,

thank you for your great work! It is just great that there exists an
open source WAF and a corresponding ruleset! Thank you.

I'm quite new to ModSecurity. Today, I found some time to play around
with ModSecurity and the new CRS release in a basic testing setup. I
hope that I will be able to introduce ModSec and the CRS3 in some small
prod environment soon.

During my first tests, I quickly came across some minor issues with the
CRS3. For reference, that is my setup:

Debian GNU/Linux 8.6 (jessie)
 - Apache/2.4.10 (Debian)
 - ModSecurity for Apache/2.8.0
both installed with apt.

I cloned the CRS from the github repository today
(https://github.com/SpiderLabs/owasp-modsecurity-crs.git), branch
v3.0/master, Commit 90596883aa103599e2aa046181c5bb79b0b6b19c.

Now, here are my issues...

1. Issue
After including the new CRS rule files, apache didn't fire up.
journalctl provided the following error messages:

[...] Syntax error on line 36 of
/etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf:
[...] Error parsing actions: Unknown action: \\

Workaround (I don't know what other effects this might have...): Adding
a space to line 36 resolved the issue: "t:none, \"

2. Issue
Changing the blocking actions did not work as documented in
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
I tried to use the example "send an error 404" (line 67 and below).
With the two rules activated, blocking didn't work anymore. Removing the
"chain" from the actions made blocking work again. The rules then are as
follows:

SecRuleUpdateActionById 949110 "t:none,deny,status:404"
SecRuleUpdateActionById 959100 "t:none,deny,status:404"


Please take a look at these issues. Not sure if this happens on other
platforms as well or if something is wrong with my configuration or
whatever... If you need additional information, let me know.

Best Regards,

Heinrich


