[Owasp-modsecurity-core-rule-set] Issues with CRS3
heinrichm001 at t-online.de
Tue Nov 15 15:44:15 UTC 2016
thank you for your great work! It is just great that there exists an
open source WAF and a corresponding ruleset! Thank you.
I'm quite new to ModSecurity. Today, I found some time to play around
with ModSecurity and the new CRS release in a basic testing setup. I
hope that I will be able to introduce ModSec and the CRS3 in some small
prod environment soon.
During my first tests, I quickly came across some minor issues with the
CRS3. For reference, that is my setup:
Debian GNU/Linux 8.6 (jessie)
- Apache/2.4.10 (Debian)
- ModSecurity for Apache/2.8.0
both installed with apt.
I cloned the CRS from the github repository today
v3.0/master, Commit 90596883aa103599e2aa046181c5bb79b0b6b19c.
Now, here are my issues...
After including the new CRS rule files, apache didn't fire up.
journalctl provided the following error messages:
[...] Syntax error on line 36 of
[...] Error parsing actions: Unknown action: \\
Workaround (I don't know what other effects of this might be...): Adding
a space to line 36 resolved the issue: "t:none, \"
Changing the blocking actions did not work as documented in
I tried to use the example "send an error 404" (line 67 and below).
With the two rules activated, blocking dind't work anymore. Removing the
"chain" from the actions made blocking work again. The rules then are as
SecRuleUpdateActionById 949110 "t:none,deny,status:404"
SecRuleUpdateActionById 959100 "t:none,deny,status:404"
Please take a look at these issues. Not sure if this happens on other
platforms as well or if something is wrong with my configuration or
whatever... If you need additional information, let me know.
More information about the Owasp-modsecurity-core-rule-set