[Owasp-modsecurity-core-rule-set] Issues with CRS3

Heinrich M. heinrichm001 at t-online.de
Thu Nov 17 13:06:11 UTC 2016


Hi,

Christian confirmed that this is a bug. He opened an issue on github:

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/648

Regards,

Heinrich

Am Dienstag, den 15.11.2016, 17:28 +0000 schrieb Jose Pablo Valcárcel
Lázaro:
> Hello.
> 
> Here there's a example where they use chain:
> https://samhobbs.co.uk/2015/09/example-whitelisting-rules-apache-mods
> ecurity-and-owasp-core-rule-set
> SecRuleUpdateActionById 981175 "chain,deny,status:501"
> 
> Have you tried with chain instead?
> 
> Regards
> 
> El mar., 15 de noviembre de 2016 17:40, Christian Folini <
> christian.folini at netnea.com> escribió:
> 
> > 
> > Hi there,
> > 
> > On Tue, Nov 15, 2016 at 04:44:15PM +0100, Heinrich M. wrote:
> > > 
> > > thank you for your great work! It is just great that there exists
> > > an
> > > open source WAF and a corresponding ruleset! Thank you.
> > You are most welcome. Glad you like it.
> > 
> > > 
> > > I'm quite new to ModSecurity. Today, I found some time to play
> > > around
> > > with ModSecurity and the new CRS release in a basic testing
> > > setup. I
> > > hope that I will be able to introduce ModSec and the CRS3 in some
> > > small
> > > prod environment soon.
> > Please keep us posted about your experience. Us, the dev team has
> > years of experience and this is in fact a big problem as we do not
> > even see the small problems and the many questions that new users
> > like you face. Your perspective is very valuable.
> > 
> > > 
> > > 1. Issue
> > > After including the new CRS rule files, apache didn't fire up.
> > > journalctl provided the following error messages:
> > > 
> > > [...] Syntax error on line 36 of
> > > 
> > /etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-
> > LEAKAGES.conf:
> > > 
> > > [...] Error parsing actions: Unknown action: \\
> > > 
> > > Workaround (I don't know what other effects of this might be...):
> > > Adding
> > > a space to line 36 resolved the issue: "t:none, \"
> > This is a known issue with older Apache versions. It is documented
> > in the CRS KNOWN_BUGS file:
> > 
> > > 
> > > * Apache 2.4 prior to 2.4.11 is affected by a bug in parsing
> > > multi-line
> > >  configuration directives, which causes Apache to fail during
> > > startup
> > >  with an error such as:
> > >    Error parsing actions: Unknown action: \\
> > >    Action 'configtest' failed.
> > > ...
> > >  We advise to upgrade your Apache version. If upgrading is not
> > > possible,
> > >  we have provided a script in the util/join-multiline-rules
> > > directory
> > >  which converts the rules into a format that works around the
> > > bug.
> > >  You have to re-run this script whenever you modify or update
> > >  the CRS rules.
> > Your workaround works equally well.
> > 
> > > 
> > > 2. Issue
> > > Changing the blocking actions did not work as documented in
> > > RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
> > > I tried to use the example  "send an error 404" (line 67 and
> > > below).
> > > With the two rules activated, blocking dind't work anymore.
> > > Removing the
> > > "chain" from the actions made blocking work again. The rules then
> > > are as
> > > follows:
> > > 
> > > SecRuleUpdateActionById 949110 "t:none,deny,status:404"
> > > SecRuleUpdateActionById 959100 "t:none,deny,status:404"
> > Ooops. I need to take a look at this. I'll be back.
> > 
> > Ahoj,
> > 
> > Christian
> > 
> > 
> > --
> > Worst-case thinking encourages society to adopt fear as of one
> > of the key principles around which the public, the government
> > and various institutions should organise their lives. It
> > institutionalises insecurity and fosters a mood of confusion
> > and powerlessness. Through popularising the belief that worst
> > cases are normal, it also encourages people to feel defenceless
> > and vulnerable to a wide range of future threats. In all but
> > name, it is an invitation to social paralysis.
> > -- Frank Furedi
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rul
> > e-set
> > 


More information about the Owasp-modsecurity-core-rule-set mailing list