On 1/26/11 7:37 PM, "Chris Swanson" <[email protected]> wrote:

>Hi, we're having a hard time with the new update(s) and Lua in our
>testing environment. Here's the error we're seeing in Audit Console,
>this is opening up a single transaction:
>
>Unknown | Lua: Script execution failed: attempt to call a nil value
>Unknown | Rule processing failed.

A couple of questions -

1) Did you modify the path to Lua in the script to point to your local version?

2) Did you install the additional bitop Lua module? http://bitop.luajit.org/
It is specified at the top of the script in a require statement. This is
needed for the Octal to Decimal conversions.

3) What was the request that triggered this error?

>
>This is happening with modsecurity 2.5.13 and modsec CRS 2.1.1 on our
>Debian 5 servers, apache is configured with:
>
>./configure --prefix=/usr/local/apache --disable-userdir
>--enable-rewrite --enable-so --enable-info --enable-status --enable-ssl
>--enable-cgi --enable-unique-id --enable-mime-magic --with-included-apr
>--with-pcre=/usr/bin/pcre-config --enable-deflate --enable-expires
>--enable-headers
>
>modsecurity configured with:
>
>./configure --with-apxs=/usr/local/apache/bin/apxs
>--with-apr=/usr/local/apache/bin/apr-1-config
>
>
>I've narrowed it down to the include in our http.conf for
>modsecurity_crs_41_advanced_filters.conf, which was previously working
>as the phpids rules.
>Even further, by commenting out this section at the
>top of the 41_advanced_filters file everything works fine:
>
># Lua script to normalize input payloads
># Based on PHPIDS Converter.php code
># Reference the following whitepaper -
># http://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn
>#
>SecRuleScript ../lua/advanced_filter_converter.lua "phase:2,t:none,pass"

You can still run it in this manner, but since it will NOT be normalizing
data in the same way as PHPIDS, there will be a higher % of false
positives/false negatives.

>SecRule TX:/centrifuge_ratio/ ".*"
>"phase:2,t:none,log,capture,msg:'Centrifuge Threshold Alert - Ratio
>Value is: %{tx.0}'"
>
>
>Here are the modsecurity includes in our http.conf
>
>#modsecurity Rules
>Include conf/modsecurity.conf
>Include conf/modsecurity-crs_2.1.1/*.conf
>Include conf/modsecurity-crs_2.1.1/experimental_rules/modsecurity_crs_41_advanced_filters.conf
>Include conf/modsecurity-crs_2.1.1/optional_rules/modsecurity_crs_25_cc_known.conf
>Include conf/modsecurity-crs_2.1.1/base_rules/*conf
>
>
>With the same setup and versions of Modsecurity/Apache, CRS 2.0.10 worked
>perfectly. We could move forward without the Lua functionality, but I'm lost
>as to why such a big addition would be broken from the get-go.

We did put this in the experimental directory after all ;) Seriously, we
need more people to field test this new, advanced functionality. I applaud
you for jumping in! Don't give up on it, hopefully we can get it working
for you.

-Ryan

>Haven't
>been able to find anyone posting with a similar issue so any help would
>be greatly appreciated.
>
>
>Thanks,
>-Chris
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
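The thread turns on why the Lua converter step matters: without it, the payload the CRS regex rules see is not normalized the way PHPIDS normalizes it, so an attacker who writes `<script>` as octal escapes, hex escapes or `String.fromCharCode(...)` slips past a pattern that would match the decoded form. The block below is an added illustration, written in Python rather than Lua and not the CRS `advanced_filter_converter.lua` script or PHPIDS `Converter.php`; it shows the octal-to-decimal conversion Ryan mentions plus two sibling decoders, folds them to a fixed point so double-encoded input is also unwrapped, and then runs a simple `<script` signature over the raw and the normalized payload so the false negative is visible. The sample payloads and the signature are constructed for the demo.

```python
import re

# Constructed sample payloads for the demo (not taken from the thread or from CRS).
SAMPLES = {
    "plain":    "<script>alert(1)</script>",
    "octal":    r"\074script\076alert(1)\074/script\076",
    "hex":      r"\x3cscript\x3ealert(1)\x3c/script\x3e",
    "charcode": "String.fromCharCode(60,115,99,114,105,112,116,62)",
    # \134 is an octal backslash, so this is a hex escape hidden inside octal escapes.
    "double":   r"\134x3cscript\134x3e",
}

OCTAL_ESC = re.compile(r"\\([0-7]{1,3})")
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.IGNORECASE)

# Constructed signature standing in for a CRS-style attack regex.
SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def octal_to_decimal(digits: str) -> int:
    """Convert a 1-3 digit octal escape body ("074") to its decimal code point (60).
    Plain arithmetic here; the thread says the Lua script leans on bitop for this step."""
    value = 0
    for d in digits:
        value = value * 8 + (ord(d) - ord("0"))
    return value


def decode_octal_escapes(s: str) -> str:
    """\\NNN -> character, leaving escapes above 0xFF untouched."""
    def repl(m):
        code = octal_to_decimal(m.group(1))
        return chr(code) if code < 256 else m.group(0)
    return OCTAL_ESC.sub(repl, s)


def decode_hex_escapes(s: str) -> str:
    """\\xNN -> character."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_js_charcode(s: str) -> str:
    """String.fromCharCode(60,115,...) -> the string it would build."""
    def repl(m):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes if c < 0x110000)
    return FROMCHARCODE.sub(repl, s)


def normalize(payload: str, max_rounds: int = 5) -> str:
    """Apply every decoder until the payload stops changing, so layered encodings
    (octal wrapping hex, etc.) are unwrapped; max_rounds bounds the work per request."""
    current = payload
    for _ in range(max_rounds):
        nxt = decode_js_charcode(decode_hex_escapes(decode_octal_escapes(current)))
        if nxt == current:
            break
        current = nxt
    return current


def check(payload: str, pattern=SCRIPT_TAG) -> dict:
    """Run the signature over the raw and the normalized payload.
    raw=False, normalized=True is exactly the false negative a missing
    normalization step produces."""
    return {
        "raw": bool(pattern.search(payload)),
        "normalized": bool(pattern.search(normalize(payload))),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9s} {check(payload)}  -> {normalize(payload)!r}")
```

Running it shows every obfuscated sample missed on the raw text and caught after normalization, which is the "higher % of false negatives" Ryan warns about when the Lua step is commented out. The fixed-point loop is the part worth keeping in mind: a single decoding pass leaves the `double` sample as a hex escape string that still does not match.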
