On Fri, 2011-11-04 at 17:57 -0500, Ryan Barnett wrote: > On 11/4/11 6:41 PM, "Ross Lawrie" <[email protected]> wrote: > > >On Fri, 2011-11-04 at 16:58 -0500, Ryan Barnett wrote: > >> On 11/4/11 4:29 PM, "Ross Lawrie" <[email protected]> wrote: > >> > >> >Hi, > >> > > >> >I've done some searches hoping to find some help, and while I did find > >>a > >> >reference to the same error earlier in the list, I didn't see a clear > >> >solution - or at least one that seemed clear to me. > >> > > >> >I'm looking at getting ModSecurity upgraded on our web server, using > >> >2.6.2 with the 2.2.0 CRS. What I'm encountering is a Lua error that has > >> >me confused. > >> > > >> > Message: Lua: Script execution failed: attempt to call a nil value > >> > Message: Rule processing failed. > >> > >> Do you happen to have Selinux running? I believe I ran into this > >>recently > >> as well with a Lua script. Although I had set OS level permissions > >>which > >> allowed my Apache user to read/execute the Lua scripts, the Selinux > >> permissions were not set correctly and I got a similar error message. > >>If > >> this is the case, then you will want to execute the chcon command to set > >> appropriate context for the Lua scripts/directory to allow the httpd > >> process to read/execute it. See a similar post here - > >> http://permalink.gmane.org/gmane.comp.apache.mod-security.user/7268 > >> > >> -Ryan > > > >Hi Ryan, > > > >Thanks for the reply, unfortunately selinux is not active on the machine > >in question. Events are successfully going to our SecAuditLogStorageDir, > >so I believe the permissions are okay on it. > > > >I've increased the SecDebugLogLevel to 9, and I think this is the > >relevant entries from the resulting log, not sure if it's of any help: > > > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][4] Recipe: > >Invoking rule 2ccfde8; [file > >"/usr/local/apache/conf/modsecurity-crs_2.2.0/activated_rules/modsecurity_ > >crs_41_advanced_filters.conf"] [line "17"]. > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][5] Rule 2ccfde8: > >SecRuleScript "@" "phase:2,log,t:none,pass" > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][8] Lua: Executing > >script: > >/usr/local/apache/conf/modsecurity-crs_2.2.0/activated_rules/../lua/advanc > >ed_filter_converter.lua > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][1] Lua: Script > >execution failed: attempt to call a nil value > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][4] Rule returned > >-1. > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][1] Rule processing > >failed. > >[04/Nov/2011:15:31:43 --0700] > >[xxxxxxxxx.xxx/sid#36acbf0][rid#3ad72f0][/xxxxxx.cgi][9] Rule failed, > >not chained -> mode NEXT_RULE. > > > >Ross. > > Update the path to Lua in the advanced_filter_converter.lua script to > ensure it matches where the lua binary is installed on your system. See > if that helps. > > -Ryan
Ryan, This did help a little, the path was in need of updating, so I made that change, but the problem persisted. This lead me to try running the lua scripts from the command line which resulted in "module 'rex_pcre' not found". I'm wondering if anyone is aware of a Debian (lenny) rex_pcre package, or an easy way to install it - I've been struggling with the source from http://luaforge.net/projects/lrexlib/ with little luck so far (it's looking like some issues on amd64, but I'm not certain). Appreciate any pointers that anyone might have. Ross. > > > > > > > > > > >> > >> > >> > > >> >This is an installation on a Debian 5.0.9 server, I believe that the > >> >necessary requirements are installed: > >> > > >> >libapr1 : 1.2.12-5+lenny4 > >> >libapr1-dev : 1.2.12-5+lenny4 > >> >libaprutil1 : 1.2.12+dfsg-8+lenny5 > >> >libaprutil1-dev : 1.2.12+dfsg-8+lenny5 > >> >lua5.1 : 5.1.3-1 > >> >liblua5.1-0 : 5.1.3-1 > >> >liblua5.1-0-dev : 5.1.3-1 > >> >libpcre3 : 7.6-2.1 > >> >libpcre3-dev : 7.6-2.1 > >> >libxml2 : 2.6.32.dfsg-5+lenny4 > >> >libxml2-dev : 2.6.32.dfsg-5+lenny4 > >> > > >> >Apache 2.2.21 is installed from source using the following configure: > >> > > >> >./configure \ > >> >--prefix=/usr/local/apache \ > >> >--disable-userdir \ > >> >--enable-rewrite \ > >> >--enable-so \ > >> >--enable-status \ > >> >--enable-info \ > >> >--enable-ssl \ > >> >--enable-cgi \ > >> >--enable-unique-id \ > >> >--enable-mime-magic \ > >> >--with-included-apr \ > >> >--with-pcre=/usr/bin/pcre-config \ > >> >--enable-deflate \ > >> >--enable-expires \ > >> >--enable-headers > >> > > >> >ModSecurity 2.6.2 is installed with the following configure: > >> > > >> >./configure \ > >> >--with-apxs=/usr/local/apache/bin/apxs \ > >> >--with-apr=/usr/local/apache/bin/apr-1-config > >> > > >> >I've only made minor path changes to the ModSecurity config, and a few > >> >rule rewrites for some false positives in the CRS configuration. > >> > > >> >I'm assuming this is a result of > >> >modsecurity_crs_41_advanced_filters.conf somehow, but I'm not entirely > >> >sure how -- or whether this is necessary, or purely optional (although > >> >it's part of the base_rules). > >> > > >> >Appreciate any help or suggestions that anyone can give. > >> > > >> >Ross. > >> > > >> >_______________________________________________ > >> >Owasp-modsecurity-core-rule-set mailing list > >> >[email protected] > >> > >>>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > >> > > >> > >> > >> This transmission may contain information that is privileged, > >>confidential, and/or exempt from disclosure under applicable law. If you > >>are not the intended recipient, you are hereby notified that any > >>disclosure, copying, distribution, or use of the information contained > >>herein (including any reliance thereon) is STRICTLY PROHIBITED. If you > >>received this transmission in error, please immediately contact the > >>sender and destroy the material in its entirety, whether in electronic > >>or hard copy format. > >> > > > > > > > > > This transmission may contain information that is privileged, confidential, > and/or exempt from disclosure under applicable law. If you are not the > intended recipient, you are hereby notified that any disclosure, copying, > distribution, or use of the information contained herein (including any > reliance thereon) is STRICTLY PROHIBITED. If you received this transmission > in error, please immediately contact the sender and destroy the material in > its entirety, whether in electronic or hard copy format. > _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
