Thanks, Ramy.
Now I'm past that, and onto the next syntax error:
$ sudo service apache2 restart
[Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded,
skipping
[Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded,
skipping
[Wed Mar 19 09:37:10 2014] [warn] module jrun_module is already loaded,
skipping
Syntax error on line 52 of
/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf:
Error parsing actions: Unknown action: ver
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
Line 52 is the last of this block:
SecRule REQUEST_LINE
"!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect
(?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get
/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
"msg:'Invalid HTTP Request Line',\
severity:'4',\
id:'960911',\
ver:'OWASP_CRS/2.2.9',\
rev:'2',\
maturity:'9',\
accuracy:'9',\
logdata:'%{request_line}',\
phase:1,\
block,\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
tag:'CAPEC-272',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id
}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
On Wed, Mar 19, 2014 at 9:31 AM, Ramy Darwish <[email protected]>wrote:
> Woops, that's actually a new contribution by me. My bad.
> I guess a newbie like me needs more supervision on Pull requests =S
>
> The problem is actually on line 49, which specifies a "chain" where it
> should not.
> On line 49, replace:
>
> SecRule TX:1 ".*"
> "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>
> with:
>
> SecRule TX:1 ".*"
> "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
>
> Issuing a pull request right now.
>
> So sorry, everyone.
>
> Ramy Darwish
>
>
>
> On 19/03/2014 13:58, Jamie Jackson wrote:
>
> Hi Folks,
>
> [Server version: Apache/2.2.22 (Ubuntu)]
>
> I'm following along with this guide (
> http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server),
> and I got to the apache restart command just before section 5.
>
> However, I'm getting a rule error:
>
> $ sudo service apache2 restart
> [sudo] password for jamie:
> Syntax error on line 51 of
> /etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf:
> ModSecurity: Disruptive actions can only be specified by chain starter
> rules.
> Action 'configtest' failed.
> The Apache error log may have more information.
> ...fail!
>
> The line referenced is the last line of the file (the second of the
> following):
>
> SecRule &SESSION:SESSIONID "@eq 1"
> "chain,phase:5,id:'981064',nolog,pass,t:none"
> SecRule REQUEST_HEADERS:User-Agent ".*"
> "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
>
> I have zero experience with ModSecurity yet, so I can't troubleshoot.
>
> Please help me get past this.
>
> Thanks,
> Jamie
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing
> [email protected]https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
