David,

Thanks for writing in. I am X-posting this to modsec-dev as well.

Yours is a very strange problem indeed. I am running the 3.0rc1
ruleset in production and have been running dozens of tests without
any issue.

Here is the minimal configuration, which triggered the bug in my
environment (Ubuntu 14.04, apache 2.4.7, modsec 2.9.1)

ServerName              localhost
ServerAdmin             root@localhost
ServerRoot              /opt/apache-2.4.18
User                    www-data
Group                   www-data
PidFile                 logs/httpd.pid

ServerTokens            Prod
UseCanonicalName        On
TraceEnable             Off

Timeout                 300
MaxClients              100

KeepAlive               On
KeepAliveTimeout        100ms

Listen                  127.0.0.1:80

LoadModule              mpm_prefork_module      modules/mod_mpm_prefork.so
LoadModule              unixd_module            modules/mod_unixd.so
LoadModule              authz_host_module       modules/mod_authz_host.so
LoadModule              log_config_module       modules/mod_log_config.so
LoadModule              logio_module            modules/mod_logio.so

LoadModule              headers_module          modules/mod_headers.so
LoadModule              unique_id_module        modules/mod_unique_id.so
LoadModule              security2_module        modules/mod_security2.so

LoadModule              mime_module             modules/mod_mime.so
LoadModule              status_module           modules/mod_status.so

LoadModule              lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

LogLevel                        debug core:notice

ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"


ErrorLog                logs/error.log

DocumentRoot            /apache/htdocs

# === Start ModSec Configuration

SecRuleEngine                 On

SecRequestBodyAccess          On
SecRequestBodyLimit           10000000
SecRequestBodyNoFilesLimit    64000

SecResponseBodyAccess         On
SecResponseBodyLimit          10000000

SecTmpDir                     /tmp/
SecDataDir                    /tmp/
SecUploadDir                  /tmp/

SecDebugLog                   /apache/logs/modsec_debug.log
SecDebugLogLevel              9

SecAuditEngine                RelevantOnly
SecAuditLogRelevantStatus     "^(?:5|4(?!04))"
SecAuditLogParts              ABEFHIJZ

SecAuditLogType               Concurrent
SecAuditLog                   /apache/logs/modsec_audit.log
SecAuditLogStorageDir         /apache/logs/audit/

SecPcreMatchLimit             500000
SecPcreMatchLimitRecursion    500000

SecDefaultAction              "phase:2,pass,log"


SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
        "phase:response,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'9',\
        t:none,\
        block,\
        id:'950110'"


<Directory />
        Options SymLinksIfOwnerMatch
        AllowOverride None
</Directory>

<VirtualHost *:80>
        ServerName localhost

        <Directory /apache/htdocs>

        </Directory>

</VirtualHost>


$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
AH00526: Syntax error on line 82 of 
/opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
Error parsing actions: Unknown action: \\

I tried this with 2.4.7 as well.

If I take a single character out of the regex or out of the version
string (OWASP_CRS...), then the bug disappears.

If I add a space in front of the backslash: bug disappears.

Given the config above, I am quite sure there is a bug hidden somewhere.
Maybe I am overlooking something and somebody can point me to an
error. If that is not the case, then I think it is a bug.

David: I suggest you open a bug report. Please open it against
ModSecurity and not against the Core Rules.

Ahoj,

Christian





On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> Good evening,
> 
> I originally posted this at
> http://stackoverflow.com/questions/37369990/modsecurity-error-parsing-actions-unknown-action
> and it was suggested to send to this listserv as well.
> 
> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> 2.4.7 on an Ubuntu 14.04 machine.
> 
> I'm using all the rules in the /rules directory, and when trying to start
> Apache I receive the following error. (Note: There is no entry in the
> Apache error.log file for this.)
> 
> AH00526: Syntax error on line 35 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> Error parsing actions: Unknown action: \\
> Action 'configtest' failed.
> 
> In my troubleshooting of the RESPONSE-50-DATA-LEAKAGES-PHP.conf
> file, I combined line 35 with 34
> 
> capture,ctl:auditLogParts=+E,\
> 
> just to see if the line error would change (and make sure I was indeed
> troubleshooting the correct file) and suddenly this error is gone, and
> is replaced with another.
> 
> AH00526: Syntax error on line 31 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> Error parsing actions: Unknown action: \\
> 
> which again is solved by combining with the line above it.
> 
> accuracy:'9',t:none,\
> 
> 
> Now it starts correctly with no error.  Needless to say I'm pretty
> confused about this error, and more confused about the "fix" since I
> don't understand why removing a single line continuation would matter.
> 
> Any thoughts on this?  Or any suggestions to increase debug\troubleshooting?
> 
> Thanks,
> David Angel

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-- 
mailto:[email protected]
http://www.christian-folini.ch
twitter: @ChrFolini
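
The workaround reported in the message above (a space in front of the continuation backslash) can be checked for and applied across rule files mechanically. The script below is an added example, not part of the original message or of ModSecurity or the Core Rules; the sample rule is a constructed, shortened variant of the rule quoted above, and skipping lines that end in a doubled backslash is an assumption made to stay conservative. It applies the observed workaround only and does not address the underlying parser behaviour.

```python
import re
import sys

# A continuation backslash glued to the preceding token, e.g. `t:none,\`.
# Lines ending in a doubled backslash are skipped (assumption: conservative).
TIGHT = re.compile(r"(?<=[^\s\\])\\(?=\r?$)", re.MULTILINE)

# Constructed sample: shortened variant of the rule in the message.
SAMPLE = r"""SecRule RESPONSE_BODY "Index of" \
        "phase:response,\
        t:none,\
        block,\
        id:'950110'"
"""


def find_tight_continuations(text):
    """Return (line_number, line) for each continuation lacking a space."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if TIGHT.search(line)]


def pad_continuations(text):
    """Insert one space before each tight continuation backslash.

    Line endings and all other bytes are left untouched.
    """
    return TIGHT.sub(r" \\", text)


def main(paths):
    """Report tight continuations in the given files (or in SAMPLE)."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in paths] or [("<sample>", SAMPLE)]
    hits = 0
    for name, text in sources:
        for n, line in find_tight_continuations(text):
            hits += 1
            print(f"{name}:{n}: no space before continuation: {line.strip()}")
    return hits


if __name__ == "__main__":
    # Exit status 1 when any file would need padding, 0 otherwise.
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it over the rule files before `configtest`; `pad_continuations` can be used to write a padded copy for comparison.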