1

I am trying to install / configure mod-sec using this tutorial, which uses the OWASP ModSecurity Core Rule Set. However, when I go to restart Apache, I get the following error:

```
Syntax error on line 53 of /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf:
Error parsing actions: Unknown action: ver
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
```

This is the block of code it is having trouble with (specifically `ver:'OWASP_CRS/2.2.9',\`):

```
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
  "msg:'Invalid HTTP Request Line',\
  severity:'4',\
  id:'960911',\
  ver:'OWASP_CRS/2.2.9',\
  rev:'2',\
  maturity:'9',\
  accuracy:'9',\
  logdata:'%{request_line}',\
  phase:1,\
  block,\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
```

I have installed modsec Version: 2.6.3-1ubuntu0.2, so I believe it should work with the OWASP ModSecurity Core Rule Set.

Any ideas on how to get it working? Thanks in advance!

MadHatter
Bob Flemming

2 Answers

3

Googling your error message, I found this:

...

Now apache fails to start:

```
Sep 30 15:30:14 mydomain httpd[2377]: Syntax error on line 52 of /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf:
Sep 30 15:30:14 mydomain httpd[2377]: Error parsing actions: Unknown action: ver
```

and the response is

This is my bad... CRS v2.2.6 uses some new actions from ModSecurity v2.7.0 -

  • ver
  • maturity
  • accuracy

It looks like the CRS that you are using is too new for the version of mod_security that you have installed. You will need to update to a later version of mod_security or find an older version of the CRS.

user9517
  • Thanks for your reply... That's really strange because I'm using CRS v2.2.5, which should be compatible with my version of mod_sec. Do you know how I can upgrade my version of mod_sec on Ubuntu 21.04? Using the `apt-get install libapache2-mod-security` command doesn't get the latest version. – Bob Flemming Jan 07 '14 at 14:09
  • @BobFlemming: The rule you quote says `OWASP_CRS/2.2.9` and I don't use Ubuntu – user9517 Jan 07 '14 at 14:11
  • Ah, I see. I had some old files still in the /modsecurity/base_rules/ from a previous installation attempt which are coded for version 2.0.7. After deleting these files I have managed to restart Apache, only to see 404 forbidden errors. Gotta love false positives! – Bob Flemming Jan 07 '14 at 14:42
  • @BobFlemming: Ah yes and now the world of pain begins ... – user9517 Jan 07 '14 at 14:52
3

The OWASP rule set has been upgraded to require modsecurity >= 2.7.

There is a downgrade script in the util/rule-management folder that can automatically downgrade rulesets to be 2.6 compatible.

To downgrade your activated rules, just run this command in the rule directory (requires perl):

```
perl <PATH_TO_OWASP_RULESET_TGZ>/SpiderLabs-owasp-modsecurity-crs-ebe8790/util/rule-management/remove-2.7-actions.pl -t 2.6 -f .
```

unicoletti
  • could you explain the `-t 2.6 -f .` part? – cwd Nov 02 '14 at 20:20
  • `-t`: target version, `-f`: file or directory to convert. You can take a look here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl – darko petreski Feb 01 '16 at 14:53
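
Added example (not part of the original thread, and not the CRS project's `remove-2.7-actions.pl`): a Python check that reports which rules use the three actions named in the first answer, so a CRS/ModSecurity version mismatch can be found before `configtest` fails. It assumes those three actions are the only 2.7-only ones in play; `SAMPLE` is constructed from the rule in the question, and all function names are illustrative.

```python
import re

# The three actions the first answer lists as new in ModSecurity 2.7.0.
NEW_IN_2_7 = {"ver", "maturity", "accuracy"}
ACTIONS_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')  # last quoted argument
ACTION = re.compile(r"\s*(\w+)\s*(?::\s*('(?:[^'\\]|\\.)*'|[^,]*))?\s*(?:,|$)")

# Constructed sample: rule 960911 with a shortened regex, plus a made-up rule
# whose msg text contains "ver:" and must not be flagged.
SAMPLE = r'''SecRule REQUEST_LINE "!^(?i:get /[^?#]*)$"\
  "msg:'Invalid HTTP Request Line',\
  id:'960911',\
  ver:'OWASP_CRS/2.2.9',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,block,t:none"
SecRule REQUEST_METHOD "!^(?:GET|HEAD)$" "phase:1,id:'900001',pass,msg:'ver: text only'"
'''

def directives(text):
    """Yield (first_line_no, text) per directive, folding backslash continuations."""
    parts, start = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        start = start if parts else no
        if line.rstrip().endswith("\\"):
            parts.append(line.rstrip()[:-1])
            continue
        yield start, "".join(parts) + line
        parts = []

def parse_actions(directive):
    """Return [(name, value)] from the directive's trailing quoted action list."""
    m = ACTIONS_ARG.search(directive)
    s, pos, out = (m.group(1) if m else ""), 0, []
    while pos < len(s) and (a := ACTION.match(s, pos)):
        out.append((a.group(1).lower(), (a.group(2) or "").strip("'")))
        pos = a.end()
    return out

def incompatible(text):
    """Return [(first_line, rule_id, [actions])] for rules using 2.7-only actions."""
    hits = []
    for line_no, d in directives(text):
        acts = parse_actions(d) if re.match(r"\s*Sec(Rule|Action)\b", d) else []
        bad = sorted({name for name, _ in acts} & NEW_IN_2_7)
        if bad:
            hits.append((line_no, dict(acts).get("id", "?"), bad))
    return hits
```

To audit an installed rule set, call `incompatible()` on the text of each `.conf` file in the rules directory; the reported line number is the first line of the offending directive.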