-1

I was trying to secure my server (apache 2.4.6 on centos 7) with mod_security and OWASP, but after following the instructions and installing OWASP, httpd fails to start with following error message:

Apr 16 02:59:24 systemd[1]: Starting The Apache HTTP Server... Apr 16 02:59:24 httpd[8289]: AH00526: Syntax error on line 56 of /etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf: Apr 16 02:59:24 httpd[8289]: Error creating rule: Failed to resolve operator: detectXSS Apr 16 02:59:24 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE Apr 16 02:59:24 kill[8291]: kill: cannot find process "" Apr 16 02:59:24 systemd[1]: httpd.service: control process exited, code=exited status=1 Apr 16 02:59:24 systemd[1]: Failed to start The Apache HTTP Server.

I know there's a similar problem with older mod_secure versions, however, mine is up to date (2.7.3)

Anyone has any idea how to deal with this?

aladar42
  • 1
  • 2

1 Answers1

0

Your ModSecurity (2.7.3) is not up to date. The latest version is 2.9.1: http://modsecurity.org/download.html

The detectXSS syntax was only added in 2.8 https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#detectXSS

I would guess you've used yum package manager to install ModSecurity and despite a "yum update" it's still not updated past 2.7.3? That's a common issue with enterprise package managers which prioritise stability over latest versions.

To install latest version you either need to use a different repository to the official one or download and install ModSecurity from source using commands like below (this assumes your apache is in /usr/local/apache2 but change that location as appropriate):

wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz.sha256
sha256sum -c modsecurity-2.9.2.tar.gz.sha256
cd modsecurity-2.9.2
./configure --with-apxs=/usr/local/apache2/bin/apxs
make
sudo make install
cp /usr/local/modsecurity/lib/mod_security2.so /usr/local/apache2/modules
Barry Pollard
  • 4,461
  • 14
  • 26