chaining rules not working in modsecurity 3.0 #1877

Closed
cyberblackhole opened this issue Aug 22, 2018 · 9 comments

@cyberblackhole

cyberblackhole commented Aug 22, 2018

Recently I configured mod-security v3/master, and below is my sample.com.conf file.

LoadModule security3_module /home/goron/spiderlabs/ModSecurity-apache/src/.libs/mod_security3.so
        <IfModule security3_module>
                modsecurity_rules 'SecRuleEngine On'
                modsecurity_rules 'SecRequestBodyAccess On'
                modsecurity_rules 'SecResponseBodyAccess On'
                modsecurity_rules_file "/etc/apache2/modsecurity.d/include.conf"
                modsecurity_rules 'SecAuditLogFormat JSON'
        </IfModule>
modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "phase:1,id:1301,deny,chain"'       
        modsecurity_rules 'SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0" "phase:1"'

The chain rule above is not working.
Let me know what is wrong in it.

@victorhora victorhora self-assigned this Aug 22, 2018
@victorhora victorhora added Platform - Apache 3.x Related to ModSecurity version 3.x RIP - Type - Usage Related with usage (not a bug) labels Aug 22, 2018
@victorhora
Contributor

@Goron1606, can you try placing all directives inside the same directive to see if it makes any difference?

Also, try placing chained rules inside the same configuration file (e.g. include.conf) and then loading it with the modsecurity_rules_file directive.

@cyberblackhole
Author

cyberblackhole commented Aug 23, 2018

@victorhora thank you. Placing them in the same directive works with 2.x syntax. But is there any explanation for why the above syntax doesn't work?

@cyberblackhole
Author

How do I write chain rules as below in the example.conf file itself?

<VirtualHost *:80>
.
.
<IfModule security3_module>
.
.

modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "id:1301,deny,chain"'
                  modsecurity_rules 'SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0"'
.
.
</IfModule>
.
.
</VirtualHost>

This gives the error below.

Rules must have an ID.

The same rule works if I place them in a separate directive using 2.x syntax.

SecRule REQUEST_URI "/admin.htm" "id:1301,deny,chain"
SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0"

Let me know what to do.

@void-in

void-in commented Aug 30, 2018

Try

modsecurity_rules '
SecRule REQUEST_URI "/admin.htm" "id:1301,deny,chain"
    SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0"
'

@cyberblackhole
Author

@void-in I get a syntax error for your variation.

modsecurity_rules takes one argument, Please ensure that the arugment is specified correctly, including line continuations.

If I modify it slightly, as below:

modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "id:1301,deny,chain"
    SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0"'

Error:
Invalid command 'SecRule', perhaps misspelled or defined by a module not included in the server configuration

@void-in

void-in commented Aug 30, 2018

I just tried the following (note the trailing semicolon) and nginx is not complaining:

modsecurity_rules '
SecRule REQUEST_URI "/admin.htm" "id:1301,deny,chain"
    SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0"
';
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with LibreSSL 2.7.4
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-pcre --with-file-aio --with-threads --with-compat --with-http_v2_module --add-dynamic-module=/opt/modsec-git/ModSecurity-nginx/

@cyberblackhole
Author

cyberblackhole commented Aug 30, 2018

@void-in I still face the same errors.

I am using

  • Apache/2.4.29 (Ubuntu)
  • ModSecurity-Apache v0.1.1-beta
  • modsecurity v3.0.2

@victorhora victorhora added this to the v3.0.3 milestone Sep 12, 2018
@victorhora
Contributor

@Goron1606

I believe there's something wrong with your syntax.

If I write your rule using the correct syntax for the modsecurity_rules directive in libModSecurity:

modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "phase:1,id:1301,deny,chain"
SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0" "phase:1"';

This loads fine on the latest version of libModSecurity.

See https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/README.md, section modsecurity_rules for a syntax reference.

If you still face issues with the rule above, it might be something specifically related to Apache. If so, please file an issue at https://github.com/SpiderLabs/ModSecurity-apache.

Thanks.

@cyberblackhole
Author

@victorhora, I have tried this earlier. Again I am facing the same syntax error messages. I have raised an issue here. Thanks.
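
Added example (not part of the thread and not the project's own code): a small Python lint that flags the failure discussed above, a chain whose starter and chained rule sit in different `modsecurity_rules` arguments. It assumes, from the "Rules must have an ID" error reported here, that each `modsecurity_rules` argument is loaded as its own rule set; `lint_chains` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the split-directive form from the issue (ids 1301),
# then the same chain kept inside one multi-line argument (id 1302).
SAMPLE_CONF = r'''
<IfModule security3_module>
    modsecurity_rules 'SecRuleEngine On'
    modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "phase:1,id:1301,deny,chain"'
    modsecurity_rules 'SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0" "phase:1"'
    modsecurity_rules 'SecRule REQUEST_URI "/admin.htm" "phase:1,id:1302,deny,chain"
        SecRule &REQUEST_COOKIES_NAMES:admin "@eq 0" "phase:1"'
</IfModule>
'''

# One modsecurity_rules directive and its single-quoted (possibly multi-line) argument.
DIRECTIVE = re.compile(r"^[ \t]*modsecurity_rules[ \t]+'([^']*)'", re.M)
# SecRule VARIABLES "OPERATOR" ["ACTIONS"]; the action list is optional on chained rules.
SECRULE = re.compile(
    r'\bSecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"(?:[ \t]+"((?:[^"\\]|\\.)*)")?')


def lint_chains(conf_text):
    """Return (line_no, message) findings for chains split across directives."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        line_no = conf_text.count("\n", 0, m.start(1)) + 1
        in_chain = False  # True while the previous rule in this argument had "chain"
        for rule in SECRULE.finditer(m.group(1)):
            actions = [a.strip() for a in (rule.group(3) or "").split(",")]
            has_id = any(a.startswith("id:") for a in actions)
            if not in_chain and not has_id:
                findings.append((line_no,
                    "rule has no id and does not follow a chain starter "
                    "in the same argument"))
            in_chain = "chain" in actions
        if in_chain:
            findings.append((line_no,
                "chain starter has no chained rule in the same argument"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_chains(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

In the thread, the plain two-line `SecRule` form (2.x syntax) is the one the reporter confirmed working on Apache, so that is the form to move a flagged chain into.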
