Syntax Error line 30: OWASP3/rules/REQUEST-910-IP-REPUTATION.conf #1337
Comments
almost for sure you are including the rules twice. Did you add another config file recently? |
We haven't. Instead we have subscribed to the Modsecurty Vendor in WHM Cpanel, which updates daily basis. Cpanel responded with an irrelevant suguestion and kicked me over to here. I'm still pusing them for further information though. The last update was today at 05:40AM local time. (which was Wednesday 6:40PM UTC) I did a search for the id 910000 ad founnd it both OWASP3/rules/REQUEST-910-IP-REPUTATION.conf and OWASP3/rules/REQUEST-910-IP-REPUTATION.conf.BAD. We do not manually edit these files, until this syntax error popped up late last night (local time) |
do you have access to where these files are included from? typically what this means is that a file has been included twice that duplicates the rules (and thereby IDs) |
They are being included from https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS I am not sure whee these rules are being pulled from. I have permtted cpanel access to the server, so let's see what they come back with. I can't find the cron job that might be running the updates |
yes, this is all very strange. Let me attempt to help in the mean time. Typically if it's apache they'll be included from undreneath the http.conf, now this gets tricky cause they could be anywhere under that file (this means that this duplicate could be anywhere). This is generally how this occurs, but it sounds like it was not done via something you manually configured. |
I think someone has made a mess of the repository... or a parser on the server is a mess, though give the timestamp is the same, I doubt it.
|
that looks fine -- considering that they are likely doing something like include rules/*.conf (also congrats on being ticket 1337) |
it seems not related to a bug, moreover not related to CRS itself. Closing this for now. Feel free to reopen if you need. |
Type of Issue
Possible Bug
Description
Last night (around 11:00AM UTC) we recived an alert from out monitoring that apache had stopped responding. Even though our Level 1 support restarted the server, it still didn't come back. After I logged in I noted the error message of:
These are on two different lines.
The rule is interesting in that it been put onto as single lines, unlike what;'s provided here..
The hash was added myself, in order to get Apache to restart again.
There are two files, REQUEST-910-IP-REPUTATION.conf and REQUEST-910-IP-REPUTATION.conf.BAD, not sure which one should be deleted (and renamed).
Your Environment
I'm not totally familar with Modsecurity rules syntax. Happy to provide the relevant file if required.
Confirmation
[X ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
The text was updated successfully, but these errors were encountered: