This repository has been archived by the owner on May 14, 2020. It is now read-only.

Syntax Error line 30: OWASP3/rules/REQUEST-910-IP-REPUTATION.conf #1337

Closed
georgepatterson opened this issue Apr 4, 2019 · 8 comments

Comments

@georgepatterson

Type of Issue

Possible Bug

Description

Last night (around 11:00AM UTC) we received an alert from our monitoring that apache had stopped responding. Even though our Level 1 support restarted the server, it still didn't come back. After I logged in I noted the error message of:

AH00526: Syntax error on line 30 of /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-910-IP-REPUTATION.conf:
ModSecurity: Found another rule with the same id

These are on two different lines.

The rule is interesting in that it has been put onto single lines, unlike what's provided here.

#SecRule TX:DO_REPUT_BLOCK "@eq 1" "msg:'Request from Known Malicious Client (Based on previous traffic violations).', logdata:'Previous Block Reason: %{ip.reput_block_reason}', severity:'CRITICAL', id:910000, phase:request, block, t:none, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-ip', tag:'IP_REPUTATION/MALICIOUS_CLIENT', setvar:'tx.msg=%{rule.msg}', skipAfter:BEGIN_REQUEST_BLOCKING_EVAL, chain"
#SecRule IP:REPUT_BLOCK_FLAG "@eq 1" "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"

The hash was added by me, in order to get Apache to restart again.

There are two files, REQUEST-910-IP-REPUTATION.conf and REQUEST-910-IP-REPUTATION.conf.BAD, not sure which one should be deleted (and renamed).

Your Environment

  • CRS version (e.g. v3.0.2): 3.0.2
  • ModSecurity version (e.g. 2.9.2): 2.9.2
  • Web Server and version (e.g. apache 2.4.27): Apache 2.4.38
  • Operating System and version: Centos7 (7.6.1810)

I'm not totally familiar with ModSecurity rules syntax. Happy to provide the relevant file if required.

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@csanders-git
Contributor

Almost for sure you are including the rules twice. Did you add another config file recently?

@georgepatterson
Author

We haven't. Instead we have subscribed to the ModSecurity Vendor in WHM cPanel, which updates on a daily basis. cPanel responded with an irrelevant suggestion and kicked me over to here. I'm still pushing them for further information though.

The last update was today at 05:40AM local time. (which was Wednesday 6:40PM UTC)

I did a search for the id 910000 and found it in both OWASP3/rules/REQUEST-910-IP-REPUTATION.conf and OWASP3/rules/REQUEST-910-IP-REPUTATION.conf.BAD.

We did not manually edit these files until this syntax error popped up late last night (local time).

@csanders-git
Contributor

Do you have access to where these files are included from? Typically what this means is that a file has been included twice, which duplicates the rules (and thereby the IDs).

@georgepatterson
Author

They are being included from https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS

I am not sure where these rules are being pulled from. I have permitted cPanel access to the server, so let's see what they come back with. I can't find the cron job that might be running the updates.

@csanders-git
Contributor

Yes, this is all very strange. Let me attempt to help in the meantime.

Typically if it's apache they'll be included from underneath the http.conf; now this gets tricky cause they could be anywhere under that file (this means that this duplicate could be anywhere). This is generally how this occurs, but it sounds like it was not done via something you manually configured.

@georgepatterson
Author

georgepatterson commented Apr 4, 2019

I think someone has made a mess of the repository... or a parser on the server is a mess, though given the timestamp is the same, I doubt it.

[root@server rules]# pwd
/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules
[root@server rules]# ls -l
total 824
-rw-rw-rw-. 1 root root 659 Apr 4 05:41 crawlers-user-agents.data
-rw-rw-rw-. 1 root root 551 Apr 4 05:41 iis-errors.data
-rw-rw-rw-. 1 root root 264 Apr 4 05:41 java-code-leakages.data
-rw-rw-rw-. 1 root root 240 Apr 4 05:41 java-errors.data
-rw-rw-rw-. 1 root root 30167 Apr 4 05:41 lfi-os-files.data
-rw-rw-rw-. 1 root root 5409 Apr 4 05:41 php-config-directives.data
-rw-rw-rw-. 1 root root 9144 Apr 4 05:41 php-errors.data
-rw-rw-rw-. 1 root root 589 Apr 4 05:41 php-function-names-933150.data
-rw-rw-rw-. 1 root root 21376 Apr 4 05:41 php-function-names-933151.data
-rw-rw-rw-. 1 root root 224 Apr 4 05:41 php-variables.data
-rw-r--r--. 1 root root 9389 Apr 4 05:41 REQUEST-901-INITIALIZATION.conf
-rw-rw-rw-. 1 root root 10036 Apr 4 05:41 REQUEST-901-INITIALIZATION.conf.BAD
-rw-r--r--. 1 root root 1289 Apr 4 05:41 REQUEST-905-COMMON-EXCEPTIONS.conf
-rw-rw-rw-. 1 root root 1399 Apr 4 05:41 REQUEST-905-COMMON-EXCEPTIONS.conf.BAD
-rw-r--r--. 1 root root 9188 Apr 4 05:41 REQUEST-910-IP-REPUTATION.conf
-rw-rw-rw-. 1 root root 10155 Apr 4 05:41 REQUEST-910-IP-REPUTATION.conf.BAD
-rw-rw-rw-. 1 root root 2679 Apr 4 05:41 REQUEST-911-METHOD-ENFORCEMENT.conf.BAD
-rw-r--r--. 1 root root 8953 Apr 4 05:41 REQUEST-912-DOS-PROTECTION.conf
-rw-rw-rw-. 1 root root 9271 Apr 4 05:41 REQUEST-912-DOS-PROTECTION.conf.BAD
-rw-r--r--. 1 root root 7265 Apr 4 05:41 REQUEST-913-SCANNER-DETECTION.conf
-rw-rw-rw-. 1 root root 7670 Apr 4 05:41 REQUEST-913-SCANNER-DETECTION.conf.BAD
-rw-r--r--. 1 root root 44546 Apr 4 05:41 REQUEST-920-PROTOCOL-ENFORCEMENT.conf
-rw-r--r--. 1 root root 48754 Apr 4 05:41 REQUEST-920-PROTOCOL-ENFORCEMENT.conf.BAD
-rw-r--r--. 1 root root 11797 Apr 4 05:41 REQUEST-921-PROTOCOL-ATTACK.conf
-rw-rw-rw-. 1 root root 12577 Apr 4 05:41 REQUEST-921-PROTOCOL-ATTACK.conf.BAD
-rw-r--r--. 1 root root 6027 Apr 4 05:41 REQUEST-930-APPLICATION-ATTACK-LFI.conf
-rw-rw-rw-. 1 root root 6374 Apr 4 05:41 REQUEST-930-APPLICATION-ATTACK-LFI.conf.BAD
-rw-r--r--. 1 root root 5488 Apr 4 05:41 REQUEST-931-APPLICATION-ATTACK-RFI.conf
-rw-rw-rw-. 1 root root 5774 Apr 4 05:41 REQUEST-931-APPLICATION-ATTACK-RFI.conf.BAD
-rw-rw-rw-. 1 root root 47303 Apr 4 05:41 REQUEST-932-APPLICATION-ATTACK-RCE.conf.BAD
-rw-r--r--. 1 root root 28056 Apr 4 05:41 REQUEST-933-APPLICATION-ATTACK-PHP.conf
-rw-rw-rw-. 1 root root 31226 Apr 4 05:41 REQUEST-933-APPLICATION-ATTACK-PHP.conf.BAD
-rw-r--r--. 1 root root 39280 Apr 4 05:41 REQUEST-941-APPLICATION-ATTACK-XSS.conf
-rw-rw-rw-. 1 root root 41340 Apr 4 05:41 REQUEST-941-APPLICATION-ATTACK-XSS.conf.BAD
-rw-r--r--. 1 root root 52706 Apr 4 05:41 REQUEST-942-APPLICATION-ATTACK-SQLI.conf
-rw-r--r--. 1 root root 57097 Apr 4 05:41 REQUEST-942-APPLICATION-ATTACK-SQLI.conf.BAD
-rw-r--r--. 1 root root 5205 Apr 4 05:41 REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
-rw-rw-rw-. 1 root root 5459 Apr 4 05:41 REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf.BAD
-rw-r--r--. 1 root root 3071 Apr 4 05:41 REQUEST-949-BLOCKING-EVALUATION.conf
-rw-rw-rw-. 1 root root 3190 Apr 4 05:41 REQUEST-949-BLOCKING-EVALUATION.conf.BAD
-rw-r--r--. 1 root root 3703 Apr 4 05:41 RESPONSE-950-DATA-LEAKAGES.conf
-rw-rw-rw-. 1 root root 3812 Apr 4 05:41 RESPONSE-950-DATA-LEAKAGES.conf.BAD
-rw-r--r--. 1 root root 17389 Apr 4 05:41 RESPONSE-951-DATA-LEAKAGES-SQL.conf
-rw-rw-rw-. 1 root root 19941 Apr 4 05:41 RESPONSE-951-DATA-LEAKAGES-SQL.conf.BAD
-rw-r--r--. 1 root root 3487 Apr 4 05:41 RESPONSE-952-DATA-LEAKAGES-JAVA.conf
-rw-rw-rw-. 1 root root 3792 Apr 4 05:41 RESPONSE-952-DATA-LEAKAGES-JAVA.conf.BAD
-rw-r--r--. 1 root root 4901 Apr 4 05:41 RESPONSE-953-DATA-LEAKAGES-PHP.conf
-rw-rw-rw-. 1 root root 5154 Apr 4 05:41 RESPONSE-953-DATA-LEAKAGES-PHP.conf.BAD
-rw-r--r--. 1 root root 5653 Apr 4 05:41 RESPONSE-954-DATA-LEAKAGES-IIS.conf
-rw-rw-rw-. 1 root root 5994 Apr 4 05:41 RESPONSE-954-DATA-LEAKAGES-IIS.conf.BAD
-rw-r--r--. 1 root root 2822 Apr 4 05:41 RESPONSE-959-BLOCKING-EVALUATION.conf
-rw-rw-rw-. 1 root root 2843 Apr 4 05:41 RESPONSE-959-BLOCKING-EVALUATION.conf.BAD
-rw-r--r--. 1 root root 4286 Apr 4 05:41 RESPONSE-980-CORRELATION.conf
-rw-rw-rw-. 1 root root 4410 Apr 4 05:41 RESPONSE-980-CORRELATION.conf.BAD
-rw-rw-rw-. 1 root root 713 Apr 4 05:41 restricted-files.data
-rw-rw-rw-. 1 root root 216 Apr 4 05:41 scanners-headers.data
-rw-rw-rw-. 1 root root 418 Apr 4 05:41 scanners-urls.data
-rw-rw-rw-. 1 root root 4075 Apr 4 05:41 scanners-user-agents.data
-rw-rw-rw-. 1 root root 717 Apr 4 05:41 scripting-user-agents.data
-rw-rw-rw-. 1 root root 1894 Apr 4 05:41 sql-errors.data
-rw-rw-rw-. 1 root root 1981 Apr 4 05:41 sql-function-names.data
-rw-rw-rw-. 1 root root 943 Apr 4 05:41 unix-shell.data
-rw-rw-rw-. 1 root root 3920 Apr 4 05:41 windows-powershell-commands.data

@csanders-git
Contributor

That looks fine, considering that they are likely doing something like include rules/*.conf (also congrats on being ticket 1337).
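As an added example (not part of this thread, and not cPanel's or the CRS project's code), the following Python script performs the check csanders-git describes: it follows Apache Include and IncludeOptional directives from httpd.conf the way httpd does, expanding globs, and reports every SecRule/SecAction id that ends up loaded more than once, with the file and line of each copy. It runs against a constructed sample tree it creates in a temp directory; the file names, the conf.d layout and the stand-in rule bodies are assumptions chosen to mirror the rules/*.conf include mentioned above. The sample also shows that a .conf.BAD sibling is not matched by that glob, whereas a second by-name Include of the same file (the hypothetical modsec_old.conf) is what produces the "same id" error.

```python
import glob
import os
import re
import tempfile
from collections import defaultdict

# Apache Include / IncludeOptional; the argument may be quoted and may be a glob.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)
# A rule directive at the start of a logical line; a leading '#' (commented-out rule) does not match.
DIRECTIVE_RE = re.compile(r'^\s*Sec(?:Rule|Action)\b', re.IGNORECASE)
# The id:NNN action inside the action string, with or without quotes around the number.
ID_RE = re.compile(r"\bid:\s*'?(\d+)'?", re.IGNORECASE)


def logical_lines(path):
    """Yield (first_physical_line_no, text) with backslash continuations joined,
    so a multi-line SecRule is seen as one directive, as httpd sees it."""
    buf, start = [], None
    with open(path, encoding='utf-8', errors='replace') as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip('\n')
            if start is None:
                start = n
            if line.endswith('\\'):
                buf.append(line[:-1])
                continue
            buf.append(line)
            yield start, ' '.join(buf)
            buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, ' '.join(buf)


def resolve_includes(root_conf, server_root):
    """Files Apache would read, in order, following Include globs. A file reached
    twice is listed twice; that duplication is what we want to surface.
    Simplification: <IfModule>/<IfDefine> conditions are ignored, every Include is followed."""
    order = []

    def walk(path, stack):
        if path in stack:  # self-inclusion loop; httpd would refuse this anyway
            return
        order.append(path)
        for _, text in logical_lines(path):
            m = INCLUDE_RE.match(text)
            if not m:
                continue
            pattern = m.group(1)
            if not os.path.isabs(pattern):  # relative paths are resolved against ServerRoot
                pattern = os.path.join(server_root, pattern)
            for child in sorted(glob.glob(pattern)):
                if os.path.isfile(child):
                    walk(child, stack + [path])

    walk(root_conf, [])
    return order


def find_duplicate_ids(root_conf, server_root):
    """Map rule id -> [(file, line), ...] for every id loaded more than once."""
    seen = defaultdict(list)
    for path in resolve_includes(root_conf, server_root):
        for line_no, text in logical_lines(path):
            if not DIRECTIVE_RE.match(text):
                continue
            m = ID_RE.search(text)
            if m:  # chained follow-up rules carry no id and are skipped here
                seen[m.group(1)].append((path, line_no))
    return {rid: locs for rid, locs in seen.items() if len(locs) > 1}


# Constructed stand-in for a vendor rule file: CRS-style ids, not the real CRS logic.
RULE_910 = '''# stand-in rule file (constructed sample)
SecRule TX:DO_REPUT_BLOCK "@eq 1" \\
    "id:910000,phase:request,block,msg:'Request from Known Malicious Client',chain"
    SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \\
        "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
SecAction "id:910100,phase:1,pass,nolog"
'''


def build_demo_tree():
    """Constructed layout in a temp dir: httpd.conf -> conf.d/*.conf -> vendor rules.
    conf.d/modsec.conf globs rules/*.conf; conf.d/modsec_old.conf (hypothetical leftover)
    includes the 910 file again by name. Returns (path to httpd.conf, ServerRoot)."""
    root = tempfile.mkdtemp(prefix='crs-demo-')
    rules = 'modsec_vendor_configs/OWASP3/rules'
    os.makedirs(os.path.join(root, 'conf.d'))
    os.makedirs(os.path.join(root, rules))
    files = {
        'httpd.conf': 'ServerName demo.invalid\nInclude conf.d/*.conf\n',
        'conf.d/modsec.conf': f'IncludeOptional {rules}/*.conf\n',
        'conf.d/modsec_old.conf': f'Include {rules}/REQUEST-910-IP-REPUTATION.conf\n',
        f'{rules}/REQUEST-910-IP-REPUTATION.conf': RULE_910,
        f'{rules}/REQUEST-910-IP-REPUTATION.conf.BAD': RULE_910,  # never matched by *.conf
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return os.path.join(root, 'httpd.conf'), root


def demo():
    """Run the check on the constructed tree and return the duplicate map."""
    root_conf, server_root = build_demo_tree()
    return find_duplicate_ids(root_conf, server_root)


if __name__ == '__main__':
    for rid, locs in sorted(demo().items()):
        print(f'id {rid} loaded {len(locs)} times:')
        for path, line in locs:
            print(f'    {path}:{line}')
```

On a real host, call find_duplicate_ids with the path of the main httpd.conf and the ServerRoot directory; because a whole file included twice duplicates every id in it, the report will list all of that file's ids, which is the quickest way to tell a double Include apart from a single rule that was genuinely copied into two files.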

@theMiddleBlue
Contributor

It seems not related to a bug, moreover not related to CRS itself. Closing this for now. Feel free to reopen if you need.
