Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

modsecurity_crs_21_protocol_anomalies.conf line 106 errors out #19

Closed
twforeman opened this Issue · 1 comment

2 participants

@twforeman

Line 106-107:

SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

When I try to start apache I get:

ModSecurity: Disruptive actions cannot be specified in the logging phase.

Unfortunately removing the block action doesn't work either. I'm pretty new to mod_security, I'm not sure what else is disruptive in that line.

Additionally the comment above this line states that mod_unique_id needs to be patched for this to work, but the gmane post is from 2009. Does this still need patching?

@rcbarnett
Owner

I just updated the rule and changed the block action to pass.
9604ac1

As for mod_unique_id - yes, I believe this is still the case. Unless mod_unique_id is able to generate an id for the transaction, ModSecurity does not see it.

@rcbarnett rcbarnett closed this
@fabiocicerchia fabiocicerchia referenced this issue from a commit in fabiocicerchia/OWASP-CRS
Ryan Barnett Changes block action to pass 9604ac1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.