Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

modsecurity_crs_21_protocol_anomalies.conf line 106 errors out #19

twforeman opened this Issue Mar 6, 2013 · 1 comment


None yet
2 participants

Line 106-107:

SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

When I try to start apache I get:

ModSecurity: Disruptive actions cannot be specified in the logging phase.

Unfortunately removing the block action doesn't work either. I'm pretty new to mod_security, I'm not sure what else is disruptive in that line.

Additionally the comment above this line states that mod_unique_id needs to be patched for this to work, but the gmane post is from 2009. Does this still need patching?


rcbarnett commented Mar 6, 2013

I just updated the rule and changed the block action to pass.

As for mod_unique_id - yes, I believe this is still the case. Unless mod_unique_id is able to generate an id for the transaction, ModSecurity does not see it.

@rcbarnett rcbarnett closed this Mar 6, 2013

fabiocicerchia pushed a commit to fabiocicerchia/OWASP-CRS that referenced this issue Nov 6, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment