Skip to content


Subversion checkout URL

You can clone with
Download ZIP


modsecurity_crs_21_protocol_anomalies.conf line 106 errors out #19

twforeman opened this Issue · 1 comment

2 participants


Line 106-107:

SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

When I try to start apache I get:

ModSecurity: Disruptive actions cannot be specified in the logging phase.

Unfortunately removing the block action doesn't work either. I'm pretty new to mod_security, I'm not sure what else is disruptive in that line.

Additionally the comment above this line states that mod_unique_id needs to be patched for this to work, but the gmane post is from 2009. Does this still need patching?


I just updated the rule and changed the block action to pass.

As for mod_unique_id - yes, I believe this is still the case. Unless mod_unique_id is able to generate an id for the transaction, ModSecurity does not see it.

@rcbarnett rcbarnett closed this
@fabiocicerchia fabiocicerchia referenced this issue from a commit in fabiocicerchia/OWASP-CRS
Ryan Barnett Changes block action to pass 9604ac1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.