Please keep compatibility with modsecurity 2.6 #9

Closed
sathieu opened this Issue Nov 13, 2012 · 6 comments


sathieu commented Nov 13, 2012

Hi,

Some new commits use the actions "ver", "maturity" and "accuracy". Those are not available in mod_security 2.6.

Mod_security 2.7 is very new (October 16, 2012) and depending on it will break installations using distribution packages or others.

At least, provide a "2.6" branch to include important fixes like "92c65eba3dc7".

Contributor

rcbarnett commented Dec 19, 2012

Most distribution packagers have upgraded to v2.7.x. What distro repo are you using?

sathieu commented Dec 19, 2012

I use Debian. Debian stable (squeeze) has 2.5.12, and incoming stable (wheezy) has 2.6.6 (See http://packages.debian.org/search?keywords=mod-security&searchon=names&suite=all&section=all).

I will probably write a script that removes all those new actions ("maturity" and "accuracy") and hope it is enough.

Anyway, having too strong a relation between the mod_security engine and the CRS makes upgrades harder. We previously had to migrate to mod_sec 2.6 because of a new CRS release depending on it, and then the old CRS was not working anymore with this new engine (syntax errors). As such we had to migrate all our vhosts to the newest CRS, which brought a lot of new false positives. This was a lot of pain.

choffee commented Feb 21, 2013

The same is true for Ubuntu LTS

http://packages.ubuntu.com/precise-updates/libapache2-modsecurity

Looks like they will be around for a bit. Is there some way things like fixed regexes could be backported to a stable repo?

https://launchpad.net/~team-mayhem/+archive/ppa has up-to-date modsecurity packages, for Ubuntu anyway

Contributor

rcbarnett commented Jul 1, 2013

Added script from @sathieu to remove v2.7 actions for use with older ModSecurity installs -

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/rule-management/remove-2.7-actions.pl

rcbarnett closed this Jul 1, 2013

sathieu commented Jul 2, 2013

Thank you.

fabiocicerchia pushed a commit to fabiocicerchia/OWASP-CRS that referenced this issue Nov 6, 2013

sathieu: Add a converter script for previous modsecurity version (424d504)
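
The conversion discussed in this thread, as an added Python example; it is not the project's `remove-2.7-actions.pl` and not code from any participant. It drops the `ver`, `maturity` and `accuracy` actions from `SecRule`/`SecAction` action lists while leaving operators, quoted `msg` text and commented-out rules untouched. All function names and the sample rule are constructed for illustration, and it assumes rule variables are written unquoted.

```python
import re

# Actions named in the thread as new in ModSecurity 2.7 and unavailable in 2.6.
NEW_IN_2_7 = {"ver", "maturity", "accuracy"}

DIRECTIVE = re.compile(r'^[ \t]*(SecRule|SecAction)\b(?:.*\\\n)*.*$', re.M)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)

def split_actions(action_list):
    """Split on commas that sit outside single-quoted action values."""
    parts, current, in_quote, escaped = [], [], False, False
    for ch in action_list:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(current))
            current = []
            continue
        current.append(ch)
    parts.append("".join(current))
    return parts

def strip_new_actions(action_list):
    """Drop ver/maturity/accuracy, keep every other action byte for byte."""
    def name(action):
        return action.strip(" \t\r\n\\").split(":", 1)[0].lower()
    return ",".join(a for a in split_actions(action_list) if name(a) not in NEW_IN_2_7)

def _convert(match):
    text = match.group(0)
    quoted = list(QUOTED.finditer(text))
    # Assumption: variables are unquoted, so SecRule needs operator + actions quoted.
    if len(quoted) < (1 if match.group(1) == "SecAction" else 2):
        return text
    last = quoted[-1]
    return text[:last.start(1)] + strip_new_actions(last.group(1)) + text[last.end(1):]

def convert_rules(conf_text):
    """Rewrite every SecRule/SecAction in a rules file; other lines pass through."""
    return DIRECTIVE.sub(_convert, conf_text)

# Constructed sample rule, not taken from the CRS.
SAMPLE = r'''SecRule ARGS "@rx select" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',t:none,block,msg:'SQLi, accuracy:low probe',id:'900001'"
'''
```

After converting, diff the output against the original rules file to confirm that only these three actions disappeared.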