directive Rules error #4

Closed
Zoey2936 opened this issue Feb 14, 2024 · 42 comments

Comments

@Zoey2936

Hello, I've tried this plugin today, but got this error:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /data/etc/modsecurity/crs-plugins/fake-bot-before.conf. Line: 1. Column: 750. Expecting an action, got: @eq 0" "id:9504099,phase:1,pass,nolog,ctl:ruleRemoveById=9504100-9504999" in /data/nginx/proxy_host/10.conf:48
I get similar error with other plugins like nextcloud exclusion

@theseion (Contributor)

Hi @Zoey2936. Could you please give us more information about your setup?

  • which version of CRS are you running (v4 I guess)?
  • what does your nginx config look like for loading the CRS configuration?

@dune73 (Member) commented Feb 15, 2024

This is very strange.

What @theseion said.

Is CRS behaving correctly?

@Zoey2936 (Author)

Here is my configuration:

How I build modsec and nginx: https://github.com/ZoeyVid/nginx-quic/blob/latest/Dockerfile
How I add crs v4.0.0: https://github.com/ZoeyVid/NPMplus/blob/c546e853a82ec17dc3377511494c54b055b192e8/Dockerfile#L77
How the main nginx conf looks like: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/nginx.conf
How I load crs: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
How I load crs in nginx: https://github.com/ZoeyVid/NPMplus/blob/c546e853a82ec17dc3377511494c54b055b192e8/backend/templates/proxy_host.conf#L19
How I installed the plugin: https://github.com/ZoeyVid/NPMplus/tree/develop#coreruleset-plugins

sample server block:

server {
    set $forward_scheme http;
    set $server "127.0.0.1";
    set $port <port>;

    listen unix:/run/nginx-1.sock;

    #listen <ipv4-ip>:80;
    #listen [<ipv6-ip>]:80;

    listen <ipv4-ip>:443 ssl;
    listen [<ipv6-ip>]:443 ssl;

    listen <ipv4-ip>:443 quic;
    listen [<ipv6-ip>]:443 quic;

    more_set_headers 'Alt-Svc: h3=":443"; ma=86400';


    server_name <domain>;

    # Certbot TLS
    include conf.d/include/tls-ciphers.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
    ssl_certificate /data/tls/certbot/live/npm-13/fullchain.pem;
    ssl_certificate_key /data/tls/certbot/live/npm-13/privkey.pem;
    ssl_trusted_certificate /data/tls/certbot/live/npm-13/chain.pem;


    more_clear_headers "Expect-CT";
    include conf.d/include/hsts.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf


    # Force TLS
    include conf.d/include/force-tls.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf


    # Enable Brotli
    include conf.d/include/brotli.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf


    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf


    include conf.d/include/acme-challenge.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
    include conf.d/include/block-exploits.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf


    location / {
        include conf.d/include/acme-challenge.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf


        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;


        # Proxy!
        include conf.d/include/proxy.conf; # see: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
    }


    # Custom
    include /data/nginx/custom/server_proxy.conf; # empty
}

@Zoey2936 (Author)

And yes, CRS without plugins works fine.

@fzipi (Member) commented Feb 15, 2024

Thanks for the detailed information!

@dune73 (Member) commented Feb 15, 2024

CC @airween

What do you guys make out of this? I'm puzzled.

@dune73 (Member) commented Feb 15, 2024

Reading your initial error line again, file /data/etc/modsecurity/crs-plugins/fake-bot-before.conf could be completely broken. Please check it and dump it here if an error is not obvious.

@Zoey2936 (Author)

[screenshot of fake-bot-before.conf, attached as an image]

@dune73 (Member) commented Feb 15, 2024

Hmm. It says Line: 1. Column: 750. Expecting an action, got: @eq 0".

The problem is, this is not line 1 and it's not column 750, rather line 20 and column 30 or so.

Different carriage returns? Different version / location of the file being loaded? I'm a bit at a loss.

Something is amiss, but I think it's rather your setup than the plugin, since the plugin file looks cool.

@Zoey2936 (Author)

If you want, you can try it yourself by deploying NPMplus, enabling modsec and CRS in a host and uploading this plugin; then this error will occur.

@dune73 (Member) commented Feb 15, 2024

Sorry, but I do not have the time for that.

What you could do is a minimal install - I reckon that would work - and then examine the delta, if any.

@Zoey2936 (Author)

I've found the error: I removed the body-decompress plugin and now it works.

@azurit (Member) commented Feb 15, 2024

That is strange. Can anyone test Body Decompress Plugin with nginx? @theseion You mentioned that you use nginx, hm?

@Zoey2936 (Author)

nginx reports:

mx:/data/etc/modsecurity/crs-plugins# nginx -t

Include/data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include/usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
Include/data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Include/data/etc/modsecurity/crs-plugins/*-after.conf
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf. Line: 7. Column: 331. syntax error, unexpected end of file  in /data/nginx/proxy_host/10.conf:48
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

@Zoey2936 (Author)

Maybe this issue should be moved to the body decompress repo?

@azurit (Member) commented Feb 15, 2024

Maybe this issue should be moved to the body decompress repo?

@Zoey2936 Yes, sure. Can you, please, close this issue and open a new one in Body Decompress Plugin repository? Thank you.

@Zoey2936 (Author)

[screenshot]
Don't you have the option to transfer this issue? But yes, I can open a new issue there.

@theseion theseion transferred this issue from coreruleset/fake-bot-plugin Feb 15, 2024
@theseion (Contributor)

@Zoey2936 out of curiosity, why aren't you using owasp/modsecurity-docker-crs and building your own instead?

@Zoey2936 (Author)

@Zoey2936 out of curiosity, why aren't you using owasp/modsecurity-docker-crs and building your own instead?

If you compare the image sizes you will see the reason: https://hub.docker.com/r/owasp/modsecurity-crs/tags?page=1&name=openresty and https://hub.docker.com/r/zoeyvid/nginx-quic/tags

@theseion (Contributor)

Fair enough. We also appreciate PRs to improve our builds hint hint 😉

@fzipi (Member) commented Feb 15, 2024

🙏 amen to that.

@theseion (Contributor)

I'm trying to run your container @Zoey2936, but simply building and running it doesn't work. I probably need to mount some things. Could you post a complete example on how to run the container, so that I can debug the error?

@Zoey2936 (Author)

You mean building this Dockerfile? https://github.com/ZoeyVid/nginx-quic/blob/latest/Dockerfile

@theseion (Contributor)

No, I've built it already. Now I want to run the container to see your error.

@Zoey2936 (Author)

Just use this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml

@theseion (Contributor) commented Feb 15, 2024

I've built the container from that image, yes.

@Zoey2936 (Author)

Since this image just builds nginx and modsec, and in a second Dockerfile CRS and CrowdSec are added.

@theseion (Contributor)

I think I've identified the issue. The SecRuleScript directive needs to have an "action" argument, e.g., id:2,pass. The documentation clearly says that it's optional, but it does not appear to be in ModSecurity v3.

@azurit @airween, what do you think?

@Zoey2936 could you test your setup by modifying body-decompress-before.conf like so (add "pass"):

SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate" \
    "id:9503110,\
    phase:4,\
    pass,\
    nolog,\
    ver:'body-decompress-plugin/1.0.0',\
    chain"
    SecRule RESPONSE_BODY "@rx ^\x1f\x8b" \
        "t:none,\
        chain"
        SecRuleScript body-decompress.lua "pass"

@airween commented Feb 15, 2024

I think I've identified the issue. The SecRuleScript directive needs to have an "action" argument, e.g., id:2,pass. The documentation clearly says that it's optional, but it does not appear to be in ModSecurity v3.

Seems like it's not optional (based on the syntax), and the regression tests use actions too, e.g. here (and in all places in the test file).

So yes, looks like it's not optional in v3.

@azurit (Member) commented Feb 15, 2024

@theseion Cool! Let's wait for @Zoey2936 to confirm it fixes the problem.

@Zoey2936 (Author)

I think I've identified the issue. The SecRuleScript directive needs to have an "action" argument, e.g., id:2,pass. The documentation clearly says that it's optional, but it does not appear to be in ModSecurity v3.

@azurit @airween, what do you think?

@Zoey2936 could you test your setup by modifying body-decompress-before.conf like so (add "pass"):

SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate" \
    "id:9503110,\
    phase:4,\
    pass,\
    nolog,\
    ver:'body-decompress-plugin/1.0.0',\
    chain"
    SecRule RESPONSE_BODY "@rx ^\x1f\x8b" \
        "t:none,\
        chain"
        SecRuleScript body-decompress.lua "pass"

it now returns:

nginx: [emerg] "modsecurity_rules_file" directive Disruptive actions can only be specified by chain starter rules. in /data/nginx/proxy_host/19.conf:48
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

@theseion (Contributor)

Something's up with the parser... @Zoey2936 is right, I had tried SecRuleScript as a standalone rule, which appeared to work. But it will not work as a chain rule, regardless of what the action is. But without action, the parser will fail to parse completely.

@Zoey2936 (Author)

So the problem is inside ModSecurity v3?

@theseion (Contributor) commented Feb 17, 2024

It looks like it. @airween I didn't see an issue immediately in the parser. What I did find out is that for some reason the parser thinks that any action specified for SecRuleScript in a chain rule is disruptive, even though only a couple override the isDisruptive() function. For example, I tested this (nolog is certainly not disruptive):

SecRule REQUEST_FILENAME "@unconditionalMatch" \
  "id:888888,\
  phase:1,\
  chain"
  SecRuleScript <path to script> "nolog"

The above leads to the same error:

nginx: [emerg] "modsecurity_rules_file" directive Disruptive actions can only be specified by chain starter rules. in /usr/local/nginx/conf/conf.d/npm.conf:13
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

@dune73 (Member) commented Feb 17, 2024

I think it makes perfect sense to prohibit a nolog in a chain, but the log message is wrong. It's not because it's a disruptive action. It's because it's an action that affects the entire chain and therefore it has to be defined in the starter rule.

Chances are the code around this and all the log messages are a bit of a mess and inconsistent between ModSecurity v2 and v3.

@theseion (Contributor)

Maybe. I also tried "t:none", so no actions, with the same result.
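The two parser behaviours this thread runs into, as an added example that is not part of the original issue, the CRS project or ModSecurity: dune73's observation above that the reported "Line: 1. Column: 750" does not match the physical file, and theseion's finding that ModSecurity v3 rejects SecRuleScript both without an action argument and as a chain member. The position mapping assumes (the thread suspects this but does not verify it) that the v3 parser counts line and column on the logical line obtained by joining backslash-newline continuations; the rule text is a constructed excerpt in the style of body-decompress-before.conf, not the real plugin file, and the finding messages paraphrase the errors quoted in the thread.

```python
"""Checks for the two ModSecurity v3 parsing issues from this thread.

Added example; constructed sample input, not the real plugin files.
"""
import shlex

# Mandatory positional arguments per directive; the actions string that may
# follow them is optional for SecRule and SecRuleScript.
MANDATORY_ARGS = {"SecRule": 2, "SecAction": 0, "SecRuleScript": 1}


def join_continuations(text):
    """Join backslash-newline continuations into logical lines.

    Returns a list of logical lines, each a list of (physical_line_no,
    fragment) tuples.  Assumption, not verified in the thread: the parser
    drops only the backslash and the line break and keeps the continued
    line's leading whitespace.  CRLF line endings are tolerated here.
    """
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                          # trailing newline, not a line
    logical, current = [], []
    for no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r")
        if line.endswith("\\"):
            current.append((no, line[:-1]))
            continue
        current.append((no, line))
        logical.append(current)
        current = []
    if current:                              # file ended inside a continuation
        logical.append(current)
    return logical


def physical_position(logical, line_no, column):
    """Map a 1-based (logical line, column), as printed in the nginx
    [emerg] message, to the 1-based (physical line, column) in the file."""
    if not 1 <= line_no <= len(logical):
        return None
    offset = column
    for phys_no, fragment in logical[line_no - 1]:
        if offset <= len(fragment):
            return (phys_no, offset)
        offset -= len(fragment)
    return None                              # column past end of logical line


def logical_text(fragments):
    return "".join(fragment for _, fragment in fragments)


def actions_of(directive, args):
    """Actions string of a tokenized directive, or None when absent."""
    n = MANDATORY_ARGS[directive]
    return args[n + 1] if len(args) > n + 1 else None


def has_chain(actions):
    return actions is not None and "chain" in [a.strip() for a in actions.split(",")]


def lint_secrulescript(text):
    """Return (physical_line, message) for SecRuleScript uses that the
    thread found ModSecurity v3 rejects: inside a chain, or without actions."""
    findings, in_chain = [], False
    for fragments in join_continuations(text):
        stripped = logical_text(fragments).strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            args = shlex.split(stripped)     # handles "..." with embedded '...'
        except ValueError as exc:
            findings.append((fragments[0][0], f"cannot tokenize: {exc}"))
            continue
        directive = args[0]
        if directive not in MANDATORY_ARGS:
            continue                         # Include, SecMarker, ... ignored
        actions = actions_of(directive, args)
        is_member, in_chain = in_chain, has_chain(actions)
        if directive != "SecRuleScript":
            continue
        first = fragments[0][0]
        if is_member:
            findings.append((first, "SecRuleScript as chain member: v3 reports "
                             "'Disruptive actions can only be specified by chain starter rules'"))
        if actions is None:
            findings.append((first, "SecRuleScript without actions: v3 fails to parse the file"))
    return findings


# Constructed excerpt in the style of body-decompress-before.conf (line 12 is
# the chain-member SecRuleScript from the thread; line 15 lacks actions).
SAMPLE_RULES = """\
# constructed sample, not the real plugin file
SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate" \\
    "id:9503110,\\
    phase:4,\\
    pass,\\
    nolog,\\
    ver:'body-decompress-plugin/1.0.0',\\
    chain"
    SecRule RESPONSE_BODY "@rx ^\\x1f\\x8b" \\
        "t:none,\\
        chain"
        SecRuleScript body-decompress.lua "pass"
# standalone uses, which theseion reports as parsing
SecRuleScript body-decompress.lua "id:9503120,phase:4,pass,nolog"
SecRuleScript body-decompress.lua
"""
```

Run lint_secrulescript over a plugin's *-before.conf and *-after.conf before loading it with nginx -t; a finding on the last member of a chain is the case that produced the "Disruptive actions can only be specified by chain starter rules" error above. physical_position is the check dune73 asked for: feed it the Line and Column from the nginx [emerg] message together with the plugin file, and compare the physical line it returns with the line the message should have pointed at.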

@Zoey2936 (Author) commented Mar 5, 2024

Do you think this can be fixed at some point?

@theseion (Contributor) commented Mar 5, 2024

I was hoping that @airween had some insights.

@dune73 (Member) commented Mar 6, 2024

He's buried in work, but I hope he can return to this sooner or later.

@airween commented Mar 12, 2024

Do you think this can be fixed at some point?

Maybe. Please open an issue under ModSecurity's repository.

But unfortunately I can't promise that this will be on top.

@Zoey2936 (Author)

Do you think this can be fixed at some point?

Maybe. Please open an issue under ModSecurity's repository.

But unfortunately I can't promise that this will be on top.

Sorry, but I think I don't know enough about how this plugin works to report this bug to the modsec repo.

@theseion (Contributor)

I've opened the issue: owasp-modsecurity/ModSecurity#3108.
