Closed
Labels: 3.x (Related to ModSecurity version 3.x)
Description
The following error is encountered while trying to run CRS 3.1:

```
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf. Line: 40. Column: 109. Expecting an action, got: ,\ in /etc/nginx/nginx.conf:39
```

The issue comes from the following rule:
```
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
    "id:954100,\
    phase:4,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Disclosure of IIS install location',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-iis',\
    tag:'platform-windows',\
    tag:'attack-disclosure',\
    ctl:auditLogParts=+E,\
    rev:3,\
    ver:'OWASP_CRS/3.0.0',\
    severity:'ERROR',\
    chain"
    SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \
        "setvar:'global.alerted_970018_iisDefLoc',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.outbound_anomaly_score=+%{tx.error_anomaly_score}',\
        setvar:'tx.anomaly_score=+%{tx.error_anomaly_score}'"
```
The issue appears to be `setvar:'global.alerted_970018_iisDefLoc',\`. The issue is probably that setvar doesn't support collection assignment.
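A pre-deployment check for the pattern the report points at, as an added example that is not part of the original issue or of the CRS or ModSecurity code: it scans rule text for `setvar` actions that name a variable without assigning a value, so they can be reviewed before a rule set is loaded. The function name and the trimmed sample rule are constructed for illustration, and whether such an action is rejected depends on the ModSecurity version in use.

```python
import re

# Constructed sample: the chained rule from the report, trimmed to the relevant actions.
SAMPLE = r'''SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
    "id:954100,\
    phase:4,\
    msg:'Disclosure of IIS install location',\
    chain"
    SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \
        "setvar:'global.alerted_970018_iisDefLoc',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score=+%{tx.error_anomaly_score}'"
'''

# setvar argument, either single-quoted or bare (bare form ends at , " ' \ or whitespace).
SETVAR = re.compile(r"""setvar:(?:'([^']*)'|([^,'"\s\\]+))""")
# Rule id, remembered so that findings inside a chained rule name the parent rule.
RULE_ID = re.compile(r"\bid:'?(\d+)")


def find_valueless_setvar(text):
    """Return (line_no, rule_id, expression) for each setvar with no assignment.

    Hypothetical helper for this example. A leading '!' (variable removal)
    legitimately has no '=' and is skipped.
    """
    findings, current_id = [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # skip comment lines
            continue
        id_match = RULE_ID.search(line)
        if id_match:
            current_id = id_match.group(1)
        for quoted, bare in SETVAR.findall(line):
            expr = quoted or bare
            if expr.startswith("!") or "=" in expr:
                continue
            findings.append((line_no, current_id, expr))
    return findings


if __name__ == "__main__":
    for line_no, rule_id, expr in find_valueless_setvar(SAMPLE):
        print(f"line {line_no}: rule {rule_id}: setvar without value: {expr}")
```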