Invalid actions break CRS 3.1 on rule 912160 #1831

Closed
csanders-git opened this issue Jul 5, 2018 · 1 comment
Labels
3.x Related to ModSecurity version 3.x

@csanders-git

The following error is encountered while trying to run CRS 3.1:

```
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf. Line: 40. Column: 109. Expecting an action, got:  ,\ in /etc/nginx/nginx.conf:39
```

The issue comes from the following rule:

```
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
    "id:954100,\
    phase:4,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Disclosure of IIS install location',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-iis',\
    tag:'platform-windows',\
    tag:'attack-disclosure',\
    ctl:auditLogParts=+E,\
    rev:3,\
    ver:'OWASP_CRS/3.0.0',\
    severity:'ERROR',\
    chain"
    SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \
        "setvar:'global.alerted_970018_iisDefLoc',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.outbound_anomaly_score=+%{tx.error_anomaly_score}',\
        setvar:'tx.anomaly_score=+%{tx.error_anomaly_score}'"
```

The issue appears to be `setvar:'global.alerted_970018_iisDefLoc',\`. The issue is probably that setvar doesn't support collection assignment.

@csanders-git

This rule is using an anti-pattern for CRS 3.1, and so we have put in a request to remove this capability; however, it is a feature SecRules supports.

SpiderLabs/owasp-modsecurity-crs#1134
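
A pre-deployment check for the construct this issue points at, as an added example that is not part of the original thread or of the ModSecurity or CRS code: it lists every `setvar` action written without an explicit `=value`, so those rules can be reviewed before the file is loaded. The function names and the abridged sample are constructed here, and the script does not claim that any particular engine rejects each hit.

```python
import re

# Constructed sample: the chained rule from the issue, abridged.
SAMPLE = r'''
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
    "id:954100,\
    msg:'Disclosure of IIS install location',\
    chain"
    SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \
        "setvar:'global.alerted_970018_iisDefLoc',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.anomaly_score=+%{tx.error_anomaly_score}'"
'''

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')           # double-quoted argument
ACTION = re.compile(r"(?:[^,']|'(?:[^'\\]|\\.)*')+")  # comma split, quote-aware


def logical_lines(text):
    """Join lines that end in a backslash continuation."""
    return re.sub(r"\\[ \t]*\n", "", text).splitlines()


def valueless_setvars(text):
    """Return (rule_id, collection, variable) for each setvar lacking '='."""
    findings, rule_id = [], None
    for line in logical_lines(text):
        words = line.split(None, 1)
        if not words or words[0] not in ("SecRule", "SecAction"):
            continue
        args = QUOTED.findall(line)
        # SecRule carries operator then actions; SecAction carries actions only.
        if len(args) < (2 if words[0] == "SecRule" else 1):
            continue
        for action in (a.strip() for a in ACTION.findall(args[-1])):
            if action.startswith("id:"):
                rule_id = action[3:].strip("'")  # chained rules reuse this id
            elif action.startswith("setvar:"):
                target = action[7:].strip("'")
                # "setvar:!name" deletes a variable, so it is not flagged.
                if "=" not in target and not target.startswith("!"):
                    collection, _, name = target.partition(".")
                    findings.append((rule_id, collection.lower(), name))
    return findings


if __name__ == "__main__":
    for hit in valueless_setvars(SAMPLE):
        print("rule %s: setvar on %s.%s has no explicit value" % hit)
```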
