AH00526: Syntax error on line 829 of...

[hack3rcon]

Hello,
I'm using CentOS 8 x86_64. I created a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d" directory, then downloaded OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted it in the "owasp-modsecurity-crs" directory.
I renamed "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed below files too:

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I added below lines to "/etc/httpd/conf.d/mod_security.conf" file and restarted my Apache:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

But I got below error:

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: failed (Result: exit-code) since Wed 2021-03-03 10:23:52 +0330; 13s ago
     Docs: man:httpd.service(8)
  Process: 4023589 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
  Process: 4167747 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 4167747 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Mar 03 10:23:51 extra systemd[1]: Starting The Apache HTTP Server...
Mar 03 10:23:52 extra httpd[4167747]: [Wed Mar 03 10:23:52.263542 2021] [so:warn] [pid 4167747:tid 134683729852736>
Mar 03 10:23:52 extra httpd[4167747]: AH00526: Syntax error on line 829 of /etc/httpd/modsecurity.d/owasp-modsecur>
Mar 03 10:23:52 extra httpd[4167747]: ModSecurity: Found another rule with the same id
Mar 03 10:23:52 extra systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Mar 03 10:23:52 extra systemd[1]: httpd.service: Failed with result 'exit-code'.
Mar 03 10:23:52 extra systemd[1]: Failed to start The Apache HTTP Server.

And line 829 of that file is:

setvar:tx.crs_setup_version=330"

How can I solve it?

Thank you.

[martinhsv]

Hi @hack3rcon ,

The name of the file is cut off in the paste of the log messages, but I'll assume that it's crs-setup.conf.

It is the whole rule/directive that is what ModSecurity is complaining about as opposed to the particular line. I'm assuming the content is something like the following (which is what I have setting that var, although my line numbers are different):

SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=330"

The error message that you are seeing ("ModSecurity: Found another rule with the same id") is the key piece of information.

Every SecRule and SecAction should be specified with an "id" in the actions. Each id must be unique across all SecRule and SecAction directives.

If you do indeed have an id specified, things that could go wrong:

• coreruleset has inadvertently assigned that same id number to another SecRule or SecAction somewhere. You could try grep-ing for this
• you are using another ruleset or have a written a custom rule that uses this same id
• you are accidentally including that file multiple times, which is causing modsecurity to see that same SecAction with id 900990 twice

[hack3rcon]

Thank you.
Yes, that file is "crs-setup.conf". I have the number "900990" in below files:

# grep -rl "900990" .
./crs-setup.conf
./owasp-modsecurity-crs/crs-setup.conf

I think, both files are same!!
For installing the ModSecurity, I did:

$ sudo yum install mod_security mod_security_crs

Then downloaded OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted it in the "owasp-modsecurity-crs" directory.

# pwd
/etc/httpd/modsecurity.d
# ls
activated_rules  crs-setup.conf  local_rules  owasp-modsecurity-crs

Is this kind of duplication? When I installed "mod_security_crs" package, do I need download any rules from "https://coreruleset.org/installation/" website?

[martinhsv]

That would be it. I am quite sure you are intended to only have one crs-setup.conf file.

I haven't installed crs from scratch recently, but I'm pretty sure that if you install it from repo (as you have with yum), you should not also do a manual install as described in the link that you cite.

[hack3rcon]

Thank you.
Thus, Must I remove "owasp-modsecurity-crs" directory.
How can I disable ModSecurity temporary?

[hack3rcon]

Thank you.
I removed the rules that I installed manually and problem solved.