Was the rule that you commented out already part of a chained ruleset?  This message is normally generated when there are 2 concurrent rules processed that both have the "chain" action specified.
 
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

 
On 10/26/06, Matt Wrycraft <matt@wrycraft.net> wrote:
I would like to disable this rule from rules.conf

  SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"

However when I hash it and restart Apache, it fails to start with the
following errors:
Starting httpd: Syntax error on line 145 of /etc/modsecurity/rules.conf:
Action "id" cannot be used on a chained rule that did not start the chain

Line 145 is the next line of the file after my hashed out line

SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300014,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"


Any simple way I can disable the rule without causing an error?  I've
scanned the documentation but remain confused.  Many thanks!

Matt
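
Added example, not part of the original thread or of ModSecurity itself: a small Python check that groups ModSecurity 1.x filter rules into chains, lists the rule lines that have to be disabled together, and flags any rule that would carry an "id" without starting its chain. It assumes the action list is the optional last argument of SecFilter/SecFilterSelective; the first rule in the sample is constructed, because the thread does not show the rule that precedes the disabled one.

```python
import re

# A double-quoted argument (backslash escapes allowed) or a bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')
# Arguments that precede the optional action list (ModSecurity 1.x syntax).
FIXED_ARGS = {"SecFilter": 1, "SecFilterSelective": 2}

def parse_rules(text):
    """[(line_no, actions)] per active rule; assumes no commas inside msg:'...'."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        tok = TOKEN.findall(line)
        if not tok or tok[0] not in FIXED_ARGS:
            continue  # commented-out rules, blank lines, other directives
        extra = tok[1 + FIXED_ARGS[tok[0]]:]
        actions = extra[0].strip('"').split(",") if extra else []
        rules.append((no, [a.strip() for a in actions]))
    return rules

def chains(text):
    """Group rules: a rule with 'chain' pulls the next active rule into its group."""
    groups, current = [], []
    for rule in parse_rules(text):
        current.append(rule)
        if "chain" not in rule[1]:
            groups.append(current)
            current = []
    return groups + ([current] if current else [])

def lines_to_disable(text, line_no):
    """Every rule line in the same chain as line_no; disable them together."""
    for group in chains(text):
        lines = [no for no, _ in group]
        if line_no in lines:
            return lines
    return []

def orphaned_ids(text):
    """Lines that carry an id but are not the first rule of their chain."""
    return [no for group in chains(text) for no, actions in group[1:]
            if any(a.startswith("id:") for a in actions)]

# Constructed sample: line 1 is a hypothetical chain starter, lines 2-4 are
# the rules quoted in the thread.
BEFORE = r'''SecFilterSelective REQUEST_URI "!(/example\.cgi)" "chain,id:1,msg:'constructed starter'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300014,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
'''
AFTER = BEFORE.replace("SecFilterSelective ARGS", "#SecFilterSelective ARGS")
```

Running `orphaned_ids` on the edited file before restarting Apache shows which line would trigger the "did not start the chain" error, and `lines_to_disable` on the original file shows which lines to hash out together.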
