David,
Thanks for writing in. I am X-posting this to modsec-dev as well.
Yours is a very strange problem indeed. I am running the 3.0rc1
ruleset in production and have been running dozens of tests without
any issue.
Here is the minimal configuration, which triggered the bug in my
environment (Ubuntu 14.04, apache 2.4.7, modsec 2.9.1)
ServerName localhost
ServerAdmin root@localhost
ServerRoot /opt/apache-2.4.18
User www-data
Group www-data
PidFile logs/httpd.pid
ServerTokens Prod
UseCanonicalName On
TraceEnable Off
Timeout 300
MaxClients 100
KeepAlive On
KeepAliveTimeout 100ms
Listen 127.0.0.1:80
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule headers_module modules/mod_headers.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LogLevel debug core:notice
ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"
ErrorLog logs/error.log
DocumentRoot /apache/htdocs
# === Start ModSec Configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 10000000
SecRequestBodyNoFilesLimit 64000
SecResponseBodyAccess On
SecResponseBodyLimit 10000000
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadDir /tmp/
SecDebugLog /apache/logs/modsec_debug.log
SecDebugLogLevel 9
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABEFHIJZ
SecAuditLogType Concurrent
SecAuditLog /apache/logs/modsec_audit.log
SecAuditLogStorageDir /apache/logs/audit/
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
SecDefaultAction "phase:2,pass,log"
SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
"phase:response,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
block,\
id:'950110'"
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>
<VirtualHost *:80>
ServerName localhost
<Directory /apache/htdocs>
</Directory>
</VirtualHost>
$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
AH00526: Syntax error on line 82 of /opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
Error parsing actions: Unknown action: \\
I tried this with 2.4.7 as well.
If I take a single character out of the regex or out of the version
string (OWASP_CRS...), then the bug disappears.
If I add a space in front of the backslash: bug disappears.
Given the config above, I am quite sure there is a bug hidden somewhere.
Maybe I am overlooking something and somebody can point me to an
error. If that is not the case, then I think it is a bug.
David: I suggest you open a bug report. Please open it against
ModSecurity and not against the Core Rules.
Ahoj,
Christian
On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> Good evening,
>
> I originally posted this at
> http://stackoverflow.com/questions/37369990/modsecurity-error-parsing-actions-unknown-action
> and it was suggested to send to this listserv as well.
>
> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> 2.4.7 on an Ubuntu 14.04 machine.
>
> I'm using all the rules in the /rules directory, and when trying to start
> Apache I receive the following error. (Note: There is no entry in the
> Apache error.log file for this.)
>
> AH00526: Syntax error on line 35 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> Error parsing actions: Unknown action: \\
> Action 'configtest' failed.
>
> In my troubleshooting of the *RESPONSE-50-DATA-LEAKAGES-PHP.conf*
> file, I combined line 35 with 34
>
> capture,ctl:auditLogParts=+E,\
>
> just to see if the line error would change (and make sure I was indeed
> troubleshooting the correct file) and suddenly this error is gone, and
> is replaced with another.
>
> AH00526: Syntax error on line 31 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> Error parsing actions: Unknown action: \\
>
> which again is solved by combining with the line above it.
>
> accuracy:'9',t:none,\
>
>
> Now it starts correctly with no error. Needless to say I'm pretty
> confused about this error, and more confused about the "fix" since I
> don't understand why removing a single line continuation would matter.
>
> Any thoughts on this? Or any suggestions to increase debug\troubleshooting?
>
> Thanks,
> David Angel
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owa...@li...
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
--
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini
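
An added example, not part of the original thread and not ModSecurity or CRS code: a Python helper that lists every backslash line continuation in a config with its byte offset (useful in a bug report, since the failure depends on exact character counts) and applies the two workarounds reported in this thread, a space before the backslash or folding the continued lines together. The sample rule text and all function names are constructed for illustration, and a line is assumed to be continued when it ends in a single backslash.

```python
import re

# Constructed sample shaped like the rule in the minimal configuration above.
SAMPLE = (
    'SecRule RESPONSE_BODY "Index of" \\\n'
    '"phase:response,\\\n'
    "ver:'OWASP_CRS/3.0.0',\\\n"
    "t:none, \\\n"
    "block,\\\n"
    "id:'950110'\"\n"
    "SecRuleEngine On\n"
)

# A line counts as continued when it ends in one backslash that is not itself
# preceded by a backslash (simplification; a trailing "\\" is left untouched).
CONT = re.compile(r"(?<!\\)\\(\r?\n)")


def continuations(text):
    """Return (line_no, byte_offset, space_before) for every continuation backslash."""
    found = []
    for m in CONT.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        byte_offset = len(text[:m.start()].encode("utf-8"))
        space_before = m.start() > 0 and text[m.start() - 1] in " \t"
        found.append((line_no, byte_offset, space_before))
    return found


def add_space_workaround(text):
    """Insert a space before each continuation backslash that lacks one."""
    return re.sub(r"(?<![\\ \t])\\(\r?\n)", r" \\\1", text)


def join_continuations(text):
    """Fold continued lines into one logical line (backslash and newline dropped)."""
    return CONT.sub("", text)


if __name__ == "__main__":
    for line_no, off, spaced in continuations(SAMPLE):
        print(f"line {line_no}: backslash at byte {off}, space before: {spaced}")
    print(join_continuations(SAMPLE), end="")
```

Run `apachectl configtest` against the rewritten copy before replacing the original rule file.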