Felipe,
Thank you for the quick response. Glad this is fixed.
A glitch in my lab setup made me believe a new apache showed the
same behaviour. But that was a false alarm. Thank you for pointing this
out.
Cheers,
Christian
On Tue, May 31, 2016 at 12:34:32AM +0000, Felipe Costa wrote:
> Hi Christian,
>
> It seems to me that this problem is associated with a known Apache issue.
> It is related to the utilization of the continuation lines “\\”.
>
> For further details: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
>
> I made the comment #4 back in 2014: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910#c4
>
> I think it is fixed in Apache 2.4.11+.
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> On 5/30/16, 5:34 PM, "Christian Folini" <chr...@ne...> wrote:
>
> >David,
> >
> >Thanks for writing in. I am X-posting this to modsec-dev as well.
> >
> >Yours is a very strange problem indeed. I am running the 3.0rc1
> >ruleset in production and have been running dozens of tests without
> >any issue.
> >
> >Here is the minimal configuration, which triggered the bug in my
> >environment (Ubuntu 14.04, apache 2.4.7, modsec 2.9.1)
> >
> >ServerName localhost
> >ServerAdmin root@localhost
> >ServerRoot /opt/apache-2.4.18
> >User www-data
> >Group www-data
> >PidFile logs/httpd.pid
> >
> >ServerTokens Prod
> >UseCanonicalName On
> >TraceEnable Off
> >
> >Timeout 300
> >MaxClients 100
> >
> >KeepAlive On
> >KeepAliveTimeout 100ms
> >
> >Listen 127.0.0.1:80
> >
> >LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
> >LoadModule unixd_module modules/mod_unixd.so
> >LoadModule authz_host_module modules/mod_authz_host.so
> >LoadModule log_config_module modules/mod_log_config.so
> >LoadModule logio_module modules/mod_logio.so
> >
> >LoadModule headers_module modules/mod_headers.so
> >LoadModule unique_id_module modules/mod_unique_id.so
> >LoadModule security2_module modules/mod_security2.so
> >
> >LoadModule mime_module modules/mod_mime.so
> >LoadModule status_module modules/mod_status.so
> >
> >LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
> >
> >LogLevel debug core:notice
> >
> >ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"
> >
> >
> >ErrorLog logs/error.log
> >
> >DocumentRoot /apache/htdocs
> >
> ># === Start ModSec Configuration
> >
> >SecRuleEngine On
> >
> >SecRequestBodyAccess On
> >SecRequestBodyLimit 10000000
> >SecRequestBodyNoFilesLimit 64000
> >
> >SecResponseBodyAccess On
> >SecResponseBodyLimit 10000000
> >
> >SecTmpDir /tmp/
> >SecDataDir /tmp/
> >SecUploadDir /tmp/
> >
> >SecDebugLog /apache/logs/modsec_debug.log
> >SecDebugLogLevel 9
> >
> >SecAuditEngine RelevantOnly
> >SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> >SecAuditLogParts ABEFHIJZ
> >
> >SecAuditLogType Concurrent
> >SecAuditLog /apache/logs/modsec_audit.log
> >SecAuditLogStorageDir /apache/logs/audit/
> >
> >SecPcreMatchLimit 500000
> >SecPcreMatchLimitRecursion 500000
> >
> >SecDefaultAction "phase:2,pass,log"
> >
> >
> >SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
> > "phase:response,\
> > rev:'2',\
> > ver:'OWASP_CRS/3.0.0',\
> > maturity:'9',\
> > accuracy:'9',\
> > t:none,\
> > block,\
> > id:'950110'"
> >
> >
> ><Directory />
> > Options SymLinksIfOwnerMatch
> > AllowOverride None
> ></Directory>
> >
> ><VirtualHost *:80>
> > ServerName localhost
> >
> > <Directory /apache/htdocs>
> >
> > </Directory>
> >
> ></VirtualHost>
> >
> >
> >$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
> >AH00526: Syntax error on line 82 of /opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
> >Error parsing actions: Unknown action: \\
> >
> >I tried this with 2.4.7 as well.
> >
> >If I take a single character out of the regex or out of the version
> >string (OWASP_CRS...), then the bug disappears.
> >
> >If I add a space in front of the backslash: bug disappears.
> >
> >Given the config above, I am quite sure there is a bug hidden somewhere.
> >Maybe I am overlooking something and somebody can point me to an
> >error. If that is not the case, then I think it is a bug.
> >
> >David: I suggest you open a bug report. Please open it against
> >ModSecurity and not against the Core Rules.
> >
> >Ahoj,
> >
> >Christian
> >
> >On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> >> Good evening,
> >>
> >> I originally posted this at
> >> http://stackoverflow.com/questions/37369990/modsecurity-error-parsing-actions-unknown-action
> >> and it was suggested to send to this listserv as well.
> >>
> >> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> >> 2.4.7 on an Ubuntu 14.04 machine.
> >>
> >> I'm using all the rules in the /rules directory, and when trying to start
> >> Apache I receive the following error. (Note: There is no entry in the
> >> Apache error.log file for this.)
> >>
> >> AH00526: Syntax error on line 35 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> >> Error parsing actions: Unknown action: \\
> >> Action 'configtest' failed.
> >>
> >> In my troubleshooting of the RESPONSE-50-DATA-LEAKAGES-PHP.conf
> >> file, I combined line 35 with 34
> >>
> >> capture,ctl:auditLogParts=+E,\
> >>
> >> just to see if the line error would change (and make sure I was indeed
> >> troubleshooting the correct file) and suddenly this error is gone, and
> >> is replaced with another.
> >>
> >> AH00526: Syntax error on line 31 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> >> Error parsing actions: Unknown action: \\
> >>
> >> which again is solved by combining with the line above it.
> >>
> >> accuracy:'9',t:none,\
> >>
> >>
> >> Now it starts correctly with no error. Needless to say I'm pretty
> >> confused about this error, and more confused about the "fix" since I
> >> don't understand why removing a single line continuation would matter.
> >>
> >> Any thoughts on this? Or any suggestions to increase debug\troubleshooting?
> >>
> >> Thanks,
> >> David Angel
> >
> >--
> >mailto:chr...@ne...
> >http://www.christian-folini.ch
> >twitter: @ChrFolini
> >
--
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini
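
Added example, not part of the original thread and not ModSecurity or Apache code: a small Python check that finds the continuation form reported as failing in the thread (a trailing backslash with no space in front of it) and applies the two workarounds described there, adding a space before the backslash or combining the continued lines into one. The function names and the shortened sample rule are constructed for illustration, and the join logic is a simplified model of Apache's backslash-newline handling.

```python
# Constructed sample modelled on the rule quoted in the thread (regex shortened).
SAMPLE = (
    'SecRule RESPONSE_BODY "Index of" \\\n'
    '    "phase:response,\\\n'
    "    ver:'OWASP_CRS/3.0.0',\\\n"
    '    t:none,\\\n'
    '    block,\\\n'
    "    id:'950110'\"\n"
    'SecRuleEngine On\n'
)

def _is_tight(line):
    """True if the line ends in a backslash with no space or tab before it."""
    return line.endswith("\\") and not line[:-1].endswith((" ", "\t"))

def tight_continuations(text):
    """Return 1-based line numbers of continuations written as ',\\'."""
    return [n for n, line in enumerate(text.splitlines(), 1) if _is_tight(line)]

def pad_continuations(text):
    """Workaround from the thread: put a space in front of the backslash."""
    lines = [l[:-1] + " \\" if _is_tight(l) else l for l in text.splitlines()]
    return "\n".join(lines) + "\n"

def join_continuations(text):
    """Workaround from the thread: combine continued lines into one.

    Assumption: every trailing backslash is a continuation and the leading
    whitespace of the following line is kept, as in the indented CRS rules.
    """
    logical, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep reading
        else:
            logical.append(buf + line)
            buf = ""
    if buf:                           # file ended on a continuation
        logical.append(buf)
    return logical

if __name__ == "__main__":
    print("tight continuations on lines:", tight_continuations(SAMPLE))
    print(pad_continuations(SAMPLE), end="")
    for entry in join_continuations(SAMPLE):
        print(repr(entry))
```
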