Re: [mod-security-users] SecRuleRemoveByTag not working
From: Eirik Ø. - M. <ltn...@an...> - 2018-03-28 20:52:59
Hi,

>>> Hmm. That is odd. It works for me:
>>>
>>> $> echo 'SecRuleRemoveByTag "platform-apache"' > /tmp/rule.conf
>>> $> /usr/src/modsecurity/modsecurity-v3.0.0/tools/rules-check/modsec-rules-check /tmp/rule.conf
>>> : /tmp/rule.conf -- Loaded 0 rules.
>>> Test ok.

To add to the mystery:

# modsec-rules-check 'SecRuleRemoveByTag "attack-injection-php"'
: SecRuleRemoveByTag "attack-injection-php" -- RemoveByTagattack-injection-phpLoaded -1 rules.
Rules error. File: <<reference missing or not informed>>. Line: 1. Column: 41. syntax error, unexpected end of file
Test failed.

# echo 'SecRuleRemoveByTag "attack-injection-php"' > t.conf
# modsec-rules-check t.conf
: t.conf -- RemoveByTagattack-injection-php Loaded -1 rules.
Rules error. File: t.conf. Line: 1. Column: 42. syntax error, unexpected end of file
Test failed.

So it balks on EOF in both cases.

>> Which version and OS is this?
>
> $> cat /etc/issue
> Ubuntu 16.04.4 LTS \n \l
>
> $> uname -a
> Linux anastasia 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# uname -a
FreeBSD nets-acs.test.modirum.com 10.4-RELEASE-p3 FreeBSD 10.4-RELEASE-p3 #0: Tue Nov 14 09:43:55 UTC 2017 ro...@am...:/usr/obj/usr/src/sys/GENERIC amd64

> $> ldd /usr/src/modsecurity/modsecurity-v3.0.0/tools/rules-check/modsec-rules-check
>     linux-vdso.so.1 => (0x00007fffad7b2000)
>     libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f2adaddf000)
>     libGeoIP.so.1 => /usr/lib/x86_64-linux-gnu/libGeoIP.so.1 (0x00007f2adabae000)
>     libpcre.so.1 => /usr/local/pcre/lib/libpcre.so.1 (0x00007f2ada990000)
>     libyajl.so.2 => /usr/lib/x86_64-linux-gnu/libyajl.so.2 (0x00007f2ada785000)
>     libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f2ada3ca000)
>     librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f2ada1c2000)
>     libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f2ad9e40000)
>     libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ad9b37000)
>     libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ad9921000)
>     libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f2ad9704000)
>     libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ad933a000)
>     libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007f2ad9107000)
>     librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007f2ad8eeb000)
>     libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f2ad8cb5000)
>     libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f2ad8985000)
>     libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f2ad873b000)
>     liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f2ad852c000)
>     libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f2ad82db000)
>     libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2ad80c1000)
>     libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2ad7ebd000)
>     libicuuc.so.55 => /usr/lib/x86_64-linux-gnu/libicuuc.so.55 (0x00007f2ad7b29000)
>     liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2ad7907000)
>     /lib64/ld-linux-x86-64.so.2 (0x00007f2adb04c000)
>     libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f2ad76d4000)
>     libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f2ad7454000)
>     libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f2ad71f0000)
>     libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f2ad6fdd000)
>     libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f2ad6d0b000)
>     libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f2ad6adc000)
>     libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f2ad68d8000)
>     libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f2ad66cd000)
>     libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f2ad64b2000)
>     libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f2ad6297000)
>     libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f2ad6056000)
>     libicudata.so.55 => /usr/lib/x86_64-linux-gnu/libicudata.so.55 (0x00007f2ad459f000)
>     libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f2ad4397000)
>     libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f2ad4193000)
>     libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f2ad3f8a000)
>     libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f2ad3d00000)
>     libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007f2ad3a5e000)
>     libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007f2ad382b000)
>     libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007f2ad3615000)
>     libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007f2ad33ec000)
>     libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f2ad31dd000)
>     libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f2ad2f92000)
>     libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f2ad2cbd000)
>     libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f2ad2a85000)

# ldd `which modsec-rules-check`
/usr/local/bin/modsec-rules-check:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800958000)
    libGeoIP.so.1 => /usr/local/lib/libGeoIP.so.1 (0x800bbd000)
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800e01000)
    libyajl.so.2 => /usr/local/lib/libyajl.so.2 (0x801079000)
    libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0x801282000)
    libz.so.6 => /lib/libz.so.6 (0x80161c000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x801833000)
    librt.so.1 => /usr/lib/librt.so.1 (0x801a5c000)
    libstdc++.so.6 => /usr/local/lib/gcc6/libstdc++.so.6 (0x801c62000)
    libm.so.5 => /lib/libm.so.5 (0x801ff7000)
    libgcc_s.so.1 => /usr/local/lib/gcc6/libgcc_s.so.1 (0x802220000)
    libc.so.7 => /lib/libc.so.7 (0x802436000)
    libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x8027e5000)
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x802a0b000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x802e00000)
    libthr.so.3 => /lib/libthr.so.3 (0x803253000)

Shorter list but that's a FreeBSD-ism I suppose. Also I know we build our stuff without kerberos which cuts down on deps quite a bit.

> I just checked again. SecRuleRemoveByTag works for me. I think you need
> to dig down into your problem and if you find it's a bug, then issue a bug
> report.

Not sure how to dig deeper; this should be a pretty straight-forward use case which I'd expect to "just work". What's the preferred place to post a report? And what details should I give that weren't already given here, if any?

/Eirik