[mod-security-users] Syntax error for rule by trustwave
From: homesh j. <ho...@gm...> - 2019-10-01 07:46:48
Hi,

I am trying to implement rules mentioned in the trustwave blog here
<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-detecting-browser-fingerprint-changes-during-sessions/>.

But I get the below error when I do service apache2 reload.

AH00526: Syntax error on line 13 of /etc/modsecurity/1234.conf:
SecRule takes two or three arguments, rule target, operator and optional action list
Action 'configtest' failed.

Line # 13 is

SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \

I was also getting the same error for below line which I commented out as I feel it is not that useful.

## SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

Below is the entire file content

#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar: tx.ua=%{request_headers.user-agent}"
## SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
SecRule &SESSION:KEY "@eq 1" "chain" \
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-#
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*"
"setvar:session.browser_hash=%{matched_var}"

#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the
# existence of the browser_hash Cookie field. ]=-#
#SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
#SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'" \
#SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"

Please help me in understanding why I am getting the syntax error.

My environment is
Ubuntu 18.04 64 bit
Apache 2.4.29
Modsecurity version 2.9.2

Thanks,
Homesh
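
An added example, not part of the original post: a small Python check that joins backslash-continued lines the way Apache's config reader does and counts the arguments each SecRule would then receive, which is the condition behind the AH00526 message quoted above. The sample config is constructed (abridged from the posted rules), the function names are hypothetical, and shlex only approximates Apache's quoted-word splitting.

```python
import shlex

# Constructed sample, abridged from the Step 2 / Step 3 rules quoted in the post.
SAMPLE = r'''SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog,pass" \
SecRule &SESSION:KEY "@eq 1" "setvar:session.fingerprint_code_sent=1"
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"
'''

def logical_lines(text):
    """Yield (first_line_no, joined_text). A backslash as the last character of a
    physical line is dropped and the next line is appended to the same directive."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended on a dangling continuation
        yield start, buf

def bad_secrules(text):
    """Return [(line_no, argc)] for SecRule directives that get fewer than 2 or more than 3 arguments."""
    findings = []
    for no, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        words = shlex.split(stripped)   # quoted strings count as one argument
        if words[0].lower() == "secrule" and not 2 <= len(words) - 1 <= 3:
            findings.append((no, len(words) - 1))
    return findings

if __name__ == "__main__":
    for no, argc in bad_secrules(SAMPLE):
        print(f"line {no}: SecRule would receive {argc} arguments")
```

With the trailing backslashes in place the three chained rules collapse into one directive; with each rule on its own line and no continuation, every SecRule has three arguments.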