Re: [mod-security-users] Syntax error for rule by trustwave

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Homesh,

On Tue, Oct 01, 2019 at 01:16:31PM +0530, homesh joshi wrote:

> AH00526: Syntax error on line 13 of /etc/modsecurity/1234.conf:
> SecRule takes two or three arguments, rule target, operator and optional
> action list
> Action 'configtest' failed.
> 
> Line # 13 is
> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \

yes, this is invalid. The "\" (backslash) char used to indicate to
parser that the next line is part of the current. So, if you want
to continue the list of actions, then it need, elsewhere you
_can_not_ to place that.

As I see your config, the next token is a new "SecRule" option,
therefore this isn't the continuation of the previous line.

May be you might be confused with the 'chain' action, which means
"the next SecRule entity is a continuation of this", but that's
totally different, than the backslash at the EOL.

so, your rules:

> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
> SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
> SecRule &SESSION:KEY "@eq 1" "chain"
> SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

in the right form:

> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none"
> SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog,pass"
> SecRule &SESSION:KEY "@eq 1" "chain"
> SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

also note, that you don't need to put the "id" with same value to
the chained rule - I removed it.

Hope this helps,

a.