SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

Incompatible with ModSecurity 3.x?

Ziris85 opened this issue · comments

Describe the bug

Forgive me if this is either a question that's already been asked, or has an obvious answer, but I've not been able to find one if so. It doesn't appear that any of these rules are compatible with ModSecurity 3.x:

]# httpd -t
AH00526: Syntax error on line 96 of /opt/rh/httpd24/root/etc/httpd/conf.d/owasp-modsecurity-crs-3.2.0/crs-setup.conf:
Invalid command 'SecDefaultAction', perhaps misspelled or defined by a module not included in the server configuration

Steps to reproduce

I just compiled and installed libmodsecurity v3.0.4, then did the same for the ModSecurity-Apache connector (v0.1.1-beta). I then downloaded and loaded up these rules, with this in my config file:

]# cat httpd-modsecurity3.conf
LoadModule security3_module modules/mod_security3.so

<IfModule security3_module>
        Include conf.d/owasp-modsecurity-crs-3.2.0/crs-setup.conf
        Include conf.d/owasp-modsecurity-crs-3.2.0/rules/*.conf
</IfModule>

Expected behaviour

Configs are loaded without error

Actual behaviour

None of the configurations work. Going through and commenting out the lines that it complains about gives me nothing but commented files and no actual rules.

Your Environment

  • CRS version (e.g., v3.2.0): v3.2.0
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3): v3.0.4
  • Web Server and version (e.g., apache 2.4.41): Apache/2.4.34 (Red Hat)
  • Operating System and version: CentOS 7.8.2003

As you can see from the connector version, this is beta software. Nobody recommends using it; please don't do that.

If you want to test it, please read the README of the connector. There you can find the relevant keywords that you can use for the module.

An example:

<IfModule security3_module>
	modsecurity on
	modsecurity_rules_file /path/to/your/httpd/config/modsecurity_includes.conf
</IfModule>

and put the lines from your module config into modsecurity_includes.conf:

Include conf.d/owasp-modsecurity-crs-3.2.0/crs-setup.conf
Include conf.d/owasp-modsecurity-crs-3.2.0/rules/*.conf

But again: don't use this connector unless you want to play with it/test it. Several important pieces of code are missing, the library handling is unfinished, and so on...

Please note that this isn't a CRS-related issue, so I'm going to close it.
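
The change described in the reply above, as an added example that is not part of the original thread or of either project: a small Python helper that moves Include and Sec* lines out of the `<IfModule security3_module>` block, where httpd parses them itself, into the file named by `modsecurity_rules_file`. The function name `split_connector_config` is hypothetical, only the two connector keywords shown in the reply are used, and the block is assumed to contain no nested sections.

```python
import re

# Constructed sample: the httpd config posted in the issue report.
OLD_CONF = """\
LoadModule security3_module modules/mod_security3.so

<IfModule security3_module>
        Include conf.d/owasp-modsecurity-crs-3.2.0/crs-setup.conf
        Include conf.d/owasp-modsecurity-crs-3.2.0/rules/*.conf
</IfModule>
"""

OPEN = re.compile(r"^\s*<IfModule\s+security3_module\s*>", re.I)
CLOSE = re.compile(r"^\s*</IfModule\s*>", re.I)
# Lines that belong to the rules engine, not to httpd's own parser.
MOVE = re.compile(r"^\s*(Include(Optional)?|Sec[A-Za-z]+)\s", re.I)


def split_connector_config(httpd_conf, rules_file):
    """Return (new_httpd_conf, rules_file_body).

    Include/Sec* lines inside the security3_module block are moved into
    the body of the file passed to modsecurity_rules_file; the connector
    keywords are added to the block if they are not already present.
    """
    kept, moved, inside, seen = [], [], False, set()
    for line in httpd_conf.splitlines():
        word = line.split()[0].lower() if line.split() else ""
        if OPEN.match(line):
            inside, seen = True, set()
        elif inside and CLOSE.match(line):
            inside = False
            if "modsecurity" not in seen:
                kept.append("\tmodsecurity on")
            if "modsecurity_rules_file" not in seen:
                kept.append(f"\tmodsecurity_rules_file {rules_file}")
        elif inside and MOVE.match(line):
            moved.append(line.strip())
            continue  # dropped from the Apache config
        elif inside:
            seen.add(word)
        kept.append(line)
    return "\n".join(kept) + "\n", "".join(m + "\n" for m in moved)
```

Running `httpd -t` on the rewritten config is still the check that the module accepts it.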