
Invalid actions break CRS 3.1 on rule 912160 #1830

Closed
csanders-git opened this issue Jul 5, 2018 · 1 comment
Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity
@csanders-git

The following rule will be treated as invalid by LibModSecurity current master + ModSecurity-nginx v1.0.0.

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity.d/include.conf. Line: 14. Column: 29. Expecting an action, got:  ,\ in /etc/nginx/nginx.conf:39

The following is the rule that causes the issues.

SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
    "id:912160,\
    phase:5,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    chain"
    SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
        "setvar:'ip.dos_burst_counter=1',\
        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"

The lines in question that cause the issue are the last two:

        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"

I hypothesize this is because setvar in libmodsecurity doesn't support setvar with a '!'.
Additionally, I'm unsure if expirevar or variable expansion is supported here.
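A pre-deployment check for the two action forms singled out above, added here as an example and not part of the original post or of the CRS or ModSecurity projects: it joins backslash-continued directives, carries the rule id into chained rules, and lists every `setvar:'!...'` and `expirevar` action so they can be tested against the target engine before nginx is reloaded. The function names are hypothetical and the sample is an abridged copy of the rule from the report.

```python
import re

# Constructed sample: rule 912160 from the report, abridged (tags, t:none, nolog dropped).
SAMPLE = r'''SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
    "id:912160,\
    phase:5,\
    pass,\
    chain"
    SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
        "setvar:'ip.dos_burst_counter=1',\
        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
'''

ACTION = re.compile(r"(setvar|expirevar):'?([^',\"]+)")
RULE_ID = re.compile(r"\bid:'?(\d+)")
CHAIN = re.compile(r"[\",]\s*chain\s*[\",]")

def logical_lines(text):
    """Yield (first_line_no, joined_text) with backslash continuations merged."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continued directive
        yield start, "".join(buf)

def flag_actions(text):
    """Return (rule_id, directive_start_line, action) for unset-style setvar and expirevar."""
    findings, chain_id = [], None
    for line_no, rule in logical_lines(text):
        if not rule.lstrip().startswith("SecRule"):
            continue
        m = RULE_ID.search(rule)
        rule_id = m.group(1) if m else chain_id  # a chained rule has no id of its own
        chain_id = rule_id if CHAIN.search(rule) else None
        for name, arg in ACTION.findall(rule):
            if name == "expirevar" or arg.startswith("!"):
                findings.append((rule_id, line_no, f"{name}:{arg}"))
    return findings
```

The reported line number is where the directive starts, not the physical line of the action, which is enough to locate the rule in an include file.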

@victorhora
Contributor

Fixed as of 764a2e4
