Skip to content

Invalid actions break CRS 3.1 on rule 912160 #1830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
csanders-git opened this issue Jul 5, 2018 · 1 comment
Closed

Invalid actions break CRS 3.1 on rule 912160 #1830

csanders-git opened this issue Jul 5, 2018 · 1 comment
Assignees
@victorhora
Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity
Milestone
v3.0.3

Comments

@csanders-git
Copy link

The following rule will be treated as invalid by LibModSecurity current master + ModSecurity-nginx v1.0.0.

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity.d/include.conf. Line: 14. Column: 29. Expecting an action, got:  ,\ in /etc/nginx/nginx.conf:39

The following is the rule that causes the issues.

SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
    "id:912160,\
    phase:5,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    chain"
    SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
        "setvar:'ip.dos_burst_counter=1',\
        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"

The lines in question that cause the issue are the last two

        setvar:'!ip.dos_counter',\
        expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"

I hypothosis this is because setvar in libmodsecurity doesn't support setvar with a '!'.
Additionally i'm unsure if expirevar or variables expansion is supported here.
@csanders-git csanders-git mentioned this issue Jul 5, 2018
Closed
@victorhora victorhora self-assigned this Jul 16, 2018
@victorhora victorhora added 3.x Related to ModSecurity version 3.x RIP - libmodsecurity labels Jul 16, 2018
@victorhora victorhora mentioned this issue Jul 16, 2018
Closed
@victorhora victorhora added this to the v3.0.3 milestone Sep 11, 2018
@victorhora
Copy link
Contributor

Fixed as of 764a2e4

@CRS-migration-bot CRS-migration-bot mentioned this issue May 13, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@victorhora victorhora

Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity
Projects
None yet
Milestone
v3.0.3
Development

No branches or pull requests
2 participants
@csanders-git @victorhora