Odd Behaviour with 98_asl_adv_redactor.conf

Customer support forums for the ModSecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real-time ModSecurity rules feed. Newbies, feel free to get help getting started or to ask questions that may be obvious.
joeblack
New Forum User
Posts: 3
Joined: Fri May 08, 2015 4:15 am
Location: ZA

Odd Behaviour with 98_asl_adv_redactor.conf

Post by joeblack »

Hi,

I am hoping someone could shed some insight into the following issue I am having, but first the basics:

System Details
CentOS - cPanel Server
Apache 2.2
ModSec 2.8.0
PHP 5.4

Now The Problem

Starting Apache yields no start-up and no errors, which was incredibly frustrating at first. After some strace shenanigans we found the following:

6808 write(2, "Syntax error on line 122 of /usr/local/apache/conf/asl_rules/modsec/98_asl_adv_redactor.conf:\n", 94) = 94
6808 write(2, "Error creating rule: Error rsub operator parsing input data\n", 60) = 60
6808 select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

Oh, that's easy, I thought: I commented out the Include for 98_asl_adv_redactor.conf, and Apache is working 100%. After some playing around in the conf file I found that if you comment out rule ID 373717, Apache works; the same goes for chain IDs 373786 and 310703. But having all three causes Apache not to start.

Now the weird part: this is only happening on one of my servers. Being relatively new to ModSecurity, I am going to assume the rules will need one of the following: read, write or network access.

As mentioned, I hope someone can shed some light on further debugging.
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Post by hostingg »

You're using ModSecurity 2.8.0. That's your problem; upgrade to 2.9.0.
If everything was easy, then the world wouldn't need engineers.
joeblack
New Forum User
Posts: 3
Joined: Fri May 08, 2015 4:15 am
Location: ZA

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Post by joeblack »

Thanks for the reply. I have version 2.8.0 on other servers and I am not seeing this issue?

I will give the upgrade a try, but I am not hopeful to be honest.
joeblack
New Forum User
Posts: 3
Joined: Fri May 08, 2015 4:15 am
Location: ZA

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Post by joeblack »

I wanted to put an update here: I came across another server doing the same thing. As so hastily suggested, I upgraded mod_security to 2.9.0 and, to my surprise, this did not work.

<-- Apache start-up -->

[Tue May 12 08:43:31 2015] [notice] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Tue May 12 08:43:31 2015] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LIBXML compiled version="2.9.2"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: Original server signature: Apache

My Work around now is to comment out the following rule:

#eval(function(p,a,c,k,e,d)
#SecRule RESPONSE_BODY "(eval ?\( ?function ?\(p,a,c,k,e,d\))" \
#"chain,id:373786,rev:2,phase:4,severity:4,capture,ctl:auditLogParts=+E,t:none,log,pass,msg:'Atomicorp.com Malware Removal System: Malicious Javascript detected in RESPONSE_BODY and removed',logdata:'%{tx.0}',tag:'no_ar'"
#SecRule STREAM_OUTPUT_BODY "@rsub s/<.script.*eval*(function(p,a,c,k,e,d.*script.*>/<!-- MALICOUS_JAVASCRIPT_REMOVED_RULE_373786 -->/I"

Any further suggestion would help.
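The error the poster traced with strace is raised while ModSecurity parses the argument of the @rsub operator, so a practitioner's first move is to check that argument before bouncing Apache again. The following is an added example, not code from the thread or from Atomicorp's rule set: it joins backslash-continued lines, tokenises each SecRule, splits every @rsub argument into the documented s/regex/replacement/flags fields, and tries to compile the regex. SAMPLE_RULES is the chained rule quoted above with the workaround's leading '#' removed; GOOD_RULE is a constructed control. Two assumptions are labelled in the code: Python's shlex stands in for Apache's directive tokeniser, and Python's re module stands in for the PCRE build linked into the server, so a failure here is a lead to confirm with httpd -t on the affected box, and a pass here does not prove the server's PCRE will accept it.

```python
import re
import shlex

# Constructed sample: the chained rule quoted in the thread, with the leading '#'
# of the workaround removed so it reads as it did in 98_asl_adv_redactor.conf.
SAMPLE_RULES = r'''
SecRule RESPONSE_BODY "(eval ?\( ?function ?\(p,a,c,k,e,d\))" \
"chain,id:373786,rev:2,phase:4,severity:4,capture,ctl:auditLogParts=+E,t:none,log,pass,msg:'Atomicorp.com Malware Removal System: Malicious Javascript detected in RESPONSE_BODY and removed',logdata:'%{tx.0}',tag:'no_ar'"
SecRule STREAM_OUTPUT_BODY "@rsub s/<.script.*eval*(function(p,a,c,k,e,d.*script.*>/<!-- MALICOUS_JAVASCRIPT_REMOVED_RULE_373786 -->/I"
'''

# Constructed control rule (not from the thread) whose @rsub argument is well formed.
GOOD_RULE = r'''
SecRule STREAM_OUTPUT_BODY "@rsub s/<script>alert\(1\)<\/script>/<!-- removed -->/i" "id:900001,phase:4,pass"
'''


def join_continuations(text):
    """Join backslash-newline continued lines, as Apache's config reader does."""
    return re.sub(r'\\\n\s*', ' ', text)


def logical_rules(text):
    """Yield non-empty, non-comment directive lines after continuation joining."""
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line


def split_rsub(param):
    """Split an @rsub argument of the documented form s<d>regex<d>replacement<d>flags
    on its delimiter <d>, treating a backslash-escaped delimiter as a literal.
    Assumption: this is my reading of the documented syntax, not ModSecurity's parser."""
    if len(param) < 2 or param[0] != 's':
        raise ValueError('rsub argument must start with s<delimiter>')
    delim = param[1]
    fields, cur, i = [], [], 2
    while i < len(param):
        ch = param[i]
        if ch == '\\' and i + 1 < len(param) and param[i + 1] == delim:
            cur.append(delim)
            i += 2
            continue
        if ch == delim:
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(''.join(cur))
    if len(fields) != 3:
        raise ValueError('expected s%sregex%sreplacement%sflags, found %d field(s)'
                         % (delim, delim, delim, len(fields)))
    return fields[0], fields[1], fields[2]


def lint_rsub_rules(text):
    """Return [(chain_head_id, problem)] for every SecRule whose @rsub argument does not
    split into three fields or whose regex Python's re module refuses to compile.
    Chained SecRules carry no id, so the id of the most recent rule that had one is used.
    Assumption: shlex approximates Apache's tokeniser (quotes group, \( inside quotes is kept)."""
    problems = []
    current_id = None
    for line in logical_rules(text):
        try:
            tokens = shlex.split(line)
        except ValueError as exc:
            problems.append((current_id, 'tokenise: %s' % exc))
            continue
        if len(tokens) < 3 or tokens[0] != 'SecRule':
            continue
        operator = tokens[2]
        actions = tokens[3] if len(tokens) > 3 else ''
        m = re.search(r'(?:^|,)id:(\d+)', actions)
        if m:
            current_id = m.group(1)
        if not operator.startswith('@rsub '):
            continue
        try:
            regex, _replacement, flags = split_rsub(operator[len('@rsub '):].strip())
            # Python's re is not PCRE; a failure here is a lead, not a verdict.
            re.compile(regex, re.IGNORECASE if 'i' in flags.lower() else 0)
        except (ValueError, re.error) as exc:
            problems.append((current_id, str(exc)))
    return problems


if __name__ == '__main__':
    for rule_id, problem in lint_rsub_rules(SAMPLE_RULES + GOOD_RULE):
        print('rule %s: %s' % (rule_id, problem))
```

Run against a whole rules directory by feeding each file's contents to lint_rsub_rules; anything it reports is worth checking with httpd -t on the server that refuses to start, since that test uses the PCRE the module was actually linked against.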
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Post by mikeshinn »

I can't reproduce this with 2.7.7, 2.8.0 or 2.9.0. Are you using our RPMs or someone else's mod_security builds? The version numbers for the linked libraries aren't versions we use, so it's possible you have a library problem. Here are the versions we use for each platform:

el5
[Wed May 13 17:53:08 2015] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
[Wed May 13 17:53:08 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 17:53:08 2015] [notice] ModSecurity: LIBXML compiled version="2.6.29"

el6
[Wed May 13 17:21:09 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"


el7
[Wed May 13 18:22:54.228365 2015] [:notice] [pid 7516] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Wed May 13 18:22:54.228370 2015] [:notice] [pid 7516] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Wed May 13 18:22:54.228373 2015] [:notice] [pid 7516] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 18:22:54.228375 2015] [:notice] [pid 7516] ModSecurity: YAJL compiled version="2.0.4"
[Wed May 13 18:22:54.228377 2015] [:notice] [pid 7516] ModSecurity: LIBXML compiled version="2.9.1"

Library versions are critical because that's what ModSecurity actually uses to compile/process the rules or carry out functions (like XML parsing or running Lua). If there's a problem there, you'll see it show up as weird errors when trying to process the rules.

Is it possible for you to use the tested libraries or one of our prebuilt rpms?
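The "compiled version" / "loaded version" pairs in those notices exist precisely to catch a module running against a library it was not built with, and the per-platform lists give a reference to compare against. The following is an added example, not code from the thread or from Atomicorp: it parses the start-up notices for each library, normalises away the build-date suffix PCRE appends, and reports both compiled-vs-loaded mismatches and deviations from a baseline. SAMPLE_LOG is the Apache 2.2 output the poster pasted; ATOMICORP_BASELINES copies the el6 and el7 rows from the post above (the el5 row lists no APR line and is omitted); MISMATCH_LOG is a constructed line, not from the thread, that exercises the mismatch path. A mismatch issue means the running module and the linked library disagree; a baseline issue only means the combination is not the one the vendor tested, which is the question being asked here.

```python
import re

# Constructed sample: the start-up notices joeblack pasted (Apache 2.2 log format).
SAMPLE_LOG = """\
[Tue May 12 08:43:31 2015] [notice] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Tue May 12 08:43:31 2015] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LIBXML compiled version="2.9.2"
"""

# Constructed line (not from the thread): a module built against one PCRE but loading
# another at run time, which is the case the compiled/loaded pair exists to catch.
MISMATCH_LOG = """\
[Wed May 13 18:22:54.228370 2015] [:notice] [pid 7516] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.36 2014-09-26"
"""

# Library versions Atomicorp listed in the thread for its own el6 and el7 builds.
ATOMICORP_BASELINES = {
    'el6': {'APR': '1.3.9', 'PCRE': '7.8', 'LUA': 'Lua 5.1', 'LIBXML': '2.7.6'},
    'el7': {'APR': '1.4.8', 'PCRE': '8.32', 'LUA': 'Lua 5.1', 'YAJL': '2.0.4', 'LIBXML': '2.9.1'},
}

VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')


def normalise(version):
    """Strip padding and the build-date token PCRE appends ('8.36 2014-09-26' -> '8.36',
    '6.6 06-Feb-2006' -> '6.6'); 'Lua 5.1' has no four-digit token and is kept whole."""
    return re.sub(r'\s+\S*\d{4}\S*$', '', version.strip())


def parse_library_versions(log_text):
    """Map library name -> (compiled, loaded_or_None) from ModSecurity start-up notices."""
    found = {}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            loaded = normalise(m.group('loaded')) if m.group('loaded') else None
            found[m.group('lib')] = (normalise(m.group('compiled')), loaded)
    return found


def check_libraries(log_text, baseline):
    """Return [(lib, issue)]: a library loaded at run time that differs from the one the
    module was compiled against, or a compiled version that differs from `baseline`."""
    issues = []
    for lib, (compiled, loaded) in sorted(parse_library_versions(log_text).items()):
        if loaded is not None and loaded != compiled:
            issues.append((lib, 'compiled against %s but %s loaded at run time' % (compiled, loaded)))
        if lib in baseline and baseline[lib] != compiled:
            issues.append((lib, 'built with %s; vendor-tested build uses %s' % (compiled, baseline[lib])))
    return issues


if __name__ == '__main__':
    for lib, issue in check_libraries(SAMPLE_LOG, ATOMICORP_BASELINES['el7']):
        print('%s: %s' % (lib, issue))
```

Pick the baseline row that matches the server's platform; on the poster's logs the check finds no compiled/loaded mismatch, only versions outside the vendor-tested set, which is consistent with the "someone else's build" question above.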