ModSecurity: Rule processing failed
-
- Forum User
- Posts: 70
- Joined: Fri Oct 20, 2006 8:30 pm
ModSecurity: Rule processing failed
Getting a problem with modsecurity and seeing lots of messages 'ModSecurity: Rule processing failed' in log files, have the latest version from atomic repos.
Energylevel
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ModSecurity: Rule processing failed
What version are you using, and which rules?
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 70
- Joined: Fri Oct 20, 2006 8:30 pm
Re: ModSecurity: Rule processing failed
Modsecurity 2.5.13 from atomic repos ... rules:
05_asl_exclude.conf
05_asl_scanner.conf
05_asl_user_exclude.conf
10_asl_antimalware.conf
10_asl_rules.conf
20_asl_useragents.conf
30_asl_antispam.conf
40_asl_apache2-rules.conf
50_asl_rootkits.conf
60_asl_recons.conf
99_asl_jitp.conf
Energylevel
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ModSecurity: Rule processing failed
Are you using the real time or delayed rules? And what version of either are you using?
Also, what does your audit_log entry look like? We definitely need the full payload to know what's triggering and why.
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 70
- Joined: Fri Oct 20, 2006 8:30 pm
Re: ModSecurity: Rule processing failed
Delayed rules, example audit log:
--e017171a-A--
[19/Dec/2010:22:35:10 +0000] BB2Rb38AAAEAABR17DAAAAAK 11.111.11.253 56020 11.111.11.16 80
--e017171a-B--
GET / HTTP/1.0
User-Agent: check_http/v1991 (nagios-plugins 1.4.12)
Connection: close
Host: 11.111.11.16:80
--e017171a-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 27 Dec 2006 02:00:23 GMT
ETag: "39d8090-33f-64c31bc0"
Accept-Ranges: bytes
Content-Length: 831
Connection: close
Content-Type: text/html
--e017171a-H--
Message: Rule processing failed.
Stopwatch: 1292798110044527 112479 (32361 36463 94655)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (CentOS)
--e017171a-Z--
Energylevel
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ModSecurity: Rule processing failed
Are you running anyone else's rules, and how do you have modsecurity configured?
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 70
- Joined: Fri Oct 20, 2006 8:30 pm
Re: ModSecurity: Rule processing failed
No other rules, checked config file exactly as per your Wiki article....
Energylevel
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ModSecurity: Rule processing failed
Which version of the rpm do you have installed, which Linux distro are you running and are you missing any updates to apache? I wonder if this is a bug in apache or mod_sec on your platform - that's not a rule error, that's an engine error and I haven't seen that error in years. So it sounds like a bug in either the module, or a total blow out in apache itself - either way it's not the rules. Can you send the full rpm -qa for mod_security so we can make sure it's not a point release or build error for your distro OS (and don't forget to tell us what distro you are using).
It shouldn't make much of a difference, but make sure you are running the latest version of the free/unsupported rules.
Michael Shinn
Atomicorp - Security For Everyone
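A triage sketch for audit logs like the one posted in this thread, added here as an example (not code from the thread or from Atomicorp): it splits a serial-format audit log on its `--id-X--` boundaries and labels each section-H `Message:` line as a rule match (it carries an `[id "..."]` tag) or an engine message (no rule metadata, as with "Rule processing failed."). The sample log, its addresses, the file path and the rule id 999999 are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample in the serial audit log layout; ids, addresses and the
# rule metadata in the second entry are made up for this example.
SAMPLE = """\
--aaaa0001-A--
[19/Dec/2010:22:35:10 +0000] TxnIdOne 192.0.2.10 56020 192.0.2.20 80
--aaaa0001-B--
GET / HTTP/1.0
--aaaa0001-H--
Message: Rule processing failed.
--aaaa0001-Z--
--aaaa0002-A--
[19/Dec/2010:22:36:00 +0000] TxnIdTwo 192.0.2.11 40000 192.0.2.20 80
--aaaa0002-H--
Message: Warning. Pattern match "test" at ARGS:q. [file "/placeholder/rules.conf"] [line "1"] [id "999999"]
--aaaa0002-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_audit_log(text):
    """Split a serial audit log into transactions: list of {section letter: [lines]}."""
    txns, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if current is not None and part is not None:
                current[part].append(line)   # body line of the open section
            continue
        part = m.group(2)
        if part == "A":                      # section A opens a new transaction
            current = defaultdict(list)
        elif part == "Z" and current is not None:
            txns.append(current)             # section Z closes it
            current, part = None, None
    return txns

def triage(text):
    """Return (unique_id, kind, message) for every Message line in section H."""
    out = []
    for txn in parse_audit_log(text):
        m = re.match(r"\[[^\]]+\]\s+(\S+)", txn["A"][0]) if txn["A"] else None
        unique_id = m.group(1) if m else "?"
        for line in txn["H"]:
            if line.startswith("Message: "):
                msg = line[len("Message: "):]
                kind = "rule" if re.search(r'\[id "\d+"\]', msg) else "engine"
                out.append((unique_id, kind, msg))
    return out
```

Entries labelled `engine` are the ones to correlate with the Apache error log and module version rather than with the rule set.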