
Odd Behaviour with 98_asl_adv_redactor.conf

Posted: Fri May 08, 2015 5:44 am
by joeblack
Hi,

I am hoping someone could shed some insight to the following issue I am having, but first the basics:

System Details
CentOS - cPanel Server
Apache 2.2
ModSec 2.8.0
PHP 5.4

Now The Problem

Starting Apache yields no start-up, without errors, which was incredibly frustrating at first. After some strace shenanigans we found the following:

6808 write(2, "Syntax error on line 122 of /usr/local/apache/conf/asl_rules/modsec/98_asl_adv_redactor.conf:\n", 94) = 94
6808 write(2, "Error creating rule: Error rsub operator parsing input data\n", 60) = 60
6808 select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

Oh, that's easy, I thought; I commented out the Include to 98_asl_adv_redactor.conf, and Apache is working 100%. After some playing around in the conf file I found that if you comment out rule ID 373717, Apache works; same goes for chain IDs 373786 and 310703. But having all three causes Apache to not start.

Now the weird part: this is only happening on one of my servers. Being relatively new to ModSecurity, I am gonna assume the rules will need one of the following: read, write or network access.

As mentioned, I hope someone can shed some light on further debugging.

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Posted: Fri May 08, 2015 11:03 am
by hostingg
You're using ModSecurity 2.8.0. That's your problem; upgrade to 2.9.0.

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Posted: Fri May 08, 2015 1:00 pm
by joeblack
Thanks for the reply. I have version 2.8.0 on other servers and I am not seeing this issue?

I will give the upgrade a try, but I am not hopeful to be honest.

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Posted: Tue May 12, 2015 1:54 am
by joeblack
I wanted to put an update here: I came across another server doing the same thing. As so hastily suggested, I upgraded mod_security to 2.9.0 and, to my surprise, this did not work.

<-- apache start up -->

[Tue May 12 08:43:31 2015] [notice] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Tue May 12 08:43:31 2015] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: LIBXML compiled version="2.9.2"
[Tue May 12 08:43:31 2015] [notice] ModSecurity: Original server signature: Apache

My workaround now is to comment out the following rule:

#eval(function(p,a,c,k,e,d)
#SecRule RESPONSE_BODY "(eval ?\( ?function ?\(p,a,c,k,e,d\))" \
#"chain,id:373786,rev:2,phase:4,severity:4,capture,ctl:auditLogParts=+E,t:none,log,pass,msg:'Atomicorp.com Malware Removal System: Malicious Javascript detected in RESPONSE_BODY and removed',logdata:'%{tx.0}',tag:'no_ar'"
#SecRule STREAM_OUTPUT_BODY "@rsub s/<.script.*eval*(function(p,a,c,k,e,d.*script.*>/<!-- MALICOUS_JAVASCRIPT_REMOVED_RULE_373786 -->/I"

Any further suggestion would help.
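A small added checker for triaging the "Error rsub operator parsing input data" message above (my own code, not from the thread or the Atomicorp rule set): it splits an @rsub argument on its delimiter, as the operator's s/pattern/replacement/flags syntax requires, and reports whether the pattern compiles, using Python's re as a stand-in for PCRE (an assumption; the two dialects differ, so the result is a hint, not proof). The sample arguments are constructed, the first copied from the commented-out rule above.

```python
import re

# Constructed samples (not the vendor's rule set): the @rsub argument from
# rule 373786 quoted above, plus a well-formed argument for contrast.
THREAD_RSUB = ("s/<.script.*eval*(function(p,a,c,k,e,d.*script.*>"
               "/<!-- MALICOUS_JAVASCRIPT_REMOVED_RULE_373786 -->/I")
WELLFORMED_RSUB = r"s/<script>alert\(1\)<\/script>/<!-- REMOVED -->/"


def parse_rsub(arg):
    """Split an @rsub argument, s<d>pattern<d>replacement<d>flags, on its
    unescaped delimiter <d>.  Returns (pattern, replacement, flags) or
    raises ValueError when the argument does not have that shape."""
    if len(arg) < 2 or arg[0] != "s":
        raise ValueError("rsub argument must start with 's' and a delimiter")
    delim = arg[1]
    fields = re.split(r"(?<!\\)" + re.escape(delim), arg[2:])
    if len(fields) != 3:
        raise ValueError("expected pattern%sreplacement%sflags, got %d field(s)"
                         % (delim, delim, len(fields)))
    return fields[0], fields[1], fields[2]


def check_rsub(arg):
    """Report whether an @rsub argument splits cleanly and whether its
    pattern compiles.  Python's re stands in for PCRE here (assumption:
    the dialects differ, so a pass is only a hint)."""
    report = {"arg": arg, "parses": False, "compiles": False, "error": None}
    try:
        pattern, _replacement, _flags = parse_rsub(arg)
        report["parses"] = True
        re.compile(pattern)
        report["compiles"] = True
    except (ValueError, re.error) as exc:
        report["error"] = str(exc)
    return report


def scan_config(text):
    """Return one report per active SecRule line in `text` that uses @rsub.
    Commented-out lines (the workaround above) are skipped."""
    reports = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        match = re.search(r'"@rsub\s+(.*)"', stripped)
        if match:
            reports.append(check_rsub(match.group(1)))
    return reports
```

Run scan_config() over a copy of 98_asl_adv_redactor.conf with the suspect rule uncommented to see which @rsub pattern the checker rejects and why.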

Re: Odd Behaviour with 98_asl_adv_redactor.conf

Posted: Wed May 13, 2015 5:19 pm
by mikeshinn
I can't reproduce this with 2.7.7, 2.8.0 or 2.9.0. Are you using our RPMs or someone else's mod_security builds? The version numbers for the linked libraries aren't versions we use, so it's possible you have a library problem. Here are the versions we use for each platform:

el5
[Wed May 13 17:53:08 2015] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
[Wed May 13 17:53:08 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 17:53:08 2015] [notice] ModSecurity: LIBXML compiled version="2.6.29"

el6
[Wed May 13 17:21:09 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 17:21:09 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"


el7
[Wed May 13 18:22:54.228365 2015] [:notice] [pid 7516] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Wed May 13 18:22:54.228370 2015] [:notice] [pid 7516] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Wed May 13 18:22:54.228373 2015] [:notice] [pid 7516] ModSecurity: LUA compiled version="Lua 5.1"
[Wed May 13 18:22:54.228375 2015] [:notice] [pid 7516] ModSecurity: YAJL compiled version="2.0.4"
[Wed May 13 18:22:54.228377 2015] [:notice] [pid 7516] ModSecurity: LIBXML compiled version="2.9.1"

Library versions are critical because that's what ModSecurity actually uses to compile/process the rules, or to carry out functions (like XML parsing, or running Lua). If there's a problem there, you'll see it show up as weird errors trying to process the rules.

Is it possible for you to use the tested libraries or one of our prebuilt RPMs?