Reputation: 457
I want to modify the response content using ModSecurity only if the file resides in a particular directory. I implemented the rules like this:
SecRule REQUEST_URI "@contains /admin/" "phase:2,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,log"
SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "phase:4,t:none,log,pass,msg:'String replaced'"
But after writing this rule, when I restart apache2, ModSecurity gives me an error: "ModSecurity: Disruptive actions can only be specified by chain starter rules". I tried writing the rules the other way round too, but it didn't help.
Any idea why this happens?
Upvotes: 2
Views: 3158
Reputation: 959
The problem with your rules is that you used pass in the second rule.
"Disruptive actions can only be specified by chain starter rules" means that disruptive actions (such as pass) can only be specified by chain starter rules (the first rule, the one that starts the chain), so you cannot use pass in the subsequent rules that are part of a chain.
Upvotes: 1
Reputation: 46040
Your rule makes no sense.
If it's in the admin area, deny it and then look at the next rule (chain), where you allow it to pass! Which is it? Block or pass?
Also, you can't chain rules from two different phases (phase 2 in the first rule of the chain and phase 4 in the second rule).
I'd suggest you probably want something like this:
SecRule REQUEST_URI "@contains /admin/" "phase:4,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,pass,log"
SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "t:none,log,msg:'String replaced'"
Upvotes: 5
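The two answers above point at two constraints on ModSecurity 2.x chains: only the chain starter may carry a disruptive action (and pass is one of them), and a chain cannot span two phases because the starter sets the phase for the whole chain. The following is an added example, not code from the question or either answer: a small Python pre-flight linter that parses SecRule lines and reports both mistakes before you restart Apache. The rule texts embedded at the bottom are constructed from the question's chain and from the corrected chain in the last answer; the list of disruptive actions is the one given in the ModSecurity 2.x reference manual (allow, block, deny, drop, pass, pause, proxy, redirect). The finding labels are my own naming, not ModSecurity's error strings.

```python
"""Static pre-flight check for ModSecurity 2.x SecRule chains.

Added example (not from the original question or answers). It parses
SecRule directives and flags the two chain mistakes discussed on the page:

  * a disruptive action (pass, deny, drop, ...) on a rule that is not the
    chain starter;
  * a phase declared on a non-starter rule (the starter sets the phase for
    the whole chain, so phase:2 and phase:4 in one chain cannot work).
"""
import re
import shlex

# Disruptive actions as listed in the ModSecurity 2.x reference manual.
DISRUPTIVE_ACTIONS = {"allow", "block", "deny", "drop", "pass", "pause", "proxy", "redirect"}

SECRULE_RE = re.compile(r"^\s*SecRule\s+(.*\S)\s*$")


def parse_actions(action_string):
    """Split an action list into (name, argument) pairs.

    Commas inside single-quoted arguments (msg:'a, b') do not separate
    actions, so we split by hand instead of using str.split(",").
    """
    items, buf, in_quote = [], "", False
    for ch in action_string:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    parsed = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        name, _, arg = item.partition(":")
        parsed.append((name.strip(), arg.strip().strip("'")))
    return parsed


def parse_rules(text):
    """Return (line_no, variables, operator, actions) for each SecRule line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRULE_RE.match(line)
        if not m:
            continue  # blank lines, comments, other directives
        # shlex handles the "..." quoting around the operator and the action list.
        parts = shlex.split(m.group(1))
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: SecRule needs VARIABLES and OPERATOR")
        variables, operator = parts[0], parts[1]
        actions = parse_actions(parts[2]) if len(parts) > 2 else []
        rules.append((lineno, variables, operator, actions))
    return rules


def lint_chains(text):
    """Return a list of (line_no, problem, detail) findings; an empty list means OK."""
    findings = []
    chain_open = False      # True while the previous rule ended with 'chain'
    starter_phase = None
    for lineno, _variables, _operator, actions in parse_rules(text):
        names = {name for name, _ in actions}
        phase = next((arg for name, arg in actions if name == "phase"), None)
        if chain_open:
            bad = sorted(names & DISRUPTIVE_ACTIONS)
            if bad:
                findings.append((lineno, "disruptive-on-chained-rule", ",".join(bad)))
            if phase is not None:
                findings.append((lineno, "phase-on-chained-rule",
                                 f"phase:{phase} vs starter phase:{starter_phase}"))
        else:
            starter_phase = phase  # the starter (or a stand-alone rule) sets the phase
        chain_open = "chain" in names
    if chain_open:
        findings.append((0, "unterminated-chain", "last rule still has 'chain'"))
    return findings


# Constructed sample: the chain from the question (rejected by ModSecurity).
QUESTION_RULES = """
SecRule REQUEST_URI "@contains /admin/" "phase:2,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,log"
SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "phase:4,t:none,log,pass,msg:'String replaced'"
"""

# Constructed sample: the corrected chain from the last answer.
ANSWER_RULES = """
SecRule REQUEST_URI "@contains /admin/" "phase:4,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,pass,log"
SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "t:none,log,msg:'String replaced'"
"""

if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        result = lint_chains(rules)
        print(f"{label}: {'OK' if not result else ''}")
        for lineno, problem, detail in result:
            print(f"  line {lineno}: {problem} ({detail})")
```

Run against the question's chain it reports the second rule twice (pass on a chained rule, and phase:4 against the starter's phase:2); the corrected chain from the last answer comes back clean. One caveat the page does not mention: STREAM_OUTPUT_BODY is only populated when SecStreamOutBodyInspection is On, so the clean chain still does nothing unless that directive is set.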