CODEWITHSUNDEEP
apachehttpd.confmod-securitymod-security2
Rop
Rop

Reputation: 3409

ModSecurity: Execution phases can only be specified by chain starter rules

In modsecurity default-script:

base_rules/modsecurity_crs_20_protocol_violations.conf

there is a rule, 960011:

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'2',\
  id:'960011',\
  ver:'OWASP_CRS/2.2.9',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
      "t:none,\
      setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

I only want to disable logging for this rule (it gives too many false positives), and therefore add my own script

base_rules/z99_logging_suppress.conf

to remove the default-rule and create a new identical rule -- only without logging:

SecRuleRemoveById 960011

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'2',\
  id:'9960011',\
  ver:'OWASP_CRS/2.2.9',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,nolog,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
      "t:none,\
      setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

The only differences to the original rule are the new id 9960011, and the nolog additions:

  ...
  id:'9960011',\
  ...
  block,nolog,\
  ...

But when I restart httpd with this additional rule, I get error:

AH00526: Syntax error on line 18 of /path/base_rules/z99_logging_suppress.conf:
ModSecurity: Execution phases can only be specified by chain starter rules.

The same strategy --- SecRuleRemoveById + then re-create it with new id --- works for all other default-rules I tried, but not for this one.

Anyone can tell me why that is?

Upvotes: 0

Views: 2297

Answers (1)

Barry Pollard
Barry Pollard

Reputation: 46040

It basically says that the phase command can only be in the first rule in a chain and not in a subsequent rule which forms part of the chain.

There is nothing wrong with the rule as you have written it, phase is only specified in the first SecRule. In fact I've tried it on my instance and it works. So either one of two things has gone wrong:

  1. You have copied and pasted it incorrectly into this question.
  2. The rule above where you have defined this, has chain in it and so has left an open chain, that your rule 9960011 is then effectively trying to continue on from.

Or something else weird is happening! But I'm going with 1 or 2 for now :-)

Upvotes: 3

Related Questions