I am trying to install / configure mod-sec using this tutorial, which uses the OWASP ModSecurity Core Rule Set. However when I go to restart apache, I get the following error:
Syntax error on line 53 of /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf:
Error parsing actions: Unknown action: ver
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
This is the block of code it is having trouble with: (specifically ver:'OWASP_CRS/2.2.9',\
)
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
"msg:'Invalid HTTP Request Line',\
severity:'4',\
id:'960911',\
ver:'OWASP_CRS/2.2.9',\
rev:'2',\
maturity:'9',\
accuracy:'9',\
logdata:'%{request_line}',\
phase:1,\
block,\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
tag:'CAPEC-272',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
I have installed modsec Version: 2.6.3-1ubuntu0.2
so I beleve it should work with the OWASP ModSecurity Core Rule Set
Any ideas on how to get it working? Thanks in advance!
Best Answer
Googling yout error message I found this
and the response is
It looks like the CRS that you are using is too new for the version of mod_security that you have installed. You will need to update to a later version of mod_security or find an older version of the CRS.