Rev3rseSecurity / wordpress-modsecurity-ruleset

ModSecurity Rule Set for WordPress (WPRS)

Invalid transformation function: uppercase #8

Open danfsd opened 5 years ago

danfsd commented 5 years ago

Hi, I'm getting this error when I try to start apache2 with the rulesets defined in this repo:

Aug 02 15:12:09 ip-172-31-9-63 apachectl[4820]: AH00526: Syntax error on line 16 of /home/ubuntu/wordpress-modsecurity-ruleset/03-BRUTEFORCE.conf:
Aug 02 15:12:09 ip-172-31-9-63 apachectl[4820]: Error parsing actions: Invalid transformation function: uppercase
Aug 02 15:12:10 ip-172-31-9-63 apachectl[4820]: Action 'start' failed.
Aug 02 15:12:10 ip-172-31-9-63 apachectl[4820]: The Apache error log may have more information.

Any thoughts?

felipee07 commented 5 years ago

Could you share more details? Like Apache version, OS, ModSecurity version.

danfsd commented 5 years ago

OS

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"

Apache

Server version: Apache/2.4.29 (Ubuntu)
Server built:   2019-08-26T13:41:23

ModSecurity

[Mon Sep 09 14:58:40.242726 2019] [:notice] [pid 10029] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Mon Sep 09 14:58:40.242877 2019] [:notice] [pid 10029] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.3"
[Mon Sep 09 14:58:40.242929 2019] [:warn] [pid 10029] ModSecurity: Loaded APR do not match with compiled!
[Mon Sep 09 14:58:40.242995 2019] [:notice] [pid 10029] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.43 2019-02-23"
[Mon Sep 09 14:58:40.243063 2019] [:warn] [pid 10029] ModSecurity: Loaded PCRE do not match with compiled!
[Mon Sep 09 14:58:40.243113 2019] [:notice] [pid 10029] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Sep 09 14:58:40.243170 2019] [:notice] [pid 10029] ModSecurity: YAJL compiled version="2.1.0"
[Mon Sep 09 14:58:40.243228 2019] [:notice] [pid 10029] ModSecurity: LIBXML compiled version="2.9.4"
[Mon Sep 09 14:58:40.243325 2019] [:notice] [pid 10029] ModSecurity: StatusEngine call: "2.9.2,Apache/2.4.29 (Ubuntu),1.6.2/1.6.3,8.39/8.43 2019-02-23,Lua 5.1,2.9.4,51f4f24c9a87ce8649bbc305a411a461e2cab919"
[Mon Sep 09 14:58:40.765884 2019] [:notice] [pid 10029] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Sep 09 14:58:40.857456 2019] [mpm_prefork:notice] [pid 10034] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1c configured -- resuming normal operations

I am almost sure that this error is happening because the DDOS request's payload has an invalid XML structure.

felipee07 commented 5 years ago

@danfsd https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#uppercase

felipee07 commented 5 years ago

Transformation uppercase was added for libmodsecurity (ModSecurity v3). Upgrade or modify this rule.

Amourspirit commented 5 years ago

I am new to ModSecurity. What would the modified rule look like here for version 2.9 (no uppercase)?

felipee07 commented 5 years ago

Remove "t:uppercase".

Amourspirit commented 5 years ago

Got it. Thanks

Amourspirit commented 5 years ago

I removed uppercase and now get the following error: AH00526: Syntax error on line 17 of /etc/modsecurity/wp-rules-enabled/03-BRUTEFORCE.conf: apachectl[24659]: ModSecurity: Execution phases can only be specified by chain starter rules.

See: https://pastebin.com/G7F6JRCZ

felipee07 commented 5 years ago

phases can only be specified by chain starter rules.

Remove "phase:2,"

Amourspirit commented 4 years ago

Thanks. My Working Version: https://pastebin.com/dYBqxu84

wesleywh commented 2 years ago

The pastebin included above appears to maybe be older? (It probably is, based on the timestamp.) It's about ~20 lines shorter.

This same error occurs with ModSecurity v3.3.2, Apache 2.4.53. It can be fixed by removing t:uppercase from the code in 03-BRUTEFORCE.conf.

After fixing that I also get: ModSecurity: Execution phases can only be specified by chain starter rules.

This is then fixed by removing phase:2 from things that are not the start (first item in the nested set). This is explained here: https://stackoverflow.com/questions/43663373/modsecurity-execution-phases-can-only-be-specified-by-chain-starter-rules

THEN after fixing the above I get:

ModSecurity: Metadata actions (id, rev, msg, tag, severity, ver, accuracy, maturity, logdata) can only be specified by chain starter rules.

Same situation as above. id:... is used outside the chain start. I removed those additional chain rules.

Then:

ModSecurity: SkipAfter actions can only be specified by chain starter rules.

I got more errors after this. I'm no mod_security expert by any means, but it seems like this is so out of date it's unusable.
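The four errors walked through in this thread all come from the same rule-layout problem, so here is an added, constructed illustration (not the repository's own 03-BRUTEFORCE.conf, whose contents are not shown in the issue): a hypothetical wp-login.php chain in ModSecurity v2 syntax, first written the way the thread describes it failing, then adjusted so that `t:uppercase` is gone and the chain-starter-only actions (`phase`, `id`, `msg`, `skipAfter`) sit only on the first rule. Rule ids, the marker name, the counter name and the 300-second expiry are placeholders, and the `ip` collection assumes `SecDataDir` is configured.

```apache
# --- BEFORE (constructed; reproduces the errors reported in this issue) ---
# 1) "Invalid transformation function: uppercase": t:uppercase is not a 2.9 transformation
# 2) "Execution phases can only be specified by chain starter rules": phase:2 on a continuation rule
# 3) "Metadata actions ... can only be specified by chain starter rules": id/msg on a continuation rule
# 4) "SkipAfter actions can only be specified by chain starter rules": skipAfter on a continuation rule
SecRule REQUEST_URI "@endsWith /wp-login.php" \
    "id:9000001,phase:2,chain,t:none,t:uppercase,log,msg:'WP login attempt counter (example)'"
    SecRule REQUEST_METHOD "@streq POST" "phase:2,chain,t:none"
        SecRule &ARGS_POST:log "@gt 0" \
            "id:9000002,phase:2,msg:'login form submitted',skipAfter:END_WP_LOGIN_EXAMPLE,setvar:ip.wp_login_attempts=+1,expirevar:ip.wp_login_attempts=300"

# --- AFTER (constructed; parses on ModSecurity 2.9) ---
# Initialise the per-client collection once, early, so ip.* variables exist (placeholder id).
SecAction "id:9000000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Only the chain starter carries phase, id, log, msg and skipAfter. Continuation
# rules carry their own variable, operator, transformations and per-rule actions
# such as setvar/expirevar. Actions on the starter fire only if every rule in the
# chain matched. t:lowercase replaces t:uppercase; @endsWith is case-sensitive,
# so normalising the URI before matching is what the transformation is for here.
SecRule REQUEST_URI "@endsWith /wp-login.php" \
    "id:9000001,phase:2,chain,t:none,t:lowercase,log,pass,msg:'WP login attempt counter (example)',skipAfter:END_WP_LOGIN_EXAMPLE"
    SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
        SecRule &ARGS_POST:log "@gt 0" \
            "t:none,setvar:ip.wp_login_attempts=+1,expirevar:ip.wp_login_attempts=300"

# Separate, non-chained rule that acts on the counter (placeholder id and threshold).
SecRule IP:WP_LOGIN_ATTEMPTS "@gt 10" \
    "id:9000003,phase:2,deny,status:403,log,msg:'WP login attempts over threshold (example)'"

SecMarker END_WP_LOGIN_EXAMPLE
```

A quick way to confirm the layout parses before a restart is `apachectl configtest` (or `apache2ctl configtest` on Ubuntu), which reports the same AH00526 line numbers shown in this thread without taking the server down.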