p0pr0ck5 / lua-resty-waf

High-performance WAF built on the OpenResty stack
GNU General Public License v3.0

Issues with ModSecurity's modsecurity.conf-recommended #286

Closed kwaping closed 7 years ago

kwaping commented 7 years ago

I'm trying to load https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e#diff-6e82b229be9e63263c7a16756f7887f6 as a base set of rules to kick off my WAF project. However, there are quite a few errors coming out of lua-resty-waf when reloading my Nginx config related to this file:

nginx -s reload
nginx: [warn] [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_ERROR
nginx: [warn] [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var MULTIPART_STRICT_ERROR
nginx: [warn] [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var MULTIPART_UNMATCHED_BOUNDARY
nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:997: /usr/local/openresty/site/lualib/resty/waf/translate.lua:864: Cannot translate ctl option requestBodyProcessor
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule REQUEST_HEADERS:Content-Type (?:application(?:/soap+|/)|text/)xml id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML

nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:997: /usr/local/openresty/site/lualib/resty/waf/translate.lua:864: Cannot translate ctl option requestBodyProcessor
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule REQUEST_HEADERS:Content-Type application/json id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON

nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_ERROR
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule REQBODY_ERROR !@eq 0 id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2

nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var MULTIPART_STRICT_ERROR
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule MULTIPART_STRICT_ERROR !@eq 0 id:'200003',phase:2,t:none,log,deny,status:400, msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'

nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var MULTIPART_UNMATCHED_BOUNDARY
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule MULTIPART_UNMATCHED_BOUNDARY !@eq 0 id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'

If you can give me some hints as to how to fix these issues, I will gladly do the work and create a pull request for you. Thanks!

kwaping commented 7 years ago

Sorry, I neglected to RTFM! Specifically https://github.com/p0pr0ck5/lua-resty-waf#rule-definitions and https://github.com/p0pr0ck5/lua-resty-waf/wiki/Known-ModSecurity-Translation-Limitations. Apologies!

p0pr0ck5 commented 7 years ago

Yeah, not all operators and collections are going to be translated 100%. If you'd like to contribute to translating any missing elements feel free to submit a PR :)
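Editor's added example, not written by anyone in this thread and not part of lua-resty-waf: a small triage script that pairs each `load_secrules()` error with the `SecRule` line logged after it, so the rule ids missing from the translated ruleset can be listed after a reload. The function name and the short `var`/`ctl` tags are assumptions made for this example; the sample log reuses two of the warning pairs quoted above.

```python
import re

# Sample input: warnings copied from the thread above, one log entry per line.
SAMPLE_LOG = """\
nginx: [warn] [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_ERROR
nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:997: /usr/local/openresty/site/lualib/resty/waf/translate.lua:864: Cannot translate ctl option requestBodyProcessor
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule REQUEST_HEADERS:Content-Type (?:application(?:/soap+|/)|text/)xml id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML

nginx: [warn] [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_ERROR
nginx: [warn] [lua] waf.lua:714: load_secrules(): SecRule REQBODY_ERROR !@eq 0 id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2
"""

# Match on the message text only; the waf.lua line numbers vary between versions.
LOAD_RE = re.compile(r"load_secrules\(\): (.*)$")
REASON_RE = re.compile(r"(no valid var|Cannot translate ctl option) (\S+)\s*$")
ID_RE = re.compile(r"\bid:'?(\d+)'?")
KINDS = {"no valid var": "var", "Cannot translate ctl option": "ctl"}


def untranslated_rules(log_text):
    """Return {rule_id: (kind, name)} for each rule the loader reported as untranslatable."""
    skipped, pending = {}, None
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if not m:
            continue  # e.g. the standalone translate.lua warn() lines
        body = m.group(1)
        if body.startswith("SecRule"):
            rule_id = ID_RE.search(body)
            if pending and rule_id:
                skipped[rule_id.group(1)] = pending
            pending = None
        else:
            reason = REASON_RE.search(body)
            pending = (KINDS[reason.group(1)], reason.group(2)) if reason else ("unknown", body)
    return skipped


if __name__ == "__main__":
    for rule_id, (kind, name) in sorted(untranslated_rules(SAMPLE_LOG).items()):
        print(f"rule {rule_id}: unsupported {kind} {name}")
```

Rules such as 200002 carry a `deny` action, so an id in this output marks a check that the source ruleset expected to enforce and that needs a replacement or an explicit decision to go without.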