ModSecurity: No action id present within the rule

#1 Fri, 12/14/2012 - 05:18
stephen.r


I'm suddenly getting this error:

Syntax error on line 59 of /etc/httpd/conf.d/mod_security.conf: ModSecurity: No action id present within the rule

I applied two updates and tried to add a sub-domain, and then this started popping up when I try clicking Apply Changes in Webmin - Servers - Apache - Apply Changes.

My new sub-domain has not taken effect and I don't want to restart apache in case it now fails to start.

That section of mod_security shows:

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

With the last line being line 59.

Any help would be greatly appreciated.

Server Info:

  OS: CentOS 6 x64
  Apache Version: 2.2.15
  Virtualmin: Latest

Fri, 12/14/2012 - 09:02
andreychek

Howdy,

Well, it sounds like something either with mod_security, or the mod_security rules, changed recently.

In a pinch, you can always comment out those lines.

However, searching on the text "REQBODY_PROCESSOR_ERROR" in my mod_security rules dir, that rule on my system looks like this:

SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"

You could always see if using that works for you. Different mod_security versions use different syntax, so it's possible that neither of the above is correct for your version :-) But it can't hurt to try that out.

-Eric

Fri, 12/14/2012 - 09:57 (Reply to #2)
stephen.r

Seems like I'm missing the ID param in my rules somehow.

Can you copy - paste the whole file? What OS are you on?

Fri, 12/14/2012 - 10:19
andreychek

Well, the ruleset I'm using on my Ubuntu system appears to be organized a different way than what you're using. So it may not work on your system to just copy that file.

However, you can see the current mod_security rules here:

https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules

The one that you're looking for is part of the file "modsecurity_crs_20_protocol_violations.conf".

-Eric

Fri, 12/14/2012 - 10:39 (Reply to #4)
stephen.r

Super, those rules work fine.

It is actually much larger than the default one I was using which I guess is a good thing.

Many thanks!
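
An added example, not part of the original thread: a small checker that finds every SecRule or SecAction with no id action, so a rules file can be audited before Apache is asked to reload it. It reports the last line of each directive, as the error in the first post did; the names SAMPLE_CONF, logical_lines and rules_missing_id are hypothetical, and the sample input is constructed from the two rules quoted above.

```python
import re
import shlex

# Constructed sample: the rule from the first post (no id), then a trimmed
# copy of the rule from the reply, which carries id:'960912'.
SAMPLE_CONF = r'''# Verify that we've correctly processed the request body.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,id:'960912',severity:'2'"
'''

QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")  # quoted action values such as msg text
ID_ACTION = re.compile(r"(?:^|,)\s*id\s*:")
CHAIN_ACTION = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")

def logical_lines(text):
    """Yield (last_line_no, directive) with backslash continuations folded."""
    buf = ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield no, (buf + line).strip()
        buf = ""

def rules_missing_id(text):
    """Return [(line_no, directive)] for SecRule/SecAction lacking an id action."""
    missing, in_chain = [], False
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        name = line.split(None, 1)[0].lower()
        if name not in ("secrule", "secaction"):
            continue
        args = shlex.split(line)
        idx = 3 if name == "secrule" else 1   # position of the action list
        actions = args[idx] if len(args) > idx else ""
        bare = QUOTED.sub("", actions)        # ignore "id:" text inside quoted values
        # Only the first rule of a chain carries the id; chained rules are skipped.
        if not in_chain and not ID_ACTION.search(bare):
            missing.append((no, line))
        in_chain = bool(CHAIN_ACTION.search(bare))
    return missing

if __name__ == "__main__":
    for no, directive in rules_missing_id(SAMPLE_CONF):
        print(f"line {no}: no id action: {directive}")
```
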