[SOLVED] raspbian, apache2, SecFilter Invalid command

MrUmunhum · 10-18-2012, 01:05 PM

Hi group,

Working with raspbian server trying to get libapache2_modsecurity working. I have /etc/apache2/mods-available/mod_security.load enabled

Code:

LoadFile libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

My /etc/modsecurity/modsecurity.conf looks like this:

Code:

root@raspberrypi:~# grep -v '#' /etc/modsecurity/modsecurity.conf | grep -v '^$'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
 SecDebugLog /opt/modsecurity/var/log/debug.log
 SecDebugLogLevel 3
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
 SecAuditLogStorageDir /opt/modsecurity/var/audit/
SecArgumentSeparator &
SecCookieFormat 0

But when I try to enter a filter

Code:

 SecFilter /etc/passwd

I get this error

Quote:

root@raspberrypi:~# apache2ctl configtest
Syntax error on line 281 of /etc/apache2/apache2.conf:
Invalid command 'SecFilter', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.

Any ideas on how to fix this? I have it working on my laptop running Fedora 13.

bathory · 10-18-2012, 04:28 PM

Hi,

Quote:

Invalid command 'SecFilter', perhaps misspelled or defined by a module not included in the server configuration

Please note that "SecFilter" is a modsecurity-1.x directive and doesn't exist on modsecurity-2.x. See here the directives available for the latter
If you want to migrate your rules from 1.x to 2.x, read this

Regards

MrUmunhum · 10-18-2012, 06:11 PM

Quote:

Originally Posted by bathory

Hi,

Please note that "SecFilter" is a modsecurity-1.x directive and doesn't exist on modsecurity-2.x. See here the directives available for the latter
If you want to migrate your rules from 1.x to 2.x, read this

Regards

Thanks, I did figure out that I need to use "SecRule" instead of "SecFilter".