Unsupported "accuracy" Action in SecRule Configuration · Issue #1104 · corazawaf/coraza · GitHub
Unsupported "accuracy" Action in SecRule Configuration #1104
Open
@tigerwill90

Description

Hi, I'm new to ModSecurity and Coraza, so please excuse me if this report is not entirely accurate.

I encountered an issue while using Coraza and testing some plugins. It appears that the accuracy action, despite being documented here, is not recognized as valid.

Steps to reproduce

Configure the following rule:

SecRule REQUEST_FILENAME "@rx \.(conf|htaccess|htpass|sql|orig|bak|db|ini|md|log|git|github|swp|DS_STORE)($|/)?" \
        "id:108,\
        phase:1,\
        t:lowercase,t:normalizePath,t:trim,\
        severity:'NOTICE',\
        accuracy:'9',\
        deny,\
        capture,\
        logdata:'Request Filename %{REQUEST_FILENAME}',\
        msg:'Wordpress hardening: denied access to sensitive files'"

The following error is returned:

invalid WAF config from file: failed to parse string: failed to compile the directive \"secrule\": invalid action \"accuracy\

When the accuracy action is removed, the rule compiles successfully.

Interestingly, when trying with the example rule below (from the documentation), it does not return the error:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
    "id:'958016',phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,\
    t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\
    ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',\
    tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',\
    tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',\
    severity:'2',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

However, it looks like the ver:'CRS/2.2.4 is missing a ' at the end, so my guess is that the action is not interpreted.

Additionally, I noticed that in the ModSecurity Reference Manual, the ver also ends without the ', so I'm not sure if it's something expected.

Expected result

The accuracy action should be supported as documented.

Actual result

The following error is encountered:

invalid WAF config from file: failed to parse string: failed to compile the directive \"secrule\": invalid action \"accuracy\
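
The quoting guess in the report can be checked offline before a rule is deployed. The following is an added example, not part of the original issue and not Coraza's own parser: a simplified splitter (assumed here: commas separate actions only outside single quotes, no escape handling) run over shortened copies of the two action lists above. With the unterminated `ver:'CRS/2.2.4` value, the splitter never sees `accuracy` as a separate action, and the odd quote count flags the rule for review.

```go
package main

import (
	"fmt"
	"strings"
)

// actionNames splits a SecRule action list on commas outside single quotes
// and returns each action's name (the text before the first ':').
// Simplified for illustration: no escape handling, not Coraza's own parser.
func actionNames(list string) []string {
	var names []string
	start, inQuote := 0, false
	emit := func(end int) {
		if tok := strings.TrimSpace(list[start:end]); tok != "" {
			name, _, _ := strings.Cut(tok, ":")
			names = append(names, name)
		}
	}
	for i := 0; i < len(list); i++ {
		switch list[i] {
		case '\'':
			inQuote = !inQuote
		case ',':
			if !inQuote {
				emit(i)
				start = i + 1
			}
		}
	}
	emit(len(list))
	return names
}

// unbalancedQuotes reports an odd number of single quotes in the list.
func unbalancedQuotes(list string) bool {
	return strings.Count(list, "'")%2 == 1
}

func main() {
	// Action lists from the two rules in the report, shortened to one line each.
	reported := "id:108,phase:1,severity:'NOTICE',accuracy:'9',deny"
	fromDocs := "id:'958016',phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none"
	for _, l := range []string{reported, fromDocs} {
		fmt.Println(unbalancedQuotes(l), actionNames(l))
	}
}
```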
