Hi devs,

after the last update today 6AM in the morning (GMT+1) I received a syntax error and httpd stopped. The rule that is causing the problem:


File: 10_asl_rules.conf
line 494 MATCHED_VARS "!@rx ://%{SERVER_NAME}/"
line 560: MATCHED_VARS "!@rx ://%{SERVER_NAME}/"
line 1203 MATCHED_VARS "!@rx ://%{SERVER_NAME}/"
line 1206 MATCHED_VARS "!@rx ://%{SERVER_NAME}/"

MATCHES_VARS gives me the syntax error:
Error creating rule: Unknown variable: MATCHED_VARS

I modified the file and removed the S, so it says MATCHED_VAR instead.

Is this a correct modification?

Thank you
Oliver

No. MATCHED_VARS, plural, is correct. MATCHED_VAR is not correct. If you are getting this error it means your version of modsecurity is out of date. You need to upgrade to the latest stable release of modsecurity, which is 2.6.3.

If you are running ASL, ASL will keep modsecurity up to date automatically. If you have disabled automatic updates, just run the command:

asl -u

Or, if you are not using ASL then will need to upgrade manually. You can do that by running the command:

yum upgrade mod_security

If you have manually setup modsecurity yourself, then you should upgrade via whatever means you used to install it. Its recommended that you upgrade modsecurity regardless, as a number of new attacks can only be protected against using newer features in modsecurity.

asl-lite will try to prevent this from happening, but its not as robust as ASL. ASL was designed to manage modsecurity, asl-lite is just a rule updater so don't rely on it to do software management like ASL will.

Thanks for the quick reply, I better get busy updating it then.

Cheers!

I had this issue too. Maybe it would be an idea to get the updater to check the modsec version on the server and include a required version in the update. If they don't match don't install the rules and email the user. Much better than waking up to a crashed apache!

Edit: - Just fully read the above posts, might have to look into ASL lite I guess.....

Not exactly true if you installed modsec via cpanel

I installed mod_sec via cpanel, but I'm using asl-lite to automatically update rules and asl-lite still updated the rules. So you might want to check that.

After rebuilding everything including Apache and Mysql and having a heart attack it's now working peachy

Guess I have to rebuild Apache more often so I get the updates

ASL actually can do that since it manages mod_security. I'm not sure we will be able to do the same thing with Rules-only or not.