Skip to main content

OWASP ModSecurity Core Rule Set V3.0 breaks after every update

artidens
When I run "/usr/local/cpanel/scripts/modsec_vendor update OWASP3" I get the following errors: The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml warn [modsec_vendor] The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml
Also, Apache fails to restart because of missing OWASP3 rules: Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 29 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf: No such file or directory
The folder /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules becomes empty. To fix this, I must go to WHM -> Security Center -> ModSecurity Vendors and click "Install" on the OWASP3 as it has become uninstalled. This happens basically every night after the WHM update so I have to manually fix it to get Apache running again. Any help?

Comments

7 comments

Date Votes
  • cPanelLauren
    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0
  • dialhost
    Hello, Did you have any solution for this problem? I had this problem today in the automatic update and apache failed. When checking the update files I noticed several files with the extension conf.BAD
    0
  • cPRex Jurassic Moderator
    @dialhost - if the files are included in the official package from the httpupdate server, they are valid and part of the update. I checked the file on my end and confirmed it just looks like an older version of the configuration.
    0
  • ivan levente
    Same exact issue here happened while running my weekly update this Monday. Site went down at the moment I hit the Provision button for modsec2-rules-owasp-crs. Apache failed to restart due to the same issue mentioned by OP above. Fixed it by clicking on install OWASP3 rules on Modsecurity Vendors page. Though I'm not sure if under these circumstances my existing OWASP rules would be updated at all? Also the update window's last words were: [2021-04-05 04:18:28 +0300] info [xml-api] Verifying : 1:ea-modsec2-rules-owasp-crs-3.3.0-4.el6.cloudlinux.x86_64 1/1 [2021-04-05 04:18:28 +0300] info [xml-api] Failed: [2021-04-05 04:18:28 +0300] info [xml-api] ea-modsec2-rules-owasp-crs.x86_64 1:3.3.0-4.el6.cloudlinux [2021-04-05 04:18:28 +0300] info [xml-api] There were non-fatal errors in the transaction [2021-04-05 04:18:28 +0300] info [xml-api] Finished Transaction [2021-04-05 04:18:28 +0300] info [xml-api] Leaving Shell
    Running WHM 94.0.4 on Cloudlinux 6.10.
    0
  • cPRex Jurassic Moderator
    @ivan levente - the original post is over a year old at this point, so it's unlikely this would be the exact same issue. Could you open a ticket with our team so we could do more investigating on that issue?
    0
  • ivan levente
    @cPRex, I have indeed opened a support ticket and the advice they gave me was to use yum install ea-modsec2-rules-owasp-crs instead of provisioning through EasyApache. Needless to say, that advice was useless because provisioning through EasyApache runs the same yum command internally, which of course failed again. For the record, and to help those with the same issue, I have finally solved this with the help of this article:
    0
  • cPRex Jurassic Moderator
    I'm glad the details in that article helped :D
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post