
"SecCollectionTimeout is not yet supported" in WAF owasp modsecurity crs with NGINX

I installed nginx with a WAF (using Docker):

    mkdir -p /usr/src \
    && cd /usr/src/ \
    && git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity \
    && cd ModSecurity \
    && git submodule init \
    && git submodule update \
    && ./build.sh \
    && ./configure \
    && make -j$(getconf _NPROCESSORS_ONLN) \
    && make install

    ... previous commands to install nginx from source...

    && cd /usr/src \
    && git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git \
    && cd /usr/src/nginx-$NGINX_VERSION \
    && ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx \
    && make modules \
    && cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules \
    && mkdir /etc/nginx/modsec \
    && wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
    && mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf \
    && sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf \
    && sed -i 's/SecRequestBodyInMemoryLimit 131072//' /etc/nginx/modsec/modsecurity.conf \
    && sed -i 's#SecAuditLog /var/log/modsec_audit.log#SecAuditLog /var/log/nginx/modsec_audit.log#' /etc/nginx/modsec/modsecurity.conf \
    && mkdir /opt \
    && cd /opt \
    && git clone -b v3.0/master --single-branch https://github.com/SpiderLabs/owasp-modsecurity-crs.git \
    && cd owasp-modsecurity-crs/ \
    && cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /opt/owasp-modsecurity-crs/crs-setup.conf

But it suddenly began to show this error:

    nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /opt/owasp-modsecurity-crs/crs-setup.conf. Line: 96. Column: 43. SecCollectionTimeout is not yet supported.

In the documentation:

    # -- [[ Collection timeout ]] --------------------------------------------------
    # Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
    # to a lower setting which is appropriate to most sites.
    # This increases performance by cleaning out stale collection (block) entries.
    # This value should be greater than or equal to:
    # tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
    # tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
    # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout

    # Please keep this directive uncommented.
    # Default: 600 (10 minutes)
    SecCollectionTimeout 600

I solved it by adding this line to the command (disabling the rule):

    && sed -i 's/SecCollectionTimeout 600/# SecCollectionTimeout 600/' /opt/owasp-modsecurity-crs/crs-setup.conf

But I do not know what consequences it has, or whether it is the correct way to apply it.

Is there an example that can guide me?

nasatome asked Mar 14 '18 19:03


2 Answers

I think that you need to reconfigure the OWASP WAF to resolve that issue. Check that link for that...

Last time, my friend resolved that issue by reconfiguring it...

Sohaib Aslam answered Sep 27 '22 19:09

I'm answering my own question:

Source: https://github.com/SpiderLabs/ModSecurity/issues/1705

It happens due to the fact that the SecCollectionTimeout directive is not currently configurable on libModSecurity (aka v3), as stated in the reference manual.

Commenting out the SecCollectionTimeout directive on crs-setup.conf solves the problem without side effects.

A change to the parser to avoid the error is underway here. You can also choose to apply this change on the code for now as well. It's already being merged to main.

The funny thing is that I asked the question 20 days ago on Stack Overflow ... and the issue was raised 22 days ago on GitHub; I looked for an issue related to "SecCollectionTimeout" and there was nothing related... at that moment.

In short, the code posted above is totally functional, in case it is useful to anyone; the only thing I did was rebuild the image so that it pulled from the https://github.com/SpiderLabs/ModSecurity repository, and that was it.

nasatome answered Sep 27 '22 19:09
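The workaround discussed above, as an added example that is not part of the original posts or of the ModSecurity project: it comments out the directive idempotently (re-running the question's `sed` against an already patched file would stack a second `# `) and lists the active block durations that the crs-setup.conf comment ties to the collection timeout. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent form of the SecCollectionTimeout workaround.

# Comment out any active SecCollectionTimeout line, whatever its value.
# Anchoring at line start skips already-commented lines and prose mentions.
disable_collection_timeout() {
    sed -i -E 's/^([[:space:]]*)(SecCollectionTimeout[[:space:]]+[0-9]+)/\1# \2/' "$1"
}

# Print how many lines still carry the directive uncommented.
active_timeout_count() {
    grep -cE '^[[:space:]]*SecCollectionTimeout[[:space:]]' "$1" || true
}

# Print the active (uncommented) block durations that, per the crs-setup.conf
# comment, the collection timeout should be greater than or equal to.
block_durations() {
    grep -vE '^[[:space:]]*#' "$1" \
        | grep -oE 'tx\.(reput_block_duration|dos_block_timeout)=[0-9]+' || true
}

# Constructed sample resembling the crs-setup.conf excerpt in the question;
# the SecAction lines are illustrative, not copied from the page.
write_sample() {
    cat > "$1" <<'EOF'
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
# Default: 600 (10 minutes)
SecCollectionTimeout 600
SecAction "id:900700,phase:1,nolog,pass,t:none,setvar:'tx.dos_block_timeout=600'"
#SecAction "id:900960,phase:1,nolog,pass,t:none,setvar:'tx.reput_block_duration=300'"
EOF
}

conf=$(mktemp)
write_sample "$conf"
disable_collection_timeout "$conf"
disable_collection_timeout "$conf"   # second run changes nothing
echo "active SecCollectionTimeout lines: $(active_timeout_count "$conf")"
echo "block durations still configured:"
block_durations "$conf"
rm -f "$conf"
```

In the Docker build, `disable_collection_timeout /opt/owasp-modsecurity-crs/crs-setup.conf` would take the place of the `sed` line from the question.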