AH00526: Syntax error on line 93 of /etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf: Error parsing actions: Unknown action: \\ Action 'configtest' failed. The Apache error log may have more information. #3142

Closed
jinji-lab opened this issue May 13, 2024 · 4 comments
Labels
2.x Related to ModSecurity version 2.x


jinji-lab commented May 13, 2024

Hello,
I'm using Kali 2023. I am conducting an experiment on configuring the OWASP rule set in ModSecurity to prevent injection attacks, but I have encountered a problem.
I downloaded libapache2-mod-security2 and renamed modsecurity.conf-recommended to modsecurity.conf.
I renamed the "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed the files below too:

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

In the apache2 configuration file /etc/apache2/apache2.conf, I added this code:

<IfModule security2_module>
    Include modsec/owasp-modsecurity-crs/crs-setup.conf
    Include modsec/owasp-modsecurity-crs/rules/*.conf
</IfModule>

The crs-setup.conf file is also edited:

# sed -ie 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf
# sed -ie 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
# sed -ie 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf
# sed -ie 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf

I also add a main.conf configuration file under /etc/apache2/modsec:

# Include the recommended configuration
include etc/modsecurity/modsecurity.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
# A  rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

However, I still received an error in the service apache2 restart command:

oot@2cca78e9f6e3:/etc/apache2/modsec/owasp-modsecurity-crs/rules# service apache2 restart
 * Restarting web server apache2                                                                [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 93 of /etc/apache2/modsec/owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf:
Error parsing actions: Unknown action: \\
Action 'configtest' failed.
The Apache error log may have more information.

and this is the line 93 code:
[screenshot]

I lack experience, please tell me what I should do?
thank you...

@jinji-lab jinji-lab added the 2.x Related to ModSecurity version 2.x label May 13, 2024
@jinji-lab
Author

Or can you provide me with a classic tutorial on how to install ModSecurity on Kali Linux and configure it using the OWASP rule set?

@airween
Member

airween commented May 13, 2024

Hi @jinji-lab,

thanks for reporting.

I have to tell you this is a very weird behavior.

First of all, please clarify what CRS version you use exactly. On the screenshot above I see the version OWASP_CRS/3.2.0, but as I see CRS 3.2 does not have ver action - see the mentioned rule.

Then I don't see why you included the same rule files twice. First when you set this line:

Include modsec/owasp-modsecurity-crs/rules/*.conf

and then when you include these:

include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf

Just a note: I think it's best to load modsecurity.conf first, and the others later.

You wrote that you modified crs-setup.conf - based on your sed commands, you turned off CRS's anomaly scoring mode, right? If that was the aim, then it's okay; I just want to let you know.

So because I don't have any idea what's going on here, could you comment out that rule (put a # at the beginning of each line of the rule), and see what happens?

> Or can you provide me with a classic tutorial on how to install ModSecurity on Kali Linux and configure it using the OWASP rule set?

It's not Kali Linux specific, but please see Coreruleset's documentation. It was made for a newer version, but I hope you can find what you want.
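
Added example, not part of the thread and not code from the CRS project: a Python check for the overlap pointed out above, where a wildcard `Include` and explicit `include` lines load the same rule file twice. The temporary directory layout, the empty placeholder rule files and the `Include modsec/main.conf` line are constructed assumptions.

```python
import glob
import os
import re
import tempfile

# Directive names are case-insensitive; relative paths resolve against ServerRoot.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)

def load_order(conf, server_root, stack=()):
    """Return [(file, included_from, line_no)] in load order; <IfModule> counts as active."""
    order = []
    with open(conf, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if not (m := INCLUDE_RE.match(line)):
                continue
            pattern = os.path.join(server_root, m.group(1))  # absolute paths pass through
            for path in sorted(glob.glob(pattern)):  # wildcard matches load alphabetically
                if os.path.isfile(path) and path not in stack:  # guard against include loops
                    order.append((path, conf, line_no))
                    order += load_order(path, server_root, stack + (conf,))
    return order

def duplicate_includes(order):
    """Map each file loaded more than once to the (config, line) sites that load it."""
    sites = {}
    for path, parent, line_no in order:
        sites.setdefault(path, []).append((os.path.basename(parent), line_no))
    return {os.path.basename(p): s for p, s in sites.items() if len(s) > 1}

def check_sample():
    """Build a constructed ServerRoot modelled on the issue and report duplicates."""
    sqli = "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
    with tempfile.TemporaryDirectory() as root:
        rules = os.path.join(root, "modsec", "owasp-modsecurity-crs", "rules")
        os.makedirs(rules)
        for name in ("REQUEST-920-PROTOCOL-ENFORCEMENT.conf", sqli):
            open(os.path.join(rules, name), "w").close()
        with open(os.path.join(root, "modsec", "main.conf"), "w") as fh:
            fh.write(f"include modsec/owasp-modsecurity-crs/rules/{sqli}\n")
        main = os.path.join(root, "apache2.conf")
        with open(main, "w") as fh:
            fh.write("<IfModule security2_module>\n"
                     "    Include modsec/owasp-modsecurity-crs/rules/*.conf\n"
                     "</IfModule>\n"
                     "Include modsec/main.conf\n")  # hypothetical: how main.conf gets loaded
        return duplicate_includes(load_order(main, root))

if __name__ == "__main__":
    print(check_sample())
```

On a real host, call `load_order("/etc/apache2/apache2.conf", "/etc/apache2")` and pass the result to `duplicate_includes`.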

@jinji-lab
Author

Hey @airween
Thank you for your patient response.
I've figured out the steps and discovered while browsing blogs that the issue might have been caused by an incompatible version of Apache.
I eventually resolved the error and completed my experiment.
I apologize for the late reply, and thank you again.

@airween
Member

airween commented May 18, 2024

Hi @jinji-lab,

thank you for letting me know this. Feel free to close this issue if you have no questions.

@airween airween closed this as completed May 23, 2024