Status of libmodsecurity / ModSecurity 3.0

Howdy guys,

Thanks for these great rules. We are in the process of getting libmodsecurity (ModSecurity v3.0) on our systems. We are using the nginx connector for libmodsecurity and so far it works decently.

We are doing some testing with the OWASP v3.0 rules and they work flawlessly with the above setup. The Comodo rules do not work out of the box (either the Apache or nginx rules). Are there any plans to get them working with v3?

Needless to say I’m willing to work together to get stuff working :stuck_out_tongue:

  • Rodehoed

Can you provide any logs or error descriptions that you encountered during the WAF setup process?

Hi TDmitry,

I have this example when including the 00_Init_Initialization.conf

Error code:


2017/01/11 15:27:59 [emerg] 14559#0: "log_not_found" directive Rules error. File: /etc/nginx/ModSecurity.d/comodo/00_Init_Initialization.conf. Line: 22. Column: 63. invalid character t in /etc/nginx/nginx.conf:36

Line 22 in config:


SecAction \
       "id:210000,phase:1,pass,setvar:'tx.max_num_args=100000',nolog,t:'none'"

Update: it seems v3 doesn't like ' (quotes) in the t parameter. So t:none does work but t:'none' does not work. I don't know if this is by design or a bug yet …

A ModSecurity developer responded to my ticket. You can read it here: [libmodsecurity] t: parameter does not accepts quotes in content · Issue #1303 · SpiderLabs/ModSecurity · GitHub

So bottom line: the single-quoted t: will not work in 3.0, period. Is it possible to remove them from the Comodo rules too? It should work without them I guess.

We will check if we are able to fix our ruleset for v3.

We are working on our rules adaptation for ModSecurity V3 and Nginx.
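
As an added example (not part of the thread, and not Comodo's or ModSecurity's own tooling): a Python script that locates single-quoted t: actions in rule text and rewrites them to the unquoted form the thread reports v3 accepts, leaving other quoted actions such as setvar and msg alone. The function names and the second sample rule are constructed for illustration; the first sample rule is the one quoted above.

```python
import re

# Matches a single-quoted transformation such as t:'none' when it starts an
# action (preceded by the opening double quote, a comma, or whitespace).
QUOTED_T = re.compile(r"""(?<=[",\s])t:'([A-Za-z0-9_]+)'""")

def find_quoted_transforms(text):
    """Return (line_number, transformation_name) for every quoted t: action."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # leave comments alone
            continue
        hits.extend((lineno, m.group(1)) for m in QUOTED_T.finditer(line))
    return hits

def unquote_transforms(text):
    """Rewrite t:'name' to t:name; setvar:'...' and msg:'...' are untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        if not line.lstrip().startswith("#"):
            line = QUOTED_T.sub(r"t:\1", line)
        out.append(line)
    return "".join(out)

# First rule is the one quoted in the thread; the second is a constructed sample.
SAMPLE = '''SecAction \\
       "id:210000,phase:1,pass,setvar:'tx.max_num_args=100000',nolog,t:'none'"
# t:'none' inside a comment is not rewritten
SecRule ARGS "@contains test" \\
       "id:1,phase:2,deny,t:'none',t:'lowercase',msg:'constructed sample'"
'''

if __name__ == "__main__":
    for lineno, name in find_quoted_transforms(SAMPLE):
        print(f"line {lineno}: t:'{name}' -> t:{name}")
    print(unquote_transforms(SAMPLE), end="")
```

Run the finder over a copy of the rule files first and review the reported lines before writing the rewritten text back, since the pattern is a textual match and not a full SecLang parser.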