Description
Hello everybody
I am using modsecurity v3.0.5 with nginx v1.20.1.
When I tried to test the nginx configuration, I had a problem with two rules. I can't understand what the problem is.
First rule is:
SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" \
"id:234790,chain,msg:'RCE in Drag and Drop File Upload Contact Form 1.3.3.2 Plugin for WordPress||%{tx.domain}|%{tx.mode}|2',phase:2,block,log,t:none,t:urlDecode,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'WPPlugin'"
SecRule ARGS:action "@streq dnd_codedropz_upload" \
"chain,t:none,t:urlDecode"
SecRule &ARGS:upload-file "@ge 1" \
"chain,t:none"
SecRule ARGS:supported_type|ARGS:filename "@contains %" \
"t:none,t:urlDecode"
and result of nginx test is:
nginx: the configuration file /nginx/conf/nginx.conf syntax is ok
nginx: configuration file /nginx/conf/nginx.conf test is successful t:none,t:urlDecode
The syntax test is OK, but what are these two words at the end of the result: t:none,t:urlDecode?
And the second rule is:
SecRule TX:drupal_xmlrpc "@eq 1" \
"id:231011,chain,msg:'Brute-Force Amplification in Drupal 6.x before 6.38 and 7.x before 7.43 (CVE-2016-3163)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQBODY_ERROR "@eq 0" \
"chain,t:none"
SecRule XML://methodName/text() "@contains system.multicall" \
"chain,t:none,t:lowercase"
SecRule &XML://member[*][name='methodName'] "@ge 10" \
"t:none"
and result of nginx test is:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /rule.conf. Line: 1216. Column: 55. Expecting a variable, got: : ='methodName'] "@ge 10" \ in nginx.conf:34
nginx: configuration file nginx.conf test failed
Thanks in advance for any suggestion.