OWASP ModSecurity Core Rule Set V3.0 breaks after every update

[artidens]

When I run "/usr/local/cpanel/scripts/modsec_vendor update OWASP3" I get the following errors:

The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml
warn [modsec_vendor] The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml

Also, Apache fails to restart because of missing OWASP3 rules:

Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf:
Syntax error on line 29 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf:
Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf: No such file or directory

The folder /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules becomes empty. To fix this, I must go to WHM -> Security Center -> ModSecurity Vendors and click "Install" on the OWASP3 as it has become uninstalled. This happens basically every night after the WHM update so I have to manually fix it to get Apache running again. Any help?

 

[cPanelLauren]

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[dialhost]

Hello,

Did you have any solution for this problem?
I had this problem today in the automatic update and apache failed.

When checking the update files I noticed several files with the extension conf.BAD

http://httpupdate.cpanel.net/modsecurity-rules/OWASP3_1501094486.zip

Even if you download this .zip file at this moment you will see these files.
Is this correct?

If there is any solution, please let me know, as I am looking into it to resolve this issue.

Thanks.

 

[cPRex]

@dialhost - if the files are included in the official package from the httpupdate server, they are valid and part of the update. I checked the file on my end and confirmed it just looks like an older version of the configuration.