mod_security: another rule with same ID
Solution 1
I ran into a similar problem while following a tutorial - http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/
My httpd.conf file already had an include for *.conf and the tutorial had me explicitly include the modsecurity.conf file. As a result, all my rules were duplicates because the conf file was included twice.
Solution 2
It's hard to say exactly where the duplication is occurring based on the information you've provided. Essentially, a rule is being included twice which is usually defined within the modsecurity.conf file. You may be including this file twice, or you have copied its content into another Apache conf file. To find the problem, you'll need to search for the duplicate rule. Here's a command that'll do that:
find /etc/httpd -name '*.conf' -exec grep -H "'200000'" {} \;
Once you discover which other file contains the rule (or perhaps it's inside modsecurity.conf twice), you'll need to think of a way to organize your rules in a way so that the rules are not included twice. These instructions provide a good basis for using the OWASP ModSecurity Core Rule Set.
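An added example, not part of either answer: two shell checks for the two causes described above, a conf file pulled in by more than one Include line (Solution 1) and a rule id defined at more than one place (Solution 2). The function names are hypothetical, and the code assumes a single level of includes, paths without spaces, and rule files named *.conf.

```shell
# Added example; function names are hypothetical, paths are supplied by the caller.
# Usage on the layout from the question:
#   double_includes /etc/httpd /etc/httpd/conf/httpd.conf
#   dup_rule_ids /etc/httpd

# Print every file that the Include/IncludeOptional lines of one config file
# pull in more than once (e.g. via conf.d/*.conf plus an explicit path).
# A grep for the rule id finds only one hit in this case, so check it separately.
double_includes() (
    root=$1 conf=$2
    awk 'tolower($1) ~ /^include(optional)?$/ { gsub(/"/, "", $2); print $2 }' "$conf" |
    while read -r pat; do
        case $pat in
            /*) ;;                     # absolute path: use as written
            *)  pat=$root/$pat ;;      # relative path: resolve against ServerRoot
        esac
        for f in $pat; do              # unquoted on purpose so the glob expands
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done | sort | uniq -d
)

# Print "ID<TAB>file:line" for each place a rule id is defined, but only for
# ids that are defined more than once under the given directory.
dup_rule_ids() (
    find "$1" -type f -name '*.conf' -exec awk '
        /^[ \t]*#/ { next }                            # ignore commented-out rules
        match($0, /(^|[^A-Za-z_])id:[^0-9]?[0-9]+/) {  # quoted or unquoted id
            id = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", id)                     # keep the digits only
            n[id]++
            loc[id] = loc[id] id "\t" FILENAME ":" FNR "\n"
        }
        END { for (id in n) if (n[id] > 1) printf "%s", loc[id] }
    ' {} +
)
```

If `double_includes` prints a file, drop one of the Include lines; if `dup_rule_ids` prints an id, keep one definition and remove or renumber the others.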
Ashish
Updated on September 18, 2022
Comments
-
Ashish almost 2 years
I have installed httpd 2.2.15 on CentOS 6.5 (minimal installation with no cPanel) with modsecurity 2.8. When I am starting httpd I am getting this error:
Starting httpd: Syntax error on line 23 of /etc/httpd/conf.d/modsecurity.conf: ModSecurity: Found another rule with the same id
The line 23 is:
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
Panther about 10 years
File a bug report against mod-security in CentOS and you can try editing that line and give the rule a unique number. You can probably continue to use mod-security without giving the rule a unique name; it may make reading the logs a bit more difficult as any violation of 200000 may not have the correct information.
-
Ashish about 10 years
I tried changing the rule number and still got that error.
-
Panther about 10 years
You have to use a unique number, try another one. Alternatively, download a new rule set from mod security or comment out the rule in question.