Failed to open file: scanners-user-agents.data

[GainfulShrimp]

I thought this was probably an issue with the rules, as my new ModSecurity v3 installation (with nginx connector) seems to work with an example test rule. This rule works fine on its own, and the expected 403 response is returned:

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

But I'm now thinking this is a ModSecurity issue, as CRS v3.0.2 (which I'm using) is a couple of months old, but I can't find any reports of the error that I'm seeing when I test my CRS-included nginx config:

pi@pi2:~ $ sudo nginx -t
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/crs/rules/REQUEST-913-SCANNER-DETECTION.conf. Line: 33. Column: 34. Failed to open file: scanners-user-agents.data. Looking at: 'scanners-user-agents.data',   in /etc/nginx/conf.d/ghost-proxy.conf:17
nginx: configuration file /etc/nginx/nginx.conf test failed

Here's my nginx version and compilation options:

nginx version: nginx/1.13.9
built by gcc 6.3.0 20170516 (Raspbian 6.3.0-18+rpi1)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-cc-opt='-O3 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --with-pcre=/usr/local/src/nginx/build/pcre-8.41 --with-zlib=/usr/local/src/nginx/build/zlib-1.2.11 --with-openssl-opt='no-weak-ssl-ciphers no-ssl3 no-shared -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong' --with-openssl=/usr/local/src/nginx/build/openssl-1.1.0g --add-module=/usr/local/src/nginx/build/ngx_devel_kit-0.3.0 --add-module=/usr/local/src/nginx/build/set-misc-nginx-module-0.31 --add-module=/home/pi/ngx_brotli --add-module=/usr/local/src/ModSecurity-nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-threads --without-http_empty_gif_module --without-http_split_clients_module --without-http_ssi_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module

[zimmerle]

Hi @GainfulShrimp,

Working on it.

[zimmerle]

This is actually a duplicate of #1674. It is already fixed in the main line.

[GainfulShrimp]

OK thanks @zimmerle . I thought my copy of ModSecurity v3 was newer than the commit that's referenced, but I might be wrong; I'll fetch a fresh ModSecurity clone from v3/master and recompile, then try again.

Do I need to also recompile nginx with ModSecurity-nginx connector, or will restarting nginx be sufficient to pick up the new ModSecurity?

[zimmerle]

only libModSecurity should be enough.

[GainfulShrimp]

Thanks again @zimmerle. It worked a treat this time! :)

Just added my first exception: telegraf, running on my monitoring server (which regularly requests the nginx status stub page, to parse into influxdb) was triggering warnings every 10 seconds in the modsec_audit.log. Now fixed.

[zimmerle]

good to hear ;)