ModSecurity: No action id present within the rule

I’m suddenly getting this error:

Syntax error on line 59 of /etc/httpd/conf.d/mod_security.conf: ModSecurity: No action id present within the rule

I applied two updates and tried to add a sub-domain and then this started popping up then I try clicking apply changes in Webmin - Servers - Apache - Apply Changes.

My new sub-domain has not taken effect and I don’t want to restart apache in case it now fails to start.

That section of mod_security show:-

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

With the last line being line 59.

Any help would be greatly appreciated.

Server Info:

  OS: CentOS 6 x64
  Apache Version: 2.2.15 
  Virtualmin: Latest


Well, it sounds like something either with mod_security, or the mod_security rules, changed recently.

In a pinch, you can always comment out those lines.

However, searching on the text “REQBODY_PROCESSOR_ERROR” in my mod_security rules dir, that rule on my system looks like this:

SecRule REQBODY_PROCESSOR_ERROR “!@eq 0” “t:none,phase:2,deny,log,auditlog,status:400,msg:‘Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}’,id:‘960912’,severity:‘2’”

You could always see if using that works for you. Different mod_security versions use different syntax, so it’s possible that neither of the above is correct for your version :slight_smile: But it can’t hurt to try that out.


Seems like I’m missing the ID param in my rules somehow.

Can you copy - paste the whole file? What OS are you on?

Well, the ruleset I’m using on my Ubuntu system appears to be organized a different way than what you’re using. So it may not work on your system to just copy that file.

However, you can see the current mod_security rules here:

The one that you’re looking for is part of the file “modsecurity_crs_20_protocol_violations.conf”.


Super, those rules work fine.

It is actually much larger than the default one I was using which I guess is a good thing.

Many thanks!