The following rule should work to catch any Content-Length headers other than 0 or 1 that are included with GET or HEAD requests -

 

SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^[01]?$"

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

 

--------------

Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)

Learn More About the Breach Webinar Series:

http://www.breach.com/webinars.asp

--------------

 


From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Tomer Okavi
Sent: Thursday, March 29, 2007 2:29 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] GET or HEAD requests with bodies

 

Hi all

using modsecurity 2.1.0
Some web clients (Mobile CE/.NET) add "Content-Length: 1" in GET requests instead of leaving it blank
will this change to ruleid 960011 do the trick and allow the request?

Original rule -->
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"


SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?^1?$"

Thanks


Tomer.