Hi. I'm not too expert in modsecurity debugging log but you should be able to find rule id which trigger unauthorized response. Here there is a rule which behaviour in similar way: http://owasp.com/index.php/ModSecurity_CRS_RuleID-960000. Try to comment the same id and check if you keep watching those warnings. If you keep with that error uncomment it again.

Kind regards

El 02/08/2013 14:04, "Schöke, Karsten" <Karsten.Schoeke@geobasis-bb.de> escribió:

i have a mod_security 2.5.12-1+squeeze2 with core rules.

Many messages are log on Server in this format:

[02/Aug/2013:10:20:20 +0200] UftrxAqFA3YAACrPHeAAAAAQ 3773 443
GET /wss/service/WMS-ALKIS/httpauth?VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG:25833&BBOX=301915.456861387,5881998.64671762,302211.339056303,5882183.43477503&WIDTH=1335&HEIGHT=834&LAYERS=adv_alkis_flurstuecke&STYLES=&EXCEPTIONS=application/vnd.ogc.se_xml&FORMAT=image/png&BGCOLOR=0xFFFFFF&TRANSPARENT=TRUE HTTP/1.1
Accept: */*
Referer: http://www.esri.com/38AABB31-1E7D-44DF-8F82-D62EA543888C
: ArcGIS Client Using WinInet
Host: server.de
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic Realm="Die Nutzung dieses Dienstes erfordert eine Authentifizierung!"
Content-Length: 954
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=utf-8

Apache-Handler: jakarta-servlet
Stopwatch: 1375431620291293 65220 (1274 64299 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.1; core ruleset/2.0.5.
Server: Apache


I don’t find any rule for this event.
How can exit this from log?


Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: