On Thu, May 15, 2014 at 9:16 AM, Ehsan Mahdavi <ehsan.mahdavi@gmail.com> wrote:
Hi all

On a specific domain, no matter how big I define variables like "arg_name_length", "arg_length", etc., I am getting tons of false positives from id 960209 (message: Argument name too long). This is while I am sure that the argument name lengths are barely up to 10.

e.g. for the request "GET /home/balancer/balancer.aspx?vv=2&cost=main HTTP/1.1" I am getting this message for the arguments vv and cost.
As you can see their lengths are 2 and 4 respectively, and if one peruses the log parts (end of this message) he/she can find that I even tried to adjust the variables by using ultra-large values.

Is this a mod-security bug or what?

Hi Ehsan,

It looks like you fat-fingered the tx.arg_name_length variable in rule 900007, which is used by rule 960209 to set the allowed length. You have:

SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length==100000,nolog,pass"

The double == should be replaced with a single =:

SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length=100000,nolog,pass"

--
 - Josh


 
Are there any remedies for this problem, or must I just use removeRuleByID?

P.S. you can find the raw event log for this transaction at the end of this message.
P.S. I am using ModSecurity 2.7.7-2 (CRS 2.2.9) on Ubuntu 14.04 x64.
--
regards
Ehsan.Mahdavi


--U3OJSn8AAAEAACv1bKMAAABA-A--
[14/May/2014:08:18:39 --0700] U3OJSn8AAAEAACv1bKMAAABA 192.168.0.102 37398 192.168.0.199 80
--U3OJSn8AAAEAACv1bKMAAABA-B--
GET /home/balancer/balancer.aspx?vv=2&cost=main HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US,en;q=0.7,fa;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: *************************
DNT: 1
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=nnif0v55mdqt4h554fc0goqv

--U3OJSn8AAAEAACv1bKMAAABA-E--

--U3OJSn8AAAEAACv1bKMAAABA-F--
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE9
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

--U3OJSn8AAAEAACv1bKMAAABA-H--
Message: Warning. Operator GT matched 0 at ARGS_NAMES:vv. [file "***************************************************"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Message: Warning. Operator GT matched 0 at ARGS_NAMES:cost. [file "*************************************************"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Apache-Handler: proxy-server
Stopwatch: 1400080714382495 5378219 (- - -)
Stopwatch2: 1400080714382495 5378219; combined=2231, p1=441, p2=1498, p3=10, p4=80, p5=116, sr=139, sw=86, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.7.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"

--U3OJSn8AAAEAACv1bKMAAABA-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,id:900002,t:none,setvar:tx.inbound_anomaly_score_level=20,nolog,pass"

SecAction "phase:1,id:900003,t:none,setvar:tx.outbound_anomaly_score_level=16,nolog,pass"

SecAction "phase:1,id:900004,t:none,setvar:tx.outbound_anomaly_score_level=setvar:tx.anomaly_score_blocking=on,nolog,pass"

SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=25500,nolog,pass"

SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length==100000,nolog,pass"

SecAction "phase:1,id:900008,t:none,setvar:tx.arg_length=100000,nolog,pass"

SecAction "phase:1,id:900009,t:none,setvar:tx.total_arg_length=640000,nolog,pass"

SecAction "phase:1,id:900010,t:none,setvar:tx.max_file_size=1048576,nolog,pass"

SecAction "phase:1,id:900011,t:none,setvar:tx.combined_file_sizes=1048576,nolog,pass"

SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST',setvar:tx.allowed_request_content_type=application/json|application/x-amf|application/x-www-form-urlencoded|application/xml|multipart/form-data|text/xml,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecAction "phase:1,id:900015,t:none,setvar:tx.dos_burst_time_slice=60,setvar:tx.dos_counter_threshold=60,setvar:tx.dos_block_timeout=180,nolog,pass"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"

SecRule "&TX:REAL_IP" "@eq 0" "phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,msg:'GET or HEAD Request with Body Content.',severity:2,id:960011,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0?$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:1,log,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_FILE_SIZE" "@eq 1" "phase:1,log,chain,t:none,block,msg:'Uploaded file size too large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "REQUEST_HEADERS:Content-Type" "@beginsWith multipart/form-data" "chain"
#SecRule "REQUEST_HEADERS:Content-Length" "@gt %{tx.max_file_size}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&TX:ARG_NAME_LENGTH" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Argument name too long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
SecRule "ARGS_NAMES" "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "&TX:ARG_LENGTH" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Argument value too long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS" "@gt %{tx.arg_length}" "t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "&TX:TOTAL_ARG_LENGTH" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Total arguments size exceeded',id:960341,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS_COMBINED_SIZE" "@gt %{tx.total_arg_length}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Total uploaded files size too large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "FILES_COMBINED_SIZE" "@gt %{tx.combined_file_sizes}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,log,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960035,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
#SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:981133,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"

SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:981133,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"

SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:981133,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"

SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:981300,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"

SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog"

SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,id:981175,t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
#SecRule "RESOURCE:OSVDB_VULNERABLE" "@eq 1" "chain"
#SecRule "TX:ANOMALY_SCORE_BLOCKING" "@streq on"

SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,chain,id:981176,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
#SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "chain"
#SecRule "TX:ANOMALY_SCORE_BLOCKING" "@streq on" "chain"
#SecRule "TX:/^\\d+\\-/" "@rx (.*)"

SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"

SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"

SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:981047,t:none,nolog,pass,setvar:ip.dos_counter=+1"


--U3OJSn8AAAEAACv1bKMAAABA-Z--
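Why the stray "=" produces "Operator GT matched 0" for a two-character argument name, replayed as an added example. This is my own Python, not code from the thread, from ModSecurity or from the CRS; the names modsec_atoi, parse_setvars, lint_setvars and evaluate_960209 are mine. It assumes two ModSecurity 2.x behaviours: setvar splits its argument at the first "=", so "tx.arg_name_length==100000" assigns the text "=100000"; and @gt converts its macro-expanded parameter with a C atoi()-style conversion that stops at the first non-digit, so "=100000" becomes 0. The second assumption is what the -H- section above shows ("matched 0"). The setvar regex is a deliberate simplification that covers the SecAction lines in the -K- section, not the full action grammar.

```python
"""Lint CRS 2.2.9 setup lines and replay rule 960209 against the posted request."""
import re
from urllib.parse import parse_qsl, urlsplit

# tx.* variables from CRS 2.2.9 rules 900001-900011 that @gt/@ge compare as integers.
NUMERIC_TX = {
    "tx.critical_anomaly_score", "tx.error_anomaly_score",
    "tx.warning_anomaly_score", "tx.notice_anomaly_score",
    "tx.inbound_anomaly_score_level", "tx.outbound_anomaly_score_level",
    "tx.max_num_args", "tx.arg_name_length", "tx.arg_length",
    "tx.total_arg_length", "tx.max_file_size", "tx.combined_file_sizes",
}

# One setvar:NAME=VALUE action; the value runs to the next comma or closing quote.
# Splitting at the first '=' (as ModSecurity does) turns "tx.x==5" into name tx.x, value "=5".
SETVAR_RE = re.compile(r"setvar:'?(tx\.[A-Za-z0-9_]+)=([^,']*)'?")


def modsec_atoi(text: str) -> int:
    """Mimic the C atoi() applied to @gt's parameter (assumption, matches the log):
    optional whitespace and sign, then digits; anything else yields 0."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0


def parse_setvars(directive: str) -> dict:
    """Return the tx.* assignments made by one SecAction line."""
    return dict(SETVAR_RE.findall(directive))


def lint_setvars(directive: str) -> list:
    """Flag numeric tx.* settings whose value would not survive atoi() intact."""
    findings = []
    for name, value in parse_setvars(directive).items():
        if name not in NUMERIC_TX or re.fullmatch(r"[+-]?\d+", value):
            continue
        why = "double '=='" if value.startswith("=") else "non-numeric value"
        findings.append(
            f"{name}: {why} {value!r}, @gt would compare against {modsec_atoi(value)}")
    return findings


def evaluate_960209(request_line: str, tx: dict) -> list:
    """Replay the 960209 chain from the -K- section:
         SecRule &TX:ARG_NAME_LENGTH @eq 1            (is a limit configured at all?)
         SecRule ARGS_NAMES @gt %{tx.arg_name_length} t:length
    Returns the 'Operator GT matched ...' messages ModSecurity would log."""
    if "tx.arg_name_length" not in tx:
        return []
    limit = modsec_atoi(tx["tx.arg_name_length"])
    query = urlsplit(request_line.split()[1]).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [f"Operator GT matched {limit} at ARGS_NAMES:{name}."
            for name in names if len(name) > limit]


# Constructed inputs: the request line and the 900007 / 900004 lines copied from the
# posted audit log, plus the corrected 900007 line from the reply.
REQUEST_LINE = "GET /home/balancer/balancer.aspx?vv=2&cost=main HTTP/1.1"
BROKEN_900007 = 'SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length==100000,nolog,pass"'
FIXED_900007 = 'SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length=100000,nolog,pass"'
AS_POSTED_900004 = ('SecAction "phase:1,id:900004,t:none,setvar:tx.outbound_anomaly_score_level='
                    'setvar:tx.anomaly_score_blocking=on,nolog,pass"')


if __name__ == "__main__":
    for label, line in (("broken", BROKEN_900007), ("fixed", FIXED_900007),
                        ("900004", AS_POSTED_900004)):
        print(label, lint_setvars(line) or "no findings")
        for msg in evaluate_960209(REQUEST_LINE, parse_setvars(line)):
            print("  Message: Warning.", msg)
```

Run stand-alone it reproduces the two Message lines from the -H- section for the line as posted and prints nothing for the corrected one: with a limit of 0, every argument name of one or more characters is "too long", regardless of how large the number after the stray "=" is. The same linter also flags rule 900004 as it appears in the -K- section, where the value assigned to tx.outbound_anomaly_score_level is the literal text "setvar:tx.anomaly_score_blocking=on" and tx.anomaly_score_blocking is therefore never set; the reply above does not mention it, and with Engine-Mode DETECTION_ONLY it has no blocking effect, but it is worth correcting in the same pass rather than removing 960209 by id.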


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users