Re: [mod-security-users] mod_security rule id: 960911 question
From: Ofer S. <OferS@Breach.com> - 2007-09-24 07:50:48
Another reason that this rule may trigger a lot is a client generating a lot of HTTP 0.9 requests that do not have the version part at all. The request would then look like:

GET /

Most notoriously, Apache internal pinger issues such a request continuously against SSL sites which we haven't compensated for yet in the core rule set.

~ Ofer

Ofer Shezaf
of...@br..., Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Brian Rectanus
> Sent: Monday, September 24, 2007 7:34 AM
> To: hanj
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security rule id: 960911 question
>
> It is a test for a proper HTTP request line. What is the request line
> that generates the error? Usually I see something like this that has
> extra spaces:
>
> GET /some/path?a=val with spaces HTTP/1.1
>
> which should have been:
>
> GET /some/path?a=val%20with%20spaces HTTP/1.1
>
> The RE broken down and without the extra escapes from the logging:
>
> ^[a-z]{3,10}                      - 3-10 character command at start
> \s*                               - whitespace
> (?:\w{3,7}?\:\/\/[\w\-\.\/]*)??   - non-greedy, optional protocol://host/
> \/[\w\-\.\/~%:@&=+$,;]*           - URI path
> (?:\?[\S]*)??                     - non-greedy, optional query string
> \s*                               - whitespace
> http\/\d\.\d$                     - HTTP version string at the end
>
> later,
> -B
>
> hanj wrote:
> > Hello
> >
> > I was wondering if someone could explain what this rule is about? I keep seeing lots of alerts for this, and I'm thinking they might be false positives.
> >
> > [Sun Sep 23 20:02:36 2007] [error] [client 69.xxx.xxx.xxx] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/[object%20Image],[object%20Image],[object%20Image],[object%20Image]left2.gif"] [unique_id "A7VhiEE9nXMAAA26MjgAAAAB"]
> >
> > I'm running the following:
> > mod_security-2.1.2
> > apache-2.2.6
> >
> > Thanks!
> > hanj
>
> --
> Brian Rectanus
> Breach Security
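
Added example, not part of the thread or of the ModSecurity project's code: the expression from the breakdown above, run against the request lines discussed in these messages to show which ones trip rule 960911 and why. The `triage` helper, the sample lines, the case-insensitive flag, and the method and version placed around the logged URI are assumptions made for illustration.

```python
import re

# Rule 960911's pattern as broken down in the thread, logging escapes removed.
REQUEST_LINE_RE = re.compile(
    r"^[a-z]{3,10}"                      # 3-10 character command at start
    r"\s*"                               # whitespace
    r"(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??"   # non-greedy, optional protocol://host/
    r"\/[\w\-\.\/~%:@&=+$,;]*"           # URI path
    r"(?:\?[\S]*)??"                     # non-greedy, optional query string
    r"\s*"                               # whitespace
    r"http\/\d\.\d$",                    # HTTP version string at the end
    re.IGNORECASE | re.ASCII,  # assumption: stands in for the rule's case handling
)
PATH_CHAR = re.compile(r"[\w\-\.\/~%:@&=+$,;]", re.ASCII)
VERSION = re.compile(r"^http/\d\.\d$", re.IGNORECASE)

def rule_fires(request_line):
    """The log says a match is 'required', so the rule fires on a non-match."""
    return REQUEST_LINE_RE.search(request_line) is None

def triage(request_line):
    """Hypothetical helper: name the likely reason a request line is rejected."""
    if not rule_fires(request_line):
        return "ok"
    parts = request_line.split()
    if not parts or not VERSION.match(parts[-1]):
        return "no HTTP version (HTTP/0.9 style)"
    if len(parts) > 3:
        return "unencoded whitespace in request target"
    if len(parts) == 3:
        path = parts[1].split("?", 1)[0]
        bad = sorted({c for c in path if not PATH_CHAR.match(c)})
        if bad:
            return "disallowed path characters: " + "".join(bad)
    return "other"

# Constructed sample request lines based on the cases named in the thread.
SAMPLES = [
    "GET /some/path?a=val%20with%20spaces HTTP/1.1",
    "GET /some/path?a=val with spaces HTTP/1.1",
    "GET /",
    "GET /[object%20Image],[object%20Image]left2.gif HTTP/1.1",
    "GET http://www.mydomain.com/index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{triage(line):45} {line}")
```
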