Re: [mod-security-users] mod_security rule id: 960911 question

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Another reason that this rule may trigger a lot is a client generating a
lot of HTTP 0.9 requests that do not have the version part at all. The
request would than look like:

GET /

Most notoriously, Apache internal pinger issues such a request
continuously against SSL sites which we haven't compensated for yet in
the core rule set.

~ Ofer=20

Ofer Shezaf
of...@br..., Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule
Set Project;

> -----Original Message-----
> From: mod...@li... [mailto:mod-
> sec...@li...] On Behalf Of Brian
> Rectanus
> Sent: Monday, September 24, 2007 7:34 AM
> To: hanj
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security rule id: 960911
question
>=20
> It is a test for a proper HTTP request line.  What is the request line
> that generates the error?  Usually I see something like this that has
> extra spaces:
>=20
> GET /some/path?a=3Dval with spaces HTTP/1.1
>=20
> which should have been:
>=20
> GET /some/path?a=3Dval%20with%20spaces HTTP/1.1
>=20
>=20
> The RE broken down and without the extra escapes from the logging:
>=20
> ^[a-z]{3,10} - 3-10 character command at start
> \s* - whitespace
> (?:\w{3,7}?\:\/\/[\w\-\.\/]*)?? - non-greedy, optional
protocol://host/
> \/[\w\-\.\/~%:@&=3D+$,;]* - URI path
> (?:\?[\S]*)?? - non-greedy, optional query string
> \s* - whitespace
> http\/\d\.\d$ - HTTP version string at the end
>=20
> later,
> -B
>=20
> hanj wrote:
> > Hello
> >
> > I was wondering if someone could explain what this rule is about? I
> keep seeing lots of alerts for this, and I'm thinking they might be
> false positives.
> >
> > [Sun Sep 23 20:02:36 2007] [error] [client 69.xxx.xxx.xxx]
> ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-
> z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-
> \\\\.\\\\/]*)??\\\\/[\\\\w\\\\-
>
\\\\.\\\\/~%:@&=3D+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d=

> $" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP
> Request Line"] [severity "CRITICAL"] [hostname "www.mydomain.com"]
[uri
>
"/[object%20Image],[object%20Image],[object%20Image],[object%20Image]le
> ft2.gif"] [unique_id "A7VhiEE9nXMAAA26MjgAAAAB"]
> >
> > I'm running the following:
> > mod_security-2.1.2
> > apache-2.2.6
> >
> > Thanks!
> > hanj
> >
> >
---------------------------------------------------------------------
> ----
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>=20
>=20
> --
> Brian Rectanus
> Breach Security
>=20
>
-----------------------------------------------------------------------
> --
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users