Thread: [mod-security-users] mod_security rule id: 960911 question
From: hanj <ma...@as...> - 2007-09-24 03:52:01
Hello

I was wondering if someone could explain what this rule is about? I keep seeing lots of alerts for this, and I'm thinking they might be false positives.

[Sun Sep 23 20:02:36 2007] [error] [client 69.xxx.xxx.xxx] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/[object%20Image],[object%20Image],[object%20Image],[object%20Image]left2.gif"] [unique_id "A7VhiEE9nXMAAA26MjgAAAAB"]

I'm running the following:
mod_security-2.1.2
apache-2.2.6

Thanks!
hanj
From: Brian R. <Bri...@br...> - 2007-09-24 05:34:33
It is a test for a proper HTTP request line. What is the request line that generates the error? Usually I see something like this that has extra spaces:

GET /some/path?a=val with spaces HTTP/1.1

which should have been:

GET /some/path?a=val%20with%20spaces HTTP/1.1

The RE broken down and without the extra escapes from the logging:

^[a-z]{3,10}                       - 3-10 character command at start
\s*                                - whitespace
(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??    - non-greedy, optional protocol://host/
\/[\w\-\.\/~%:@&=+$,;]*            - URI path
(?:\?[\S]*)??                      - non-greedy, optional query string
\s*                                - whitespace
http\/\d\.\d$                      - HTTP version string at the end

later,
-B

hanj wrote:
> [earlier message quoted in full; see above]

--
Brian Rectanus
Breach Security

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Ofer S. <OferS@Breach.com> - 2007-09-24 07:50:48
Another reason that this rule may trigger a lot is a client generating a lot of HTTP 0.9 requests that do not have the version part at all. The request would then look like:

GET /

Most notoriously, Apache internal pinger issues such a request continuously against SSL sites which we haven't compensated for yet in the core rule set.

~ Ofer

Ofer Shezaf
of...@br..., Phone: +972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Brian Rectanus
> Sent: Monday, September 24, 2007 7:34 AM
> To: hanj
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security rule id: 960911 question
>
> [earlier messages quoted in full; see above]
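Brian's breakdown of the expression and Ofer's HTTP/0.9 case can both be checked offline. The Python script below is an added example, not code from this thread or from the ModSecurity project: it compiles the rule 960911 expression as Brian transcribed it, lowercases each request line before matching (an assumption standing in for the rule's transformation, which the thread does not show), and reports why a constructed sample line would fail the rule. The helper names (`diagnose`, `is_valid_request_line`, the tag strings) are invented for this example; the sample lines are the two from Brian's reply, Ofer's `GET /`, and a line rebuilt from the `uri` field in hanj's alert.

```python
import re

# Regex of CRS rule 960911 as transcribed in the thread (log escaping removed).
RULE_960911 = re.compile(
    r"^[a-z]{3,10}\s*"                      # 3-10 character method
    r"(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??"      # optional scheme://host
    r"\/[\w\-\.\/~%:@&=+$,;]*"              # URI path
    r"(?:\?[\S]*)??"                        # optional query string
    r"\s*http\/\d\.\d$"                     # HTTP version at the end
)

# Pieces reused by the diagnosis below; these helpers are part of this
# example only, not of the rule set.
METHOD_RE = re.compile(r"[a-z]{3,10}")
VERSION_RE = re.compile(r"http/\d\.\d")
PATH_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789_-./~%:@&=+$,;")


def is_valid_request_line(line: str) -> bool:
    """True when the line satisfies rule 960911, i.e. no alert would fire.

    The line is lowercased first; this stands in for the rule's
    transformation (assumed here, the thread does not show it).
    """
    return RULE_960911.match(line.lower()) is not None


def diagnose(line: str) -> str:
    """Return a short tag naming why a request line fails the rule.

    Tags: ok, bad-method, missing-version, unencoded-whitespace,
    bad-path-chars:<chars>, other. The version check runs before the
    whitespace check so an HTTP/0.9 "GET /" is reported as such.
    """
    low = line.lower()
    if RULE_960911.match(low):
        return "ok"
    tokens = low.split()
    if not tokens or not METHOD_RE.fullmatch(tokens[0]):
        return "bad-method"
    if not VERSION_RE.fullmatch(tokens[-1]):
        return "missing-version"          # HTTP/0.9 style, e.g. "GET /"
    if len(tokens) != 3:
        return "unencoded-whitespace"     # spaces inside the URI
    path = tokens[1].split("?", 1)[0]     # the query part accepts any non-space
    bad = sorted(set(path) - PATH_CHARS)
    if bad:
        return "bad-path-chars:" + "".join(bad)
    return "other"


# Constructed sample request lines (see the lead-in for their origin).
SAMPLE_LINES = [
    "GET /some/path?a=val%20with%20spaces HTTP/1.1",
    "GET /some/path?a=val with spaces HTTP/1.1",
    "GET /",
    "GET /[object%20Image],[object%20Image],[object%20Image],[object%20Image]left2.gif HTTP/1.1",
    "GET http://www.example.com/index.html HTTP/1.1",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{diagnose(line):24} {line}")
```

Run as a script it prints one tag per sample line: the encoded query and the absolute-URI form pass, the unencoded spaces are reported as extra whitespace, `GET /` as a missing version, and hanj's URI as containing `[` and `]`, which are not in the path character class Brian lists, so that alert is a genuine match of the rule rather than a bug in it.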