Thanks.

On 3/29/07, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

One other follow-up – for anyone that is playing around with the RegEx values, you really should get one of the cool RegEx GUI tools available to help you.  Please see Ofer's latest Blog post - http://www.modsecurity.org/blog/archives/2007/03/regular_express.html .  These tools tremendously help to trouble-shoot and verify that your RegEx values will indeed match the target request data.

The other important method to use is to turn up the debug log level and submit requests with your new RegEx and see if it matches in the debug log.  This is an important step outlined in this Blog post - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html .

Thanks.


--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

 

--------------

Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)

Learn More About the Breach Webinar Series:

http://www.breach.com/webinars.asp

--------------

 


From: Ryan Barnett
Sent: Thursday, March 29, 2007 2:41 PM
To: Tomer Okavi; mod-security-users@lists.sourceforge.net
Subject: RE: [mod-security-users] GET or HEAD requests with bodies

 

The following rule should work to catch any Content-Length headers other than 0 or 1 that are included with GET or HEAD requests -

 

SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^[01]?$"

 


From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Tomer Okavi
Sent: Thursday, March 29, 2007 2:29 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] GET or HEAD requests with bodies

 

Hi all,

Using ModSecurity 2.1.0.
Some web clients (Mobile CE/.NET) add "Content-Length: 1" in GET requests instead of leaving it blank.
Will this change to rule ID 960011 do the trick and allow the request?

Original rule -->
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"


SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,pass,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?^1?$"

Thanks


Tomer.
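
Added example, not part of the original thread: a small check of the three Content-Length patterns discussed above (the original `^0?$`, the proposed `^0?^1?$`, and `^[01]?$` from the reply) against constructed header values. It assumes Python's `re` behaves like ModSecurity's PCRE for these simple patterns and models only requests where the header is present; the names `PATTERNS`, `SAMPLES`, `fires` and `flagged_values` are hypothetical.

```python
import re

# Patterns from the second (chained) SecRule in the thread, without the
# leading "!"; the negation is applied in fires() below.
PATTERNS = {
    "original": r"^0?$",      # rule 960011 as shipped
    "proposed": r"^0?^1?$",   # change proposed in the question
    "reply":    r"^[01]?$",   # rule given in the reply
}

# Constructed Content-Length values (not taken from real traffic).
SAMPLES = ["", "0", "1", "01", "10", "2", "15"]


def fires(pattern, method, content_length):
    """Return True if the chained rule would match, i.e. the request is logged.

    Rule 1: REQUEST_METHOD matches ^(GET|HEAD)$
    Rule 2: Content-Length does NOT match `pattern` (the "!" operator)
    """
    if re.search(r"^(GET|HEAD)$", method) is None:
        return False  # chain stops at the first rule
    return re.search(pattern, content_length) is None


def flagged_values(method="GET"):
    """Map each pattern name to the sample values it would flag."""
    return {
        name: [v for v in SAMPLES if fires(pat, method, v)]
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, values in flagged_values().items():
        print(f"{name:9} {PATTERNS[name]:10} flags: {values}")
```

The proposed pattern stops flagging "1" but starts flagging "0", because the second `^` can only match at the start of the string and so nothing may be consumed before it; the character class in the reply accepts an empty value, "0" and "1".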