Can you send the audit_log data for this request?  It would help to diagnose as the short error_log message doesn’t always provide enough info.  
FYI – for false positive hits on Cookie data, sometimes a workaround is to exclude REQUEST_HEADERS:Cookie from the ARG list and instead use REQUEST_COOKIES. The difference is that the latter is parsed into separate param=value pairs while the former is inspected as one long value. This most often causes false positives on OS command injection rules since the cookie separator is ";".
--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache
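
Added example (not part of the thread, and not CRS code) contrasting the two cookie targets described above and showing a per-virtual-host suppression of rule 950910, which is what the original question asks for. The rule ids 900001-900003, the hostname, and the VirtualHost block are placeholders; the pattern "%0[ad]", the phase, and the 400 status are taken from the logged alert.

```apache
# Added example, not from the thread. Rule ids 900001-900003 and the
# hostname are placeholders; ModSecurity 2.x syntax.

# (a) Whole Cookie header as one string: "a=1; b=2" is matched as a single
#     value, so the ";" between cookies is visible to the regex (which is why
#     OS command injection rules false on it) and any %0a anywhere in the
#     header trips a response-splitting pattern.
SecRule REQUEST_HEADERS:Cookie "%0[ad]" \
    "phase:2,deny,status:400,id:900001,\
    msg:'HTTP Response Splitting Attack (whole Cookie header)'"

# (b) Parsed cookies: each name=value pair is its own variable, so the ";"
#     separator never reaches the regex; only a %0a inside an individual
#     cookie value matches.
SecRule REQUEST_COOKIES "%0[ad]" \
    "phase:2,deny,status:400,id:900002,\
    msg:'HTTP Response Splitting Attack (parsed cookie value)'"

# (c) Drop the inherited global rule 950910 for one virtual host only, and
#     declare the per-cookie variant there instead. Rules defined in the main
#     server config are inherited by the vhost by default, so the original
#     rule stays active for every other host.
<VirtualHost *:80>
    # placeholder hostname for the third-party application
    ServerName portal.example.invalid
    SecRuleRemoveById 950910
    SecRule REQUEST_COOKIES "%0[ad]" \
        "phase:2,deny,status:400,id:900003,\
        msg:'HTTP Response Splitting Attack (parsed cookie value)'"
</VirtualHost>
```

Variant (b) still fires when the %0a sits inside a single cookie value, so check the audit_log first, as the reply above suggests, before deciding which exclusion is appropriate.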
From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Michael Bond
Sent: Tuesday, September 18, 2007 1:41 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] Exclusion problem
I am getting the following in my error logs for a valid login to a 3rd party application:
I've replaced the actual IP address with "SOURCE_IP" and the actual hostname with "DOMAIN_NAME"
[error] [client SOURCE_IP] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname "DOMAIN_NAME"] [uri "/logged_in?portal_status_message=Welcome%21+You+are+now+logged+in."] [unique_id "vRcFV5226CYAAG@oHHsAAAAq"]
I'm trying to come up with a SecRule that will allow this through, but only for this virtual host.
Mike.