Can you send the audit_log data for this request?  It would help to diagnose as the short error_log message doesn’t always provide enough info.  


FYI – for false positive hits on Cookie data, sometimes a workaround is to exclude REQUEST_HEADERS:Cookie from the ARG list and instead use REQUEST_COOKIES.  The difference is that the latter is parsed into separate param=value pairs while the former is inspected as one long value.  This most often will produce false positives on OS command injection rules since the cookie separator is “;”.


Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead

Author: Preventing Web Attacks with Apache



From: [] On Behalf Of Michael Bond
Sent: Tuesday, September 18, 2007 1:41 PM
Subject: [mod-security-users] Exclusion problem



I am getting the following in my error logs for a valid login to a 3rd party application:


I've replaced the actual IP address with "SOURCE_IP" and the actual hostname with "DOMAIN_NAME"


[error] [client SOURCE_IP] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname "DOMAIN_NAME"] [uri "/logged_in?portal_status_message=Welcome%21+You+are+now+logged+in."] [unique_id "vRcFV5226CYAAG@oHHsAAAAq"]


I'm trying to come up with a SecRule that will allow this through, but only for this virtual host.
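The two approaches discussed in the thread (a per-vhost exclusion, and Ryan's suggestion of inspecting REQUEST_COOKIES instead of the raw Cookie header), written out as an added example for this page. This is not configuration from either poster or from the Core Rule Set. It assumes the vhost placeholder DOMAIN_NAME and rule id 950910 from the error_log line above; the target list, transformations, severity and the local rule ids 900001/900002 are illustrative assumptions, not the exact contents of the CRS rule file.

```apache
# Added example for the exclusion question above; not from the original posts.
# Assumes: vhost name DOMAIN_NAME and rule id 950910 (both taken from the
# error_log line); ids 900001/900002, the target list and the transformations
# are illustrative assumptions, not the real CRS 950910 definition.

<VirtualHost *:80>
    ServerName DOMAIN_NAME

    # Option 1 (coarse): disable rule 950910 for this vhost only.
    # SecRuleRemoveById is allowed in <VirtualHost> context, and rules
    # inherited from the server-wide include are removed here without
    # affecting other vhosts. Downside: the whole rule is gone for every
    # request to this vhost, not just the login response.
    SecRuleRemoveById 950910

    # Option 2 (targeted): keep the rule, but drop it for the one
    # transaction that is known to false positive. The phase:1 rule runs
    # before the phase:2 CRS rule, so ctl:ruleRemoveById takes effect
    # for this request only. Both conditions must match (chain).
    SecRule REQUEST_HEADERS:Host "^DOMAIN_NAME$" \
        "phase:1,t:none,nolog,pass,chain,id:'900001'"
        SecRule REQUEST_URI "^/logged_in" "t:none,ctl:ruleRemoveById=950910"

    # Option 3 (Ryan's suggestion): re-declare the check without the raw
    # Cookie header and inspect the parsed cookies instead. The raw header
    # "a=1; b=2" is one string; REQUEST_COOKIES yields "1" and "2"
    # separately, so the ";" separators never reach a command-injection
    # or splitting signature. Use this together with SecRuleRemoveById
    # 950910 above so the original rule does not fire first.
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "%0[ad]" \
        "phase:2,t:none,t:lowercase,deny,status:400,log,id:'900002',severity:'2',msg:'HTTP Response Splitting Attack (cookie-parsed variant)'"
</VirtualHost>
```

One caveat a practitioner should check before relying on option 3: switching to REQUEST_COOKIES only helps when the false positive comes from the `;` separators between cookies. If the `%0a` in this alert sits inside a single cookie's value, it is still present after parsing and the re-declared rule will match again; the audit_log entry Ryan asked for is what shows which cookie carried it, and then option 2 (or a `!REQUEST_COOKIES:name` exclusion for that one cookie) is the right fix.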