Can you send the audit_log data for this request? It would help to diagnose as the short error_log message doesn't always provide enough info.
FYI – for false positive hits on Cookie data, sometimes a workaround is to exclude REQUEST_HEADERS:Cookie from the ARG list and instead use REQUEST_COOKIES. The difference is that the latter is parsed into separate param=value pairs while the former is inspected as one long value. This most often will false on OS command injection rules since the cookie separator is ";".
Ryan C. Barnett
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
[mailto:firstname.lastname@example.org] On Behalf Of Michael Bond
Sent: Tuesday, September 18, 2007
I am getting the following in my error logs for a valid login to a 3rd
I've replaced the actual IP address with "SOURCE_IP" and the actual hostname with "DOMAIN_NAME".
[error] [client SOURCE_IP] ModSecurity: Access denied with code 400
(phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id
"950910"] [msg "HTTP Response Splitting Attack. Matched
signature <%0a>"] [severity "ALERT"] [hostname
"DOMAIN_NAME"] [uri "/logged_in?portal_status_message=Welcome%21+You+are+now+logged+in."]
I'm trying to come up with a SecRule that will allow this through, but only for this virtual host.
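One way to do both things discussed in this thread (Ryan's suggestion to inspect the parsed REQUEST_COOKIES instead of the raw REQUEST_HEADERS:Cookie, and Michael's wish to limit the change to one virtual host) is a ModSecurity 2.x override inside the vhost. This is an added example, not code from either poster; the ServerName, the audit log path, the local rule id 900910, and the exact target and transformation list of CRS rule 950910 are assumptions, so compare the replacement rule against the copy of 950910 actually installed.

```apache
# Added example (not from the thread). Assumes the Core Rule Set is loaded in
# the main server config, so this vhost inherits rule 950910 and can override it.
<VirtualHost *:80>
    ServerName DOMAIN_NAME

    # 1. Capture what Ryan asked for: full audit_log entries for blocked
    #    requests (part C carries the request headers, so the offending
    #    Cookie value is visible instead of just the short error_log line).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^4
    SecAuditLogParts ABCFHZ
    SecAuditLog /var/log/apache2/modsec_audit_DOMAIN_NAME.log

    # 2. Drop the inherited rule in this vhost only; other vhosts keep it.
    SecRuleRemoveById 950910

    # 3. Re-add the same check with the raw Cookie header removed from the
    #    target list and the parsed cookies inspected instead, so each
    #    name=value pair is matched on its own. Targets and transformations
    #    are assumed to mirror the CRS rule of that era (id 900910 is a
    #    placeholder in the local-rule range).
    SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|ARGS_NAMES \
        "%0[ad]" \
        "phase:2,capture,t:none,t:lowercase,deny,log,auditlog,status:400,\
        id:'900910',severity:'1',\
        msg:'HTTP Response Splitting Attack (local variant of 950910). Matched signature <%{TX.0}>'"

    # If the audit log shows one specific cookie carrying the encoded newline,
    # a narrower fix is to keep the rule above and add !REQUEST_COOKIES:COOKIE_NAME
    # (placeholder name) to its target list rather than skipping all cookies.
</VirtualHost>
```

After reloading Apache, repeat the login and check the new audit log: the request should either pass, or the H part of the entry will name the exact cookie that still carries %0a.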