Never mind, sometimes you just go blind.

** Forgot to Include my CRS.conf in the right place **


Stephan Gomes Higuti

On 26 March 2014 14:10, Stephan Gomes Higuti <> wrote:
Well, I kind of noticed what's happening.
Here's the log:

[26/Mar/2014:13:38:05 --0300] UzMCbawQD8oAAAYqzQMAAAAA 56571 80
GET /index.htm?cmd=../../../bin/bash HTTP/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=241360528.1964874999.1394711819.1395837679.1395851219.42; __utmb=241360528.1.10.1395851219; __utmc=241360528; __utmz=241360528.1394711819.1.1.utmcsr=(direc
Via: 1.1 (squid/2.7.STABLE6)
Cache-Control: no-cache, max-age=0
Connection: keep-alive
X-Forwarded-For: aaa.bbb.ccc.ddd

HTTP/1.1 200 OK
Last-Modified: Wed, 19 Feb 2014 14:13:49 GMT
ETag: "d81ac-0-4f2c2ff62f80a"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
Message: Warning. Pattern match "\\W{4,}" at ARGS:cmd. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ../../../ found within ARGS:cmd: ../../../bin/bash"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
Message: Warning. Pattern match "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)| ..." at REQUEST_URI. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev "2"] [msg "Path Traversal Attack"] [data "Matched Data: /../ found within REQUEST_URI: /index.htm?cmd=../../../bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "7"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"]
Apache-Handler: proxy-server
Stopwatch: 1395851885242220 40342 (- - -)
Stopwatch2: 1395851885242220 40342; combined=4703, p1=1035, p2=3467, p3=1, p4=158, p5=42, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (
Server: Apache/2.4.6 (Linux/SUSE)
Engine-Mode: "ENABLED"


Well, from what I saw, the modes of operation will depend on what you configured in your crs.conf file.
My default action is deny.

SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"

Even with this set, I still got the warning messages when I was supposed to get the "Access Denied".


Stephan Gomes Higuti
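The include order behind the symptom in this thread, written out as an added example (this is not configuration from the thread or from the CRS project): SecDefaultAction only applies to rules that come after it in the configuration, so the CRS setup file that carries it, and that also sets the tx.allowed_methods / tx.allowed_http_versions values the policy rules compare against, has to be included before the base_rules directory. Without it every rule keeps ModSecurity's built-in default of phase:2,log,auditlog,pass, which is exactly the "Warning." lines above, and the first two warnings (plain GET and HTTP/1.0 failing the policy rules) are the same symptom, since the allowed-method and allowed-version lists are empty. The directory paths follow the audit log above; the setup file name modsecurity_crs_10_setup.conf is the CRS 2.2.x name and stands in for the poster's crs.conf, so treat it as an assumption.

```apache
# Added example, not the original poster's configuration.
# Apache 2.4 + ModSecurity 2.7 include order for OWASP CRS 2.2.x.
# Paths follow the audit log in this thread; the setup file name is
# assumed (CRS 2.2.x ships it as modsecurity_crs_10_setup.conf).

<IfModule security2_module>
    # Engine must be On. DetectionOnly logs the same warnings but never blocks.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # 1. The CRS setup file FIRST.
    #    It carries SecDefaultAction "phase:1,deny,log" / "phase:2,deny,log"
    #    and populates tx.allowed_methods and tx.allowed_http_versions.
    #    SecDefaultAction only affects rules that follow it, so if this line
    #    is missing, or sits below the base_rules include, the rules keep the
    #    built-in default (phase:2,log,auditlog,pass) and only warn.
    Include /etc/apache2/owasp-crs/modsecurity_crs_10_setup.conf

    # 2. Then the rule set itself.
    Include /etc/apache2/owasp-crs/base_rules/*.conf
</IfModule>
```

After reloading, a request like the one in the audit log should produce "Access denied with code 403" in the error log instead of a chain of "Warning." entries, and rule 960032 should stop firing for a plain GET once tx.allowed_methods is populated by the setup file.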

On 26 March 2014 11:11, Stephan Gomes Higuti <> wrote:
Hi Josh.

I did compile the newest version of ModSecurity; it is working now. However, it detects the "attacks" but is not blocking them, and I've got "SecRuleEngine On".

[Wed Mar 26 11:06:14.579020 2014] [:error] [pid 32447] [client] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v
f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)| ..." at REQUEST_URI. [file "/etc/apache2/owasp-crs/base_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev 
"2"] [msg "Path Traversal Attack"] [data "Matched Data: /../ found within REQUEST_URI: /README.html?cmd=../../../bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] 
[maturity "9"] [accuracy "7"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname ""] [uri "/README.html"] [unique_id "UzLe1qwQD8oAAH6-LbUAAAAE"]

This rule is supposed to block the access, isn't it?
Any idea?

Thank you.


Stephan Gomes Higuti

On 26 March 2014 08:22, Josh Amishav-Zlatin <> wrote:
On Wed, Mar 26, 2014 at 08:10:20AM -0300, Stephan Gomes Higuti wrote:
> But "ver" is not an action, so I am thinking that there may be some issues
> with using this version of ModSecurity with the newest version of CRS.
> Does anyone know if this should work, or is this issue really expected
> to happen?

Hi Stephan,

Take a look at:

The ver action is only supported from ModSec v2.7 and later.

Are you able to compile the latest version of ModSec? There have been
several improvements since 2.6.7.

Josh Amishav-Zlatin
CTO | Wafsec

The WAF is free, your time isn't

mod-security-users mailing list