Re: [mod-security-users] Perplexing Issue: "400 Bad Request"
From: Gaurav K. <gk...@pi...> - 2010-05-07 19:46:35
Just a thought - how about running the traffic through some sniffer like Wireshark or perhaps Fiddler/Burp etc. on the client side to see if the web server really sent out those code 400 responses. It could be possible that Apache is sending out these 400 responses too in addition to the correct (or expected) response and the web browser is not honoring the 400 responses. The above test will also give you insight into whether the header was actually missing or not.

Good luck,
Gaurav Kumar

On Fri, May 7, 2010 at 10:09 AM, Art Age Software <art...@gm...> wrote:

> I've been using mod-security successfully for a couple years now as an additional layer of protection for a web-based app. Recently, a new behavior has emerged that I do not understand. I am using core ruleset/1.6.1 and have made no changes to this configuration for several months, so I do not know why this behavior has suddenly emerged.
>
> What is happening, according to the logs, is that certain requests are being rejected with "Access denied with code 400 (Request Missing a User Agent Header)." However, these log entries are immediately preceded by successful GETs from the same IP address. I have followed up with the users behind these IP addresses and all report **no** strange behavior and **none** is seeing a "400 Bad Request" error page or any similar error page. In other words, they all report that the application is performing perfectly normally.
>
> Mod-security is definitely "On" and the Apache web logs also show that these requests are being rejected with status code 400. I have included an example (partially scrubbed) of the log entries for one such instance below. If anybody has any idea for what could possibly be going on here, I would appreciate hearing it. Thanks.
>
> ------
>
> Mod-security Log Entries:
>
> --986cbd32-A--
> [07/May/2010:16:39:53 +0000] tWCnzAoABQMAABVYW3wAAAAu xxx.xxx.xxx.xxx 50018 yyy.yyy.yyy.yyy 80
> --986cbd32-B--
> GET /this/page HTTP/1.1
> Host: my.domain.com
> Accept: */*
>
> --986cbd32-F--
> HTTP/1.1 400 Bad Request
> Set-Cookie: SESSID=vlu8kib6b2ovekkbad8mnc43c3; path=/; domain=.domain.com
> Expires: Fri, 31 Dec 1999 23:59:59 GMT
> Cache-Control: max-age=0, must-revalidate, no-cache, post-check=0, pre-check=0
> Pragma: no-cache
> Vary: User-Agent
> Content-Length: 3887
> Connection: close
> Content-Type: text/html; charset=UTF-8
>
> --986cbd32-H--
> Message: Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
> Action: Intercepted (phase 2)
> Stopwatch: 1273250392877004 127315 (347 525 -)
> Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/); core ruleset/1.6.1; core ruleset/1.6.1.
> Server: Apache
>
> --986cbd32-K--
> SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,t:none,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
> SecRule "&REQUEST_HEADERS:User-Agent" "@eq 0" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,t:none,deny,log,auditlog,msg:'Request Missing a User Agent Header',id:960009,tag:PROTOCOL_VIOLATION/MISSING_HEADER,severity:4"
> SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"
> SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"
>
> --986cbd32-Z--
>
>
> Apache Error Log Entry:
>
> [Fri May 07 16:39:52 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "my.domain.com"] [uri "/this/page"] [unique_id "tWCnzAoABQMAABVYW3wAAAAu"]
>
>
> Apache Access Log Entry:
>
> my.domain.com xxx.xxx.xxx.xxx - - [07/May/2010:16:39:52 +0000] "GET /this/page HTTP/1.1" 400 3887 "-" "-"
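A small triage script, added here as an example (it is not code from the thread or from ModSecurity), that parses the serial audit-log layout quoted above and reports, per entry, the client address, whether the request actually carried a User-Agent header (the check rule 960009 performs with `&REQUEST_HEADERS:User-Agent @eq 0`) and the rule ids recorded in section H. It lets you confirm from the audit log itself that the blocked request lacked the header, and line it up against the preceding successful request from the same client. The embedded log is constructed: the second entry id, the addresses and the UA string are placeholders.

```python
import re

# Constructed sample in the ModSecurity 2.x serial audit-log layout quoted in the
# thread; the second entry id, the addresses and the UA string are placeholders.
SAMPLE_AUDIT_LOG = """\
--986cbd32-A--
[07/May/2010:16:39:53 +0000] tWCnzAoABQMAABVYW3wAAAAu 192.0.2.10 50018 198.51.100.5 80
--986cbd32-B--
GET /this/page HTTP/1.1
Host: my.domain.com
Accept: */*
--986cbd32-H--
Message: Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960009"] [msg "Request Missing a User Agent Header"]
--986cbd32-Z--
--1a2b3c4d-A--
[07/May/2010:16:39:51 +0000] aaaabbbbccccdddd 192.0.2.10 50017 198.51.100.5 80
--1a2b3c4d-B--
GET /this/page HTTP/1.1
Host: my.domain.com
User-Agent: Mozilla/5.0 (constructed)
--1a2b3c4d-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def parse_audit_log(text):
    """Map entry id -> {section letter: body} for a serial-format audit log."""
    parts = SECTION_RE.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    entries = {}
    for i in range(1, len(parts), 3):
        entries.setdefault(parts[i], {})[parts[i + 1]] = parts[i + 2].strip("\n")
    return entries

def request_headers(section_b):
    headers = {}  # lower-cased header name -> value; section B is request line, then headers
    for line in section_b.split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def triage(entries):
    """Per entry: client IP, whether a User-Agent was sent, and rule ids from section H."""
    report = {}
    for eid, secs in entries.items():
        client_ip = secs["A"].split("]", 1)[1].split()[1]  # "[ts] unique_id ip port ..."
        has_ua = "user-agent" in request_headers(secs.get("B", ""))
        rules = re.findall(r'\[id "(\d+)"\]', secs.get("H", ""))
        report[eid] = {"client": client_ip, "user_agent": has_ua, "rules": rules}
    return report
```

Run it over a real audit log by passing the file contents to `parse_audit_log`; entries whose `user_agent` is False and whose `rules` contain 960009 are the ones the thread describes, and sorting the report by the timestamp in section A shows which request from the same client came just before.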