Re: [mod-security-users] Whitespace in HTTP protocol field triggering rule?
From: Josh Amishav-Z. <ja...@gm...> - 2011-02-25 06:20:23
On Fri, Feb 25, 2011 at 3:10 AM, Ray Van Dolson <rva...@es...> wrote:
> Yes, OWA :) I should be able to upgrade ModSec and the CRS, but would
> be interested in a short-term fix short of disabling this rule if
> possible...

Short term solution of disabling the rule would be adding the following
rule after the initial rule was created:

SecRuleUpdateActionById 960034

-- 
- Josh

> --67ab7c13-A--
> [24/Feb/2011:17:07:44 --0800] TWcA4MZmIzMAADIaAu8AAAJ7 xx.xxx.xx.xx 35033 xxx.xxx.xx.xx 443
> --67ab7c13-B--
> PROPFIND /exchange/tom brown HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
> Connection: Keep-Alive
> Depth: 0
> Content-Type: text/xml
> Brief: t
> Cache-Control: no-cache
> Host: host.domain.com
> Content-Length: 160
>
> --67ab7c13-C--
> <?xml version="1.0"?>
> <D:propfind xmlns:D="DAV:" xmlns:hm="urn:schemas:httpmail:">
> <D:prop>
> <hm:inbox/>
> <hm:deleteditems/>
> </D:prop>
> </D:propfind>
>
> --67ab7c13-F--
> HTTP/1.0 505 HTTP Version Not Supported
> Content-Length: 610
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --67ab7c13-H--
> Message: Access denied with code 505 (phase 2). Match of "rx ^HTTP/(0\\.9|1\\.[01])$" against "REQUEST_PROTOCOL" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "86"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"]
> Action: Intercepted (phase 2)
> Apache-Handler: proxy-server
> Stopwatch: 1298596064529518 1848 (295* 770 -)
> Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1.
> Server: Apache
>
> --67ab7c13-K--
> SecRule "REQUEST_PROTOCOL" "!@rx ^HTTP/(0\\.9|1\\.[01])$" "phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy',severity:2,id:960034,tag:POLICY/PROTOCOL_NOT_ALLOWED,ctl:debugLogLevel=9"
>
> --67ab7c13-Z--
>
> On Thu, Feb 24, 2011 at 05:05:41PM -0800, Ryan Barnett wrote:
>> Can you show an audit log of the transaction? This is OWA, correct?
>>
>> Can you upgrade modsec and the CRS?
>>
>> -Ryan
>>
>> On Feb 24, 2011, at 8:01 PM, "Ray Van Dolson" <rva...@es...> wrote:
>>
>> > Request:
>> > PROPFIND /exchange/tom brown HTTP/1.1
>> >
>> > Triggering:
>> > Message: Access denied with code 505 (phase 2). Match of "rx ^HTTP/(0\\.9|1\\.[01])$" against "REQUEST_PROTOCOL" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "83"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"]
>> >
>> > Obviously the request is HTTP/1.1, but I am guessing the fact that
>> > there is white space (instead of %20) between tom and brown is causing
>> > "brown" to bleed into the HTTP protocol space...
>> >
>> > This is ModSecurity 2.5.9 with core ruleset 1.6.1.
>> >
>> > Is REQUEST_PROTOCOL populated by some ModSecurity logic or Apache? Any
>> > suggestions on how to handle?
>> >
>> > Thanks,
>> > Ray
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
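The following script is an added illustration of the behaviour Ray guesses at above; it is not code from the thread, from ModSecurity or from the Core Rule Set. It models the request line as a whitespace-tokenised triple (method, URI, everything after the second token), which is an assumption about how the unencoded space ends up in the protocol field, and then applies the exact regex quoted in the rule 960034 audit log to the resulting protocol value. The sample request lines are constructed for the demonstration (the first two are taken from the thread, the rest are added).

```python
import re

# Regex from CRS rule 960034 as it appears in the audit log's -K section.
# The rule is negated (!@rx), so it fires whenever this does NOT match.
PROTOCOL_RE = re.compile(r"^HTTP/(0\.9|1\.[01])$")


def split_request_line(line):
    """Split a request line into (method, uri, protocol).

    Assumption for this example: a whitespace-tokenising parser takes the
    first token as the method, the second as the URI, and hands everything
    after the second token to the protocol field.  With a raw space inside
    the path, the tail of the path therefore lands in the protocol.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 3:
        raise ValueError("malformed request line: %r" % line)
    method, uri, protocol = parts
    return method, uri, protocol


def rule_960034_fires(protocol):
    """True when the negated rule would deny the request."""
    return PROTOCOL_RE.match(protocol) is None


def evaluate(line):
    """Return what the policy rule sees for a request line and whether it blocks it."""
    method, uri, protocol = split_request_line(line)
    return {
        "method": method,
        "uri": uri,
        "protocol": protocol,
        "blocked": rule_960034_fires(protocol),
    }


# Constructed sample request lines for the demonstration.
SAMPLE_REQUEST_LINES = [
    "PROPFIND /exchange/tom brown HTTP/1.1",    # raw space, as in the thread
    "PROPFIND /exchange/tom%20brown HTTP/1.1",  # the same path percent-encoded
    "GET / HTTP/1.0",                           # allowed version
    "GET / HTTP/2.0",                           # constructed: version outside the policy
]


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        r = evaluate(line)
        verdict = "DENIED (960034)" if r["blocked"] else "allowed"
        print("%-45s protocol=%-18r -> %s" % (line, r["protocol"], verdict))
```

Running it shows the unencoded request yields a protocol value of `brown HTTP/1.1`, which the anchored regex rejects, while the percent-encoded form yields `HTTP/1.1` and passes. That is why the fix on the client or proxy side is to encode the space rather than to loosen the protocol policy; the `SecRuleUpdateActionById` workaround above only changes what the rule does when it fires, not what it sees.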