Re: [mod-security-users] REQBODY_ERROR
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] REQBODY_ERROR
|
From: Chaim S. <CSa...@tr...> - 2015-11-24 03:22:18
|
Christian is, as usual, correct. Some more information as I provided on
github as well. These errors occur because of an error during the request
body processors stage. In general they indicate an instance where the data
could not be properly parsed by the ModSecurity in this cae it seems that
only a partial request was received. As a result of this ModSecurity is
unable to apply the rules against the request as expected. A result of
this is that your security is not assuredŠ in general you can choose to
ignore this or force any request such as this to fail.
On 11/23/15, 10:06 AM, "Christian Folini"
<chr...@ti...> wrote:
>Yogesh,
>
>As Harald pointed out, it is likely a client went away before the
>full request was delivered.
>
>The rule 200001 is rarely triggered. Unless you have a lot of
>these alerts, I think it is safe to ignore it. If you do have more
>of these, you need to investigate further. Possibly by raising
>the LogLevel in the error-log and examining the connection.
>
>Regs,
>
>Christian
>
>On Mon, Nov 23, 2015 at 07:49:46PM +0530, Yogesh Patel wrote:
>> In modsecurity we have a rule below:
>>
>> "SecRule REQBODY_ERROR "!@eq 0" \
>> "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse
>> request body.',logdata:'%{reqbody_error_msg}',severity:2"
>>
>>
>> in mod security log following error message is detected:
>>
>> "Message: Access denied with code 400 (phase 2). Match of "eq 0"
>> against "REQBODY_ERROR" required. [file
>> "D:/tools/Apache2.4.x/conf/extra/highq/modsec/modsecurity.conf"] [line
>> "132"] [id "200001"] [msg "Failed to parse request body."] [data
>> "Error reading request body: Client went away."] [severity "CRITICAL"]
>> Action: Intercepted (phase 2)"
>>
>>
>> What could be the possible reason for this error?
>>
>>
>> --
>> *Thanks & Regards,*
>>
>> * Yogesh Patel*
>
>>
>>-------------------------------------------------------------------------
>>-----
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for
>>multiple OSs.
>>
>>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBb
>>DeUAaaoQg&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fcl
>>k%3fid%3d254741551%26iu%3d%2f4140
>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>>
>>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBb
>>GCRB_P4Ew&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinf
>>o%2fmod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>
>>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBb
>>DLDU6qsFw&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommerc
>>ial%2frules%2f
>>
>>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBb
>>DPHAab4Qg&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommerc
>>ial%2fsupport%2f
>
>
>--------------------------------------------------------------------------
>----
>Go from Idea to Many App Stores Faster with Intel(R) XDK
>Give your users amazing mobile app experiences with Intel(R) XDK.
>Use one codebase in this all-in-one HTML5 development environment.
>Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>OSs.
>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBbD
>eUAaaoQg&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fclk%
>3fid%3d254741551%26iu%3d%2f4140
>_______________________________________________
>mod-security-users mailing list
>mod...@li...
>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBbG
>CRB_P4Ew&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%
>2fmod-security-users
>Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBbD
>LDU6qsFw&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercia
>l%2frules%2f
>http://scanmail.trustwave.com/?c=4062&d=r6zT1g1OI5BzQ2qAyiLbHnVkqhibUOHBbD
>PHAab4Qg&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercia
>l%2fsupport%2f
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
|
