Thanks Ervin,
I didn't note the size of Content-Length, for sure this is not a normal
request :P
Cheers.
El 22-04-19 a las 17:10, Ervin Hegedüs escribió:
> Hi Christian,
>
> On Mon, Apr 22, 2019 at 04:22:27PM -0300, Christian Varas wrote:
>> Hello, i'm having a small issue with modsecurity and nginx
>>
>> I'm getting the following blocking with the rule "GET or HEAD Request
>> with Body Content."
>>
>> The thing is that this rule is catching a wrong method.
>>
>> I'm sending this POST with a normal body content
> I think this isn't a "normal" request :)
>
>> *POST* /informacion-general-de-bomberos HTTP/1.1
>> Host: www.bomberos.cl
>> Content-Length: 33480
> ^^^^^^^^^^^^^^^^^^^^^^^
>
>> Cache-Control: max-age=0
> ...
>
>> Connection: close
> the body starts here:
>
>> ------WebKitFormBoundary85SDZfedhQBpvDB6
>> Content-Disposition: form-data; name="q"
>>
>> #
>> ------WebKitFormBoundary85SDZfedhQBpvDB6
>> Content-Disposition: form-data; name="option"
>>
>> com_contenido
>> ------WebKitFormBoundary85SDZfedhQBpvDB6
>> Content-Disposition: form-data; name="Itemid"
>>
>> 647
>> ------WebKitFormBoundary85SDZfedhQBpvDB6
>> Content-Disposition: form-data; name="task"
>>
>> buscarContenido
>> ------WebKitFormBoundary85SDZfedhQBpvDB6--
> the length of the body is 424 char (plus the CR characters at the
> end of the lines, they are 17 - so 424+17 = 441).
>
>> "headers":{"Accept":"text/html...", ... ,"Content-Length":"441"
>> "components":["OWASP_CRS/3.1.0\""**]*},"messages":[{"message":"GET or HEAD Request with Body Content.","details":{"match":"Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `441')",
> I think the Nginx waits a 33480 length body, but only got 441 - I
> assume that this is a unique Nginx behavior....
>
> I've tried your request, only replaced the Content-Length to 424,
> and everything worked well.
>
> Hope this helps.
>
>
> a.
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
Chris
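A small check for the mismatch Ervin points out, added here as an example and not part of the original thread: it rebuilds the quoted request (body taken from the message above, CRLF line endings assumed, headers limited to those quoted) and compares the declared Content-Length with the bytes actually present.

```python
import re

# Multipart body exactly as quoted in the thread, one entry per line.
# CRLF terminators are added below, since that is what goes on the wire.
BODY_LINES = [
    "------WebKitFormBoundary85SDZfedhQBpvDB6",
    'Content-Disposition: form-data; name="q"',
    "",
    "#",
    "------WebKitFormBoundary85SDZfedhQBpvDB6",
    'Content-Disposition: form-data; name="option"',
    "",
    "com_contenido",
    "------WebKitFormBoundary85SDZfedhQBpvDB6",
    'Content-Disposition: form-data; name="Itemid"',
    "",
    "647",
    "------WebKitFormBoundary85SDZfedhQBpvDB6",
    'Content-Disposition: form-data; name="task"',
    "",
    "buscarContenido",
    "------WebKitFormBoundary85SDZfedhQBpvDB6--",
]
BODY = ("\r\n".join(BODY_LINES) + "\r\n").encode()


def body_breakdown() -> tuple[int, int, int]:
    """(bytes without line endings, number of CRLF pairs, total): the sum done by hand above."""
    chars = sum(len(line) for line in BODY_LINES)
    return chars, len(BODY_LINES), len(BODY)


def build_request(content_length: int) -> bytes:
    """Constructed request: the quoted POST with only the headers shown in the thread."""
    head = (
        "POST /informacion-general-de-bomberos HTTP/1.1\r\n"
        "Host: www.bomberos.cl\r\n"
        f"Content-Length: {content_length}\r\n"
        "Cache-Control: max-age=0\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + BODY


def check_content_length(raw: bytes) -> dict:
    """Compare the declared Content-Length with the body bytes actually received."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    m = re.search(rb"^Content-Length:[ \t]*(\d+)[ \t]*\r?$", head, re.I | re.M)
    declared = int(m.group(1)) if m else None
    return {"declared": declared, "actual": len(body),
            "mismatch": declared is not None and declared != len(body)}
```

Run against the request as captured (Content-Length 33480) the check flags a mismatch; with 441, the length the body really has, it passes.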