Re: [mod-security-users] Request Missing an Accept Header
From: Ryan B. <Rya...@Br...> - 2006-11-07 21:17:00
Where did you place this rule? This must be specified prior to the two rules that triggered - 60008 and 60015. Additionally, looking at the audit_log info, the rule that you added is running in phase 2 and the other rules that triggered are running in phase 1 (request headers). Update your rule like this -

SecRule REMOTE_ADDR "127\.0\.0\.1" "allow, nolog, phase:1"

Ryan C. Barnett
Director of Application Security Training
Breach Security, Inc.
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
Rya...@Br... <mailto:Rya...@Br...>
www.Breach.com

________________________________

From: mod...@li... [mailto:mod...@li...] On Behalf Of Amr Hamdy
Sent: Tuesday, November 07, 2006 4:04 PM
Cc: mod...@li...
Subject: Re: [mod-security-users] Request Missing an Accept Header

Cannot anyone help with this? :)

On 11/7/06, Amr Hamdy <amr...@gm...> wrote:

Hello, :)
However I've added the rule exactly as you typed it, sir Ofer,

SecRule REMOTE_ADDR "127\.0\.0\.1" "allow, nolog"

and however it says "nolog" it logs at errorlog of apache and at audit log of mod security that it allowed it ..

[07/Nov/2006:16:59:00 +0200] cUe9uc3qYHUAAGUK2gAAAAAP 127.0.0.1 49568 127.0.0.1 80
--061d5e73-B--
GET / HTTP/1.0
User-Agent: Shamsawy-Web-Server/1.2 (internal dummy connection)

--061d5e73-F--
HTTP/1.1 200 OK
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "54828a-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
Content-Language: ar

--061d5e73-H--
Message: Warning. Operator EQ match: 0. [id "60008"] [msg "Request Missing a Host Header"] [severity "CRITICAL"]
Message: Warning. Operator EQ match: 0. [id "60015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
Message: Access allowed (phase 2). Pattern match "127\\.0\\.0\\.1" at REMOTE_ADDR.
Action: Intercepted (phase 2)
Stopwatch: 1162911540559289 5160 (2856 3022 -)
Producer: ModSecurity v2.0.3 (Apache 2.x )
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a PHP/5.2.0

--061d5e73-Z--

--
Amr Hamdy
An Egyptian Muslim Linux Engineer Studying Medicine ;)

--
Amr Hamdy
An Egyptian Muslim Linux Engineer Studying Medicine ;)
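
The ordering point made in the reply above, as an added example that is not part of the original thread and is not ModSecurity's own code: a simplified Python model of rule scheduling, where rules run phase by phase and, within a phase, in configuration order. Assumptions: the `Rule` class, the `local-allow` label, the stand-in match conditions for 60008 and 60015, and `allow` ending rule processing for the transaction are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    rule_id: str
    matches: Callable[[dict], bool]
    phase: int = 2         # no phase action: the rule runs in phase 2, as in the audit log
    action: str = "pass"   # "pass" = warn and continue, "allow" = stop rule processing
    log: bool = True

def run(rules, tx):
    """Return logged (phase, id) hits; phase order takes priority over config order."""
    hits = []
    for phase in (1, 2):
        for r in rules:
            if r.phase != phase or not r.matches(tx):
                continue
            if r.log:
                hits.append((phase, r.rule_id))
            if r.action == "allow":
                return hits  # assumption: allow ends processing for this transaction
    return hits

# Constructed transaction mirroring the audit log entry: no Host or Accept header.
TX = {"remote_addr": "127.0.0.1",
      "headers": {"User-Agent": "internal dummy connection"}}

def missing(name):
    return lambda tx: name not in tx["headers"]

def local(tx):
    return re.search(r"127\.0\.0\.1", tx["remote_addr"]) is not None

# Stand-ins for the two phase 1 rules named in the thread (hypothetical conditions).
CORE = [Rule("60008", missing("Host"), phase=1),
        Rule("60015", missing("Accept"), phase=1)]

def allow_rule(phase):
    return Rule("local-allow", local, phase=phase, action="allow", log=False)

def scenarios():
    return {
        "allow in phase 2, first in config": run([allow_rule(2)] + CORE, TX),
        "allow in phase 1, after core rules": run(CORE + [allow_rule(1)], TX),
        "allow in phase 1, before core rules": run([allow_rule(1)] + CORE, TX),
    }

if __name__ == "__main__":
    for name, hits in scenarios().items():
        print(f"{name}: {hits}")
```

Only the third scenario suppresses both warnings, which is why the reply asks for both the phase:1 action and placement ahead of rules 60008 and 60015.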