Re: [mod-security-users] (no subject)
From: Avi A. <av...@br...> - 2007-10-23 07:59:26
Mike,

Can you provide the audit log entry for these requests that modsecurity blocks?

Thanks,
Avi

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ryan Barnett
Sent: Monday, October 22, 2007 9:16 PM
To: mi...@th...; mod...@li...
Subject: Re: [mod-security-users] (no subject)

Mike,

That specific ModSecurity Core Rule is enforcing HTTP RFC compliance to the request line, so this means that Subversion is sending some requests that are triggering this alert. Can you send a sanitized audit_log entry of this request?

Also, you might want to have a look at this Blog post for handling false positives - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

As for your example rules, one issue to be aware of is that the "allow" action only applies to the current request phase. Since you did not specify a phase on the action lines of these rules, that means that these rules would inherit whatever phase is set in the preceding SecDefaultAction directive. So, if this is set to phase:1, then your custom rules will only "allow" these requests through the remainder of phase:1. This means that all of the phase:2 rules would then inspect them and possibly take action. If you want to truly allow an inbound request through, then you will need to add both the allow action, as well as, the "ctl:ruleEngine=Off" action.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-
> sec...@li...] On Behalf Of
> mi...@th...
> Sent: Monday, October 22, 2007 2:51 PM
> To: mod...@li...
> Subject: [mod-security-users] (no subject)
>
> I'm having trouble getting mod_security to work with Subversion through
> WebDAV. Subversion works perfectly with mod_security disabled, but with
> it, I'm getting a "400: bad request" error from the client. After checking
> the logs, I see that mod_security is blocking everything but the most
> common request types. Here is one of the errors from the modsec_audit log:
>
> Message: Access denied with code 400 (phase 2). Match of "rx
> ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w
> \\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against
> "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request
> Line"] [severity "CRITICAL"]
>
> I'm quite new to the mod_security software. Is there anyone who has set up
> their mod_security to work with subversion and might be willing to help me
> out with what SecRules to include? I've tried adding several SecRules, but
> I'm not even sure if I'm putting them in the right place. Here are the
> ones that I've tried:
>
> SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
> SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
> SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
> SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
>
> I've spent many hours searching google for a solution, so any help at all
> would be very greatly appreciated.
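
The phase and "allow" behaviour described in the reply above, written out as configuration. This is an added example, not rules posted by anyone in the thread; it assumes ModSecurity 2.x syntax, and the /svn/ path prefix is a hypothetical location for the repository.

```apache
# Added example. Place these lines before the Include of the Core Rules so
# they are evaluated first within phase 1.

# As posted in the thread: no phase is given, so the rule inherits the phase of
# the preceding SecDefaultAction, and "allow" ends processing for that phase
# only. With a phase:1 default, the phase:2 Core Rules (such as id 960911,
# which the audit log shows firing in phase 2) still inspect the request.
#   SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow

# Option A: the correction described in the reply. The phase is explicit, and
# ctl:ruleEngine=Off stops the remaining phases from inspecting the request.
# Note the scope: this switches inspection off for these methods on every URL
# of the server, including PUT, DELETE and OPTIONS outside the repository.
SecRule REQUEST_METHOD \
    "^(?:PROPFIND|PROPPATCH|REPORT|OPTIONS|MKACTIVITY|CHECKOUT|PUT|DELETE|MERGE)$" \
    "phase:1,allow,nolog,ctl:ruleEngine=Off"

# Option B: the same bypass limited to the repository path (use instead of A).
# /svn/ is an assumed prefix; replace it with the real repository location.
# In a chain the disruptive action (allow) sits on the first rule and takes
# effect only if every rule in the chain matches. Non-disruptive actions run
# when their own rule matches, so ctl:ruleEngine=Off goes on the last rule to
# keep it from firing on a path match alone.
SecRule REQUEST_URI "^/svn/" "phase:1,chain,allow,nolog"
SecRule REQUEST_METHOD \
    "^(?:PROPFIND|PROPPATCH|REPORT|OPTIONS|MKACTIVITY|CHECKOUT|PUT|DELETE|MERGE)$" \
    "ctl:ruleEngine=Off"
```

Requests that take either bypass are no longer inspected by any rule, so the narrower Option B leaves the rest of the site covered by the Core Rules.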