Thread: Re: [mod-security-users] Pattern match "!^$" atHEADER("Content-Length")
From: Ofer S. <of...@sh...> - 2006-10-19 20:31:06
Ryan is correct, as always. I would like to add some notes:

- In the new core rule set we try to be accurate in such special cases. It is however available only for ModSecurity 2.0 - probably a good time to upgrade.

- In order to optimize regular expression performance I recommend using ^(?:GET|HEAD)$. The (?:xxx) construct tells the regular expression library that the parentheses are only used to list options and not to remember the value, a feature seldom used by ModSecurity. Likewise, probably ^0?$ would be more optimized for the 2nd regular expression. This optimization can at times save 50% of the regular expression validation time, especially if the expression matches a lot, such as GET and HEAD methods.

~ Ofer

________________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ryan Barnett
Sent: Thursday, October 19, 2006 1:05 PM
To: R. de Vries
Cc: mod...@li...
Subject: Re: [mod-security-users] Pattern match "!^$" atHEADER("Content-Length")

The rule is checking to make sure that the content-length header data is "blank", and in your request log below the BlackBerry client is placing a zero digit instead of leaving this blank. Update your rule to this -

    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!(^$|^0$)"

Let me know if it works/doesn't work.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 10/19/06, R. de Vries <gre...@gm...> wrote:

Hi there,

Recently I have started to notice several of the following warning messages in the audit log:

    mod_security-message: Access denied with code 500. Pattern match "!^$" at HEADER("Content-Length") [severity "EMERGENCY"]

And I believe this to be the result of the following rule:

    # Do not accept GET or HEAD requests with bodies
    #
    # HTTP standard allows GET requests to have a body but this
    # feature is not used in real-life. Attackers could try to force
    # a request body on an unsuspecting web application.
    #
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"

The request, according to the audit log, looked as follows:

    ==000077a5==============================
    Request: xxxxx.xxxxx.xxxxx xxx.xxx.xx.xxx - - [18/Oct/2006:16:54:06 --0500] "GET /xxxx.jsp HTTP/1.1" 500 226 "-" "BlackBerry7250/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1" <some random characters here> "-"
    ----------------------------------------
    GET /xxxxxxx.jsp HTTP/1.1
    Proxy-Connection: Keep-Alive
    profile: http://www.blackberry.net/go/mobile/profiles/uaprof/7250/4.0.0.rdf
    accept: application/vnd.rim.html, text/html, text/plain, application/xhtml+xml, application/vnd.wap.xhtml+xml, application/vnd.wap.wml+xml, application/vnd.wap.wmlc, application/vnd.wap.wmlscriptc, image/gif, image/jpg, image/vnd.wap.wbmp, image/png, image/vnd.rim.png, image/jpeg, image/pjpeg, application/vnd.oma.drm.message, application/x-vnd.rim.pme, application/x-vnd.rim.pme.b, image/pme, audio/midi, audio/x-midi, audio/mid, application/x-javascript, application/vnd.rim.jscriptc;v=0-8-8, text/css;media=handheld, application/vnd.wap.multipart.mixed, application/vnd.wap.multipart.alternative, application/vnd.wap.multipart.related, multipart/mixed, multipart/alternative, multipart/related, text/vnd.sun.j2me.app-descriptor, application/java-archive, application/vnd.rim.proxyconfig, application/vnd.wap.coc, application/vnd.wap.slc, application/vnd.wap.sic, text/vnd.wap.co, text/vnd.wap.sl, text/vnd.wap.si, application/x-x509-ca-cert, application/x-x509-email-cert, application/x-x509-server-cert, application/x-x509-user-cert, application/vnd.wap.signed-certificate, application/vnd.wap.cert-response, application/vnd.wap.wtls-ca-certificate, text/vnd.wap.wml, text/vnd.wap.wmlscript, image/x-portable-graymap, image/x-portable-pixmap, image/x-portable-anymap, image/x-png, image/jpeg2000, image/tiff, image/x-portable-bitmap, image/bmp, image/gif;anim=1, text/vnd.wap.wml;q=0.5
    content-length: 0
    accept-charset: ISO-8859-1,US-ASCII,UTF-8,UTF-16BE,Windows-1252
    accept-language: en
    user-agent: BlackBerry7250/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
    Cookie: $Version=1
    Via: MDS_1.1.7.3
    host: xxxxx.xxxx.com
    mod_security-action: 500
    mod_security-message: Access denied with code 500. Pattern match "!^$" at HEADER("Content-Length") [severity "EMERGENCY"]

Does anyone know why mod_security thought there was a body in this request? Additionally, how important do you guys think it is to keep this rule?

Any feedback would be greatly appreciated.

Thank you,

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
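The three rule variants in this thread (the original "!^$", Ryan's "!(^$|^0$)" and Ofer's "!^0?$" with a non-capturing method group) can be checked against sample requests before touching a production ModSecurity config. The script below is an added example, not code from the thread or from ModSecurity itself: it uses Python's re module to stand in for ModSecurity's PCRE matcher (an assumption that holds for these simple anchored patterns), models the chained SecFilterSelective semantics, and assumes that an absent Content-Length header is seen by the rule as an empty string (otherwise the original rule would have blocked every plain GET). The sample requests are constructed, modelled on the BlackBerry request above.

```python
import re

# Constructed sample requests (not the thread's log): method plus the raw
# Content-Length header value, with None meaning the header is absent.
SAMPLE_REQUESTS = [
    ("GET", None),    # ordinary GET, no Content-Length header
    ("GET", "0"),     # BlackBerry-style GET carrying "content-length: 0"
    ("HEAD", ""),     # header present but empty
    ("GET", "42"),    # GET that really announces a body
    ("POST", "42"),   # POST with a body: outside the rule's scope
]

# The three variants of the chained rule from the thread, as
# (REQUEST_METHOD pattern, HTTP_Content-Length pattern). All three apply
# the second pattern negated ("!pattern" in SecFilterSelective).
RULE_VARIANTS = {
    "original":  (r"^(GET|HEAD)$",   r"^$"),
    "updated":   (r"^(GET|HEAD)$",   r"(^$|^0$)"),
    "optimized": (r"^(?:GET|HEAD)$", r"^0?$"),
}


def header_value(raw):
    # Assumption: an absent header is seen by the rule as an empty string
    # (otherwise the original rule would deny every plain GET).
    return "" if raw is None else raw


def rule_fires(variant, method, raw_content_length):
    """True when the chained rule would deny the request."""
    method_pat, length_pat = RULE_VARIANTS[variant]
    if re.search(method_pat, method) is None:
        return False  # first link of the chain fails; second is never evaluated
    # Negated filter: fires when the pattern does NOT match the header value.
    return re.search(length_pat, header_value(raw_content_length)) is None


def denied_requests(variant):
    """Indices into SAMPLE_REQUESTS that the given rule variant would deny."""
    return [i for i, (m, cl) in enumerate(SAMPLE_REQUESTS)
            if rule_fires(variant, m, cl)]


def same_decisions(pattern_a, pattern_b, values):
    """Do two Content-Length patterns accept/reject exactly the same values?"""
    return all(
        (re.search(pattern_a, v) is None) == (re.search(pattern_b, v) is None)
        for v in values
    )


def captured_groups(pattern, text):
    """Groups the regex library must remember for a match; empty for (?:...)."""
    m = re.search(pattern, text)
    return m.groups() if m else None


if __name__ == "__main__":
    for name in RULE_VARIANTS:
        print(f"{name:9s} denies requests {denied_requests(name)}")
    # Edge cases where a sloppier "zero" pattern could differ: "00", "01", " 0"
    edge_values = ["", "0", "00", "01", "10", "42", " 0", "0 "]
    print("(^$|^0$) and ^0?$ agree on edge cases:",
          same_decisions(r"(^$|^0$)", r"^0?$", edge_values))
    print("capturing:", captured_groups(r"^(GET|HEAD)$", "GET"),
          "non-capturing:", captured_groups(r"^(?:GET|HEAD)$", "GET"))
```

Running it shows the original rule denying both the "content-length: 0" request and the GET with a real body, while the updated and optimized variants deny only the latter, and that Ofer's shorter ^0?$ makes the same decisions as (^$|^0$) on every edge value, including "00" and "01", which neither pattern treats as "no body". The captured_groups call makes Ofer's other point visible: the capturing form hands back ("GET",) that the rule never uses, the (?:...) form hands back nothing.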