Thread: [mod-security-users] (no subject) (Page 2)
From: jacky m. <jac...@li...> - 2009-02-08 18:12:18
|
Wondering if you could provide some help or guidance. My two questions are:

The following ModSecurity rule is part of the default rule set and is used for blocking SQL injection attacks. Briefly explain the rule

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001

The following ModSecurity rule is part of the default rule set and is used for blocking EMAIL injection attacks. Briefly explain the rule

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"
|
From: Ofer S. <of...@sh...> - 2009-02-09 05:27:17
|
The SQL injection rule is a performance enhancement rule and not an attack detection rule. It checks using a fast algorithm (that is faster than regexp) that the different SQL injection keywords do not appear in the request. If they do not appear in the request the actual SQL injection detection rule is skipped.

The e-mail injection rule checks for an attack called e-mail injection. In a nutshell, if an application uses an input field in an e-mail message it sends and does not validate the input correctly, the input can modify not just the intended part, usually subject or body, but also other fields such as the destination address. This way the application mail function can be used to send arbitrary mail, usually spam.

Google for "email injection" for some articles about this attack, for example http://www.damonkohler.com/2008/12/email-injection.html.

~ Ofer

Ofer Shezaf
[sh...@xi..., +972-54-4431119, www.xiom.com]
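
The two mechanisms explained in the reply above, emulated as an added example that is not part of the original thread or of the ModSecurity rule set: the keyword pre-filter that decides whether the detection rules run at all, and the e-mail injection pattern applied after each rule's transformations. The phrase subset, the placeholder detection regex, the function names and the sample inputs are assumptions made for the example; `@pm` is approximated by a case-insensitive substring search.

```python
import html
import re
from urllib.parse import unquote

# Constructed subset of the @pm phrase list quoted in the thread.
PM_PHRASES = ("insert", "select", "delete", "drop", "having", "cast",
              "xp_cmdshell", "benchmark", "@@version", "or", "and")

# Stand-in for the real detection rules (up to id 959001), which the thread
# does not show. This regex is a placeholder, not the rule set's own pattern.
PLACEHOLDER_DETECTION = re.compile(r"\bunion\b.{1,100}?\bselect\b")

# Pattern quoted in the thread for rules 950019 and 959019.
EMAIL_INJECTION = re.compile(r"[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@")


def pm_match(value):
    """Approximate @pm: case-insensitive search for any phrase as a substring."""
    lowered = value.lower()
    return any(phrase in lowered for phrase in PM_PHRASES)


def sql_phase(values):
    """Emulate the control flow of the two quoted directives:
        SecRule ... "@pm ..." "...,pass,nolog,skip:1"
        SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
    Returns (detection_ran, values_flagged_by_detection)."""
    if not any(pm_match(v) for v in values):
        # No phrase present: the SecAction runs and skipAfter jumps past the
        # detection rules, so their regular expressions are never evaluated.
        return False, []
    # A phrase is present: skip:1 steps over the SecAction and detection runs.
    # A pre-filter hit alone is not a finding, hence pass,nolog on that rule.
    flagged = [v for v in values if PLACEHOLDER_DETECTION.search(v.lower())]
    return True, flagged


def email_injection(value, url_decode=False):
    """Apply the rule's transformations in order, then the pattern.
    url_decode=False mirrors 950019 (t:htmlEntityDecode,t:lowercase).
    url_decode=True mirrors 959019, which adds t:urlDecode for header values;
    ARGS are already URL-decoded when ModSecurity parses the request.
    Returns the matched text (what logdata:'%{TX.0}' records) or None."""
    if url_decode:
        value = unquote(value)
    value = html.unescape(value).lower()
    match = EMAIL_INJECTION.search(value)
    return match.group(0) if match else None


if __name__ == "__main__":
    # Constructed inputs.
    print(sql_phase(["blue widget", "42"]))        # pre-filter miss, rules skipped
    print(sql_phase(["rock and roll"]))            # pre-filter hit, nothing flagged
    print(repr(email_injection("Hello\r\nBcc: someone@example.com")))
    print(repr(email_injection("x%0d%0ato:%20a@example.com", url_decode=True)))
```
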
|
From: <ici...@ya...> - 2009-06-09 07:49:14
|
Hi all,

I have downloaded the latest stable 2.5.9 release of mod_security from the http://www.modsecurity.org site and decided to compile it statically in apache2.2.11. I'm building on Solaris 10. Following the installation instructions on the same site it says:

$ cd <apache2-source>
$ cp <modsecurity-source>/apache2/mod_security.c ./modules/proxy
$ ./configure \
> -enable-security \
> --with-module=proxy:mod_security.c

but the file mod_security.c doesn't exist in the mod_security source folder. What I can see is mod_security2.c and modsecurity.c files. So my question is which one is the correct one that I need to use in the installation? Also if the correct file is mod_security2.c and if this is a new version of the module, then are there any differences between this file and the mod_security.c file mentioned in the install instructions? I'm asking this since my intent is to migrate an existing mod_security config from apache2.0.55 to the new one I'm building, 2.2.11. Is this going to work?

Thanks in advance for any help.

Igor
|
From: clau . <so...@ya...> - 2009-07-10 15:27:03
|
Hello

I just got this in my modsec-audit. Is it stopping google bot? If not, why does it appear here?

thanks.

--400c0234-B--
GET /robots.txt HTTP/1.1
Host: www.******.***
Connection: Keep-alive
Accept: text/plain,text/html
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--400c0234-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 04 Mar 2009 06:29:30 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 85
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

--400c0234-H--
Message: Warning. Pattern match "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf"] [line "21"] [id "910006"] [msg "Google robot activity"] [severity "NOTICE"]
Message: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Warning. Operator EQ matched 0 at GLOBAL. [file "/******/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]
Stopwatch: 1246842095214958 5339 (515 4182 5143)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1; core ruleset/1.6.1.
Server: Apache/2.2.9 (Ubuntu)
|
From: Christian B. <ch...@jw...> - 2009-07-10 18:22:12
|
On 10.07.2009 at 17:26, clau . wrote:

> Hello
>
> I just got this in my modsec-audit. It is stopping google bot? If
> not why does it appears here?
>
> thanks.

It does not stop your bot. You can depict this from the response part, which has a status of 200 being sent to the client. This usually comes from apache properly handling the request (at least, if you do not explicitly provide a rule for blocking, which delivers a response with status 200).

The interesting part of the message appears at the end, saying "ModSecurity does not support content encodings". The client says it will accept compressed responses (Accept-Encoding) and Apache delivers the gzip-compressed page to the client. When ModSecurity tries to process the response of Apache before it finally gets delivered to the browser, it cannot match its regular expressions, as there is no support for un-compressing the response within ModSecurity.

Best regards,
Chris
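
The reading of an audit-log entry described in the reply above (response status in part F, rule messages in part H), as an added example that is not part of the original thread: a small parser that splits an entry into its lettered parts and reports whether the transaction was blocked. Both sample entries are abridged from entries posted in this thread, with patterns and file paths shortened; the function names are made up for the example.

```python
import re

BOUNDARY = re.compile(r"^--(.+)-([A-Z])--$")          # e.g. --400c0234-F--
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # e.g. [id "910006"]

# Abridged from the Googlebot entry posted in the thread.
GOOGLEBOT_ENTRY = """
--400c0234-B--
GET /robots.txt HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--400c0234-F--
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/plain; charset=UTF-8

--400c0234-H--
Message: Warning. Pattern match "(abridged)" at REQUEST_HEADERS:User-Agent. [file "(abridged)"] [line "21"] [id "910006"] [msg "Google robot activity"] [severity "NOTICE"]
Message: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Warning. Operator EQ matched 0 at GLOBAL. [file "(abridged)"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]

--400c0234-Z--
"""

# Abridged from the command-injection entry posted later in the thread.
WGET_ENTRY = """
--b2e4d027-F--
HTTP/1.1 501 Method Not Implemented
Content-Encoding: gzip

--b2e4d027-H--
Message: Access denied with code 501 (phase 2). Pattern match "(abridged)" at ARGS:a. [file "(abridged)"] [line "144"] [id "950907"] [msg "System Command Injection"] [data "wget"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--b2e4d027-Z--
"""


def split_sections(entry):
    """Return {part letter: [lines]} for one audit-log entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        boundary = BOUNDARY.match(line.strip())
        if boundary:
            current = sections.setdefault(boundary.group(2), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_messages(h_lines):
    """Extract the rule metadata from the 'Message:' lines of part H."""
    messages = []
    for line in h_lines:
        if not line.startswith("Message: "):
            continue
        text = line[len("Message: "):]
        fields = dict(FIELD.findall(text))
        messages.append({
            # "Warning." means the rule only logged; "Access denied" means it acted.
            "disruptive": text.startswith("Access denied"),
            "id": fields.get("id"),      # None for engine messages without a rule
            "msg": fields.get("msg"),
            "severity": fields.get("severity"),
        })
    return messages


def summarize(entry):
    """Answer 'was this request blocked?' from parts F and H."""
    sections = split_sections(entry)
    f_lines, h_lines = sections.get("F", []), sections.get("H", [])
    status_line = next((l for l in f_lines if l.startswith("HTTP/")), "")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    messages = parse_messages(h_lines)
    intercepted = any(l.startswith("Action: Intercepted") for l in h_lines)
    return {
        "status": status,
        "blocked": intercepted or any(m["disruptive"] for m in messages),
        "rule_ids": [m["id"] for m in messages if m["id"]],
        # A compressed response body is what rule 960903 warns about.
        "response_compressed": any(
            l.lower().startswith("content-encoding:") for l in f_lines),
    }


if __name__ == "__main__":
    print(summarize(GOOGLEBOT_ENTRY))
    print(summarize(WGET_ENTRY))
```
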
|
From: <TO...@we...> - 2010-10-02 08:22:40
|
Hello

I have installed mod security on my Apache Webserver. After that I have tried if mod security works fine. So I tried this
to simulate an Injection.

When I try this my Webserver is unreachable. My http and ssh Session to the Webserver are closed and I have to reboot the Webserver. So what happened ? I have no Idea ? This is what the Log say:

--b2e4d027-F--
HTTP/1.1 501 Method Not Implemented
Allow: TRACE
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 239
Connection: close
Content-Type: text/html; charset=iso-8859-1

--b2e4d027-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'"\|\;\`\-\s]|$))" at ARGS:a. [file "/etc/apache2/rulesets/modsecurity_crs_40_generic_attacks.conf"] [line "144"] [id "950907"] [msg "System Command Injection"] [data "wget"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]
Action: Intercepted (phase 2)
Stopwatch: 1285937680234156 80961 (41534 80080 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1.

-b2e4d027-Z--

144 "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"

Can You help me ?

Sorry for my very bad English. I hope I can explain my Problem ! Thank you for help

sxx128
|
From: MARTIN, J. (ATTSI) <JM...@at...> - 2010-10-04 20:31:55
|
Could running mod_security be causing your system to run out of memory? That is the only way I can think of for it to cause the listed behavior.

-Jason Martin
|
From: H S <ara...@ya...> - 2011-05-16 11:08:10
|
Dear ,

I would like to study about ModSecurity. I have just read and reviewed the books ModSecurity Handbook. But I would like to know how and where could I find and understand the architecture of ModSecurity, take a look at functions routines and their relationships.

I would like to hear from you.

sara
|
From: Alfredo D. F. N. <alf...@re...> - 2012-08-31 00:01:49
|
Hi,

I would like help of you. I am having a problem with a RFI attack.

If I have a link like this "http://192.168.1.102/file.php?arg=http://192.168.1.101/index.html" in a request, the ModSecurity detects the attack. But, if I have a link like this "http://192.168.1.102/file.php?arg=http://www.valid-domain.com/index.html" in a request, the ModSecurity doesn't detect the attack.

Does anyone know what might be happening?

Best Regards.
|
From: Ryan B. <RBa...@tr...> - 2012-08-31 01:05:13
|
See the following:

http://blog.spiderlabs.com/2011/09/modsecurity-advanced-topic-of-the-week-remote-file-inclusion-attack-detection.html

--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs
|
From: alberto c. <bet...@gm...> - 2012-09-27 15:07:30
|
Hi all,

Has somebody tried to install modsecurity in IIS 6? Is it possible?

Best regards
Beto
|
From: Ehsan M. <ehs...@gm...> - 2015-01-17 07:43:48
Attachments:
audit-event.dat
|
Dear All, hi
For a specific URI and argument I don't want the rule 960209 to be fired.
The URI is : /fa/views/ajax
I think the argument is: ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]
The rule 960209 checks argument name length. On my setting it will fire if the length is greater than 100.
I wrote a rule like:
SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"
It is fired before the rule 960209 but won't work.
I highlighted these rules on my audit trail.
What is the problem?
Thanks in advance
--
regards
E.M
--VLegPn8AAAEAAFB4UbkAAAEB-A--
[15/Jan/2015:14:40:56 +0330] VLegPn8AAAEAAFB4UbkAAAEB 37.254.173.219 18552 176.101.52.98 80
--VLegPn8AAAEAAFB4UbkAAAEB-B--
POST /fa/views/ajax HTTP/1.1
Referer: http://mysite/fa/session-archivs
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.7,fa;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: mysite
Content-Length: 8050
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: has_js=1
--VLegPn8AAAEAAFB4UbkAAAEB-C--
--VLegPn8AAAEAAFB4UbkAAAEB-E--
--VLegPn8AAAEAAFB4UbkAAAEB-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 15 Jan 2015 10:16:58 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1421317018"
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
--VLegPn8AAAEAAFB4UbkAAAEB-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "5"] [id "2002"]
*Message: Warning. Operator GT matched 100 at ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]. [file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]*
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file "/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Stopwatch2: 1421320254300902 1867389; combined=676477, p1=1617, p2=673800, p3=7, p4=259, p5=568, sr=202, sw=226, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"
--VLegPn8AAAEAAFB4UbkAAAEB-K--
SecAction
"phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
SecAction
"phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
SecAction
"phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=9,setvar:tx.outbound_anomaly_score_level=5,nolog,pass"
SecAction
"phase:1,id:900004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"
SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
SecAction
"phase:1,id:900007,t:none,setvar:tx.arg_name_length=100,nolog,pass"
SecAction "phase:1,id:900008,t:none,setvar:tx.arg_length=400,nolog,pass"
SecAction
"phase:1,id:900009,t:none,setvar:tx.total_arg_length=64000,nolog,pass"
SecAction
"phase:1,id:900010,t:none,setvar:tx.max_file_size=1048576,nolog,pass"
SecAction
"phase:1,id:900011,t:none,setvar:tx.combined_file_sizes=1048576,nolog,pass"
SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD
POST
OPTIONS',setvar:tx.allowed_request_content_type=application/json|application/x-amf|application/x-www-form-urlencoded|application/xml|multipart/form-data|text/xml,setvar:'tx.allowed_http_versions=HTTP/0.9
HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.dos/ .dll/ .cmd/ .cer/
.bat/ .bak/ .backup/ .dll/
.cer/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
/Content-Range/ /Translate/ /via/ /if/',nolog,pass"
SecAction
"phase:1,id:900015,t:none,setvar:tx.dos_burst_time_slice=20,setvar:tx.dos_counter_threshold=60,setvar:tx.dos_block_timeout=300,nolog,pass"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$"
"phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
SecRule "&TX:REAL_IP" "@eq 0"
"phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"
*SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"*
SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2002,t:none,pass,ctl:ruleRemoveById=981173"
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,msg:'POST request
missing Content-Length
Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_FILE_SIZE" "@eq 1"
"phase:1,log,chain,t:none,block,msg:'Uploaded file size too
large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "REQUEST_HEADERS:Content-Type" "@beginsWith multipart/form-data"
"chain"
#SecRule "REQUEST_HEADERS:Content-Length" "@gt %{tx.max_file_size}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:1,log,chain,t:none,block,msg:'Request content type is not allowed by
policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$"
"t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx
^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$"
"phase:2,log,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL
Encoding Abuse Attack
Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_BODY|XML:/*" "@rx
\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
#SecRule "REQUEST_BODY|XML:/*" "@validateUrlEncoding "
"setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
Missing an Accept
Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
Has an Empty Accept
Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
*SecRule "&TX:ARG_NAME_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument name too
long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"*
*SecRule "ARGS_NAMES" "@gt %{tx.arg_name_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"*
SecRule "&TX:ARG_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument value too
long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS" "@gt %{tx.arg_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Too
many arguments in
request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:TOTAL_ARG_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Total arguments size
exceeded',id:960341,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS_COMBINED_SIZE" "@gt %{tx.total_arg_length}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Total uploaded files size too
large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "FILES_COMBINED_SIZE" "@gt %{tx.combined_file_sizes}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
"phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by
policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}"
"setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
Other non-disruptive rules! <the complete audit trail is available as attachment>
--VLegPn8AAAEAAFB4UbkAAAEB-Z--
|
|
From: Asaf T. <Asa...@mc...> - 2015-02-01 13:36:27
|
Hi,
We are interested in your product ModSecurity and would like to test it in order to integrate it into our system.
We have some questions:
1. Does your product support protection against Replay messages (meaning resubmitting the same message again).
2. Does your product support protection against CSRF attack.
3. I would like to schedule a demo with your tactical team if this is possible.
You can reach me over the phone:
Located at Israel: 972 -
0523803798
Thanks,
Asaf
|
|
From: Chaim S. <CSa...@tr...> - 2015-02-01 18:06:46
|
Good afternoon Asaf,
ModSecurity can be used to add protection against CSRF attacks. The basic premise is outlined here: http://blog.spiderlabs.com/2011/01/detecting-malice-with-modsecurity-csrf-attacks.html. A similar approach can be used to prevent replay attacks by adding a unique token for each request.
As far as a demo this mailing list is designated for community support for ModSecurity. For anything beyond this purpose, including requests for Trustwave services we ask that you please email us directly at security[at]modsecurity.org.
Thank you.
Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
|
|
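The per-request token idea from the reply above, shown as application-level logic in Python. This is an added example, not part of the original thread and not ModSecurity rule syntax; the class and function names, the key and the session ids are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimeTokenGate:
    """Issues one token per rendered form and accepts each token exactly once."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds
        self.outstanding = {}  # nonce -> session id, for tokens not yet redeemed

    def _mac(self, session_id: str, nonce: str, issued_at: int) -> str:
        msg = f"{session_id}|{nonce}|{issued_at}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, now: int) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = session_id
        return f"{nonce}.{now}.{self._mac(session_id, nonce, now)}"

    def verify(self, session_id: str, token, now: int) -> str:
        if not token:
            return "missing"    # a cross-site form post carries no token
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdecimal():
            return "malformed"
        nonce, issued_at, mac = parts[0], int(parts[1]), parts[2]
        expected = self._mac(session_id, nonce, issued_at)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "invalid"    # forged, or issued to a different session
        if now - issued_at > self.ttl:
            self.outstanding.pop(nonce, None)
            return "expired"
        if self.outstanding.pop(nonce, None) is None:
            return "replayed"   # this token was already redeemed once
        return "ok"


def demo():
    # Constructed sample values: two sessions and fixed timestamps.
    gate = OneTimeTokenGate(key=b"constructed-demo-key")
    token = gate.issue("sess-A", now=1000)
    return [
        gate.verify("sess-A", None, now=1001),   # request without a token
        gate.verify("sess-B", token, now=1002),  # token used from another session
        gate.verify("sess-A", token, now=1003),  # first legitimate submission
        gate.verify("sess-A", token, now=1004),  # same request sent again
    ]
```

`demo()` returns `["missing", "invalid", "ok", "replayed"]`: the session binding is what stops CSRF, and the single-use store is what stops a resubmitted request.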
From: Amlaan K. <aml...@gm...> - 2016-10-16 05:36:50
|
I have created a handler in Apache which is supposed to parse the URL entered. If the conditions defined by the handler are satisfied, the handler returns DECLINED AND the page requested is open. If not, the handler displays "Rejected". However, the problem I am facing is that when I am trying to display a PHP page, the PHP handler does not help execute the PHP code after my handler returns DECLINED. I feel that using the XML parser affects my program performance. Can I use mod_security to execute this module? If yes, how do I do so? |
|
From: Christian F. <chr...@ne...> - 2016-10-16 13:55:42
|
Hi there,
It is not entirely clear what you have really built and what you are asking.
But I think I am on safe grounds to tell you that ModSec can not call third party modules / handlers out of the box and that module interaction is better discussed with the Apache project than here on the ModSec mailing lists.
Good luck,
Christian Folini
--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
|
|
From: Jose P. V. L. <pab...@gm...> - 2016-10-16 16:24:05
|
Hi.
That's a question about apache handlers: https://perl.apache.org/docs/2.0/user/handlers/intro.html
Apache2::Const::DECLINED, the next handler in the chain will be run. If the return value is Apache2::Const::OK the next phase will start. In all other cases the execution will be aborted.
Maybe you could try returning OK instead of declined.
Regards
|
|
From: Don C. <don...@gm...> - 2018-12-18 07:10:50
|
|
From: Don C. <don...@gm...> - 2019-04-15 04:43:24
|
|
From: Sadaf M. <sad...@gm...> - 2019-05-01 22:44:46
|
|
From: Luke B. <lba...@gm...> - 2023-05-18 15:50:58
|
Javascript / Challenge page
Good morning,
I introduce myself, I'm new to the list. I'm a university student who has to take care of the security inside the campus.
I have to set up a series of mod_security instances which, in addition to a series of basic rules, must be able to run a challenge page, in the event of a major DDoS attack, in order to filter all automatic traffic.
Has anyone done something like this before or can point me to online resources to do it?
Thanks
Luke
|