Thread: [mod-security-users] Newbie advice with mod_security2.
From: Benjamin D. <ben...@py...> - 2007-05-30 15:37:12
I recently installed mod_security2 with the core rule set on my cAos-Linux box running Apache v2.0.59.

It's doing a fantastic job with a few exceptions listed below; I'd be grateful for any advice! :-)

--c63b3e71-A--
[30/May/2007:15:45:15 +0100] B7992MCoPQIAABMLXE4AAAAE XXX.92.40.49 64262 192.168.61.2 80
--c63b3e71-B--
GET / HTTP/1.1
Host: www.py-soft.co.uk
Connection: keep-alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
X-NovINet: v1.2
Via: HTTP/1.0 Novell Border Manager, 1.0 HAKONE (NetCache NetApp/6.0.2P2)

--c63b3e71-F--
HTTP/1.1 400 Bad Request
Content-Length: 307
Connection: close
Content-Type: text/html; charset=iso-8859-1

--c63b3e71-H--
Message: Access denied with code 400 (phase 2). Pattern match "(?:\\bhttp.(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.0>"] [severity "ALERT"]
Action: Intercepted (phase 2)
Stopwatch: 1180536315805144 11061 (1030 10021 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.59 (cAos)

--c63b3e71-Z--

This is a false positive - any tips on getting round it?

--1b70c527-A--
[30/May/2007:15:55:34 +0100] LJiKwMCoPQIAADR3VhIAAAAA XXX.35.133.150 61041 192.168.61.2 80
--1b70c527-B--
POST /XXX/XXX.php HTTP/1.1
X-ICAP-Version: 1.0
Host: www.py-soft.co.uk
Connection: keep-alive
Content-Length: 430
Accept: application/vnd.syncml+wbxml
Accept-Charset: utf-8
Accept-Language: en
Cache-Control: no-store
Content-Type: application/vnd.syncml+wbxml
User-Agent: Nokia SyncML HTTP Client
BenchmarkStart: 1180536933.845560
X-Orange-RAT: 0
X-Nokia-sgsnipaddress: XXX.33.26.104
X-Network-Info: GPRS, XXX, unsecured
X-Nokia-msisdn: XXX
X-Orange-apnname: ap-postpaidsession
X-Nokia-ipaddress: XXX.40.202.157
X-Nokia-BEARER: GPRS
X-Forwarded-For: XXX.250.16.34, XXX.250.16.34
Via: 1.1 bdp-proxy1 (NetCache NetApp/6.0.2P2), 1.1 bdp-proxy1 (NetCache NetApp/6.0.2P2)

--1b70c527-C--
^B<9F>Sj^@mlq<C3>^C1.1^Ar<C3> SyncML/1.1^Ae<C3>^B23^A[<C3>^A1^AnW<C3>+http://www.py-soft.co.uk/XXX/XXX.php^A^AgW<C3>^TIMEI:353269017997408^A^ANZ^@^AS<C3>^Qsyncml:auth-basic^A^@^@^AO<C3>(YmV uamFtaW46ZDA1MTU1ODM5MXB5dGhhZ29yYXM=^A^AZ^@^AL<C3>^E10000^A^@^@^A^AkFK<C3>^A1^AO<C3>^C204^ATnW<C3> ./contacts^A^AgW<C3>^\./C\System\Data\Contacts.cdb^A^AZ^@^AEJ<C3>^P20070511T172148Z^AO<C3>^P20070530T145333Z^A^A^@^@^A^A^AFK<C3>^A2^AO<C3>^C204^ATnW<C3> ./calt ask^A^AgW<C3>^X./C\System\Data\Calendar^A^AZ^@^AEJ<C3>^P20070511T172148Z^AO<C3>^P20070530T145333Z^A^A^@^@^A^A^A^R^A^A
--1b70c527-F--
HTTP/1.1 501 Method Not Implemented
Allow: TRACE
Content-Length: 305
Connection: close
Content-Type: text/html; charset=iso-8859-1

--1b70c527-H--
Message: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)?$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1180536934009536 54864 (52176* 53266 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.59 (cAos)

--1b70c527-Z--

Another false positive - any tips?

--6df04d0a-A--
[30/May/2007:15:59:53 +0100] PBSF4cCoPQIAAHwl6sQAAAAI XX.132.25.160 50151 192.168.61.2 443
--6df04d0a-B--
POST /XXX/XXX.php HTTP/1.1
Host: www.py-soft.co.uk
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Method: POST /XXX/XXX.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www.py-soft.co.uk/XXX/XXX/XXX.php
Content-Length: 92
Cookie: XXX
Pragma: no-cache
Cache-Control: no-cache

--6df04d0a-C--
xajax=doXMLHTTP&xajaxr=1180537198876&xajaxargs[]=felamimail.ajaxfelamimail.refreshFolderList
--6df04d0a-F--
HTTP/1.1 400 Bad Request
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6df04d0a-H--
Message: Access denied with code 400 (phase 2). Pattern match "(?:\\bhttp.(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" at REQUEST_HEADERS:Method. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1180537193792993 70985 (44607* 69283 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.59 (cAos)

--6df04d0a-Z--

Another - any tips?

I haven't had a chance to read through the mod_security2 docs yet and I'd be very grateful for any help.

Take care,

Ben
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-30 16:46:46
Please read my Blog post on handling false positives - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html. It looks like 2 of your examples are triggering the HTTP Response Splitting rules (Rule 950911). You will need to update the rule (per the instructions in the Blog post) and add exceptions to the variable list to NOT inspect either the "Via" or "Method" request headers. Basically, you need to add !REQUEST_HEADERS:'/(Via|Method)/' to the variable list.

As for your 2nd example, you will need to update the allowed Content-Type RegEx in Rule 960010 to allow - application/vnd.syncml+wbxml.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Benjamin Donnachie
> Sent: Wednesday, May 30, 2007 11:35 AM
> To: mod...@li...
> Subject: [mod-security-users] Newbie advice with mod_security2.
>
> I recently installed mod_security2 with the core rule set on my cAos-Linux box running Apache v2.0.59.
>
> It's doing a fantastic job with a few exceptions listed below; I'd be grateful for any advice!
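The two rule changes Ryan describes, written out as an added example; this is not code from the thread or from the Core Rule Set distribution. The two operator regexes are exactly the ones printed in Ben's audit log entries. The variable lists, the chained REQUEST_METHOD check in 960010, and the action lists are assumptions about how the CRS 1.x rules were laid out, so compare them against the copy in your own modsecurity_crs_*.conf before pasting. Following the blog post's approach for ModSecurity 2.1, the modified rule replaces the shipped one: comment out the original so each id is defined once.

```apache
# --- Rule 950911: HTTP Response Splitting (CRS 1.x era, ModSecurity 2.1.x) ---
# Shipped form (variable list and actions are assumed; the operator regex is
# the one printed in the audit log). Every request header is inspected, so the
# proxy's "Via: HTTP/1.0 Novell Border Manager ..." and the "Method:" header
# that the xajax client adds both hit the pattern after t:lowercase.
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \
#    "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
#    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',id:'950911',severity:'1'"

# Corrected form: same operator and actions; Via and Method are removed from the
# inspected set with a negated regex selector, as Ryan suggests. Anchoring the
# selector (^...$) is this example's tightening of his '/(Via|Method)/' so that
# only those two header names are exempted, not any name that merely contains
# "Via" or "Method".
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Via|Method)$/' \
    "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',id:'950911',severity:'1'"

# --- Rule 960010: Request content type is not allowed by policy ---
# Shipped form (the REQUEST_METHOD chain is assumed; the Content-Type regex is
# the one printed in the audit log). A request with a body whose Content-Type
# is not on the list is denied with 501, which is what the Nokia SyncML client
# received for application/vnd.syncml+wbxml.
#SecRule REQUEST_METHOD "!^(?:GET|HEAD)$" \
#    "chain,phase:2,t:none,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',severity:'4'"
#SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)?$|multipart/form-data;)|text/xml)"

# Corrected form: the SyncML WBXML type is added as one more alternative inside
# the anchored group, so it must appear at the start of the header value.
# Keep this list tight: every type added here is a back-end parser that the
# WAF will now let untrusted bodies reach.
SecRule REQUEST_METHOD "!^(?:GET|HEAD)$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)?$|multipart/form-data;|application/vnd\.syncml\+wbxml)|text/xml)"
```

Two things worth knowing before applying this. First, the Via hit is not a quirk of one proxy: RFC 2616 defines the Via value as a list of protocol-name/version tokens, so a response-splitting signature that looks for "http/1.x" in request headers will fire on any request that crossed a proxy announcing itself that way, and excluding Via from that rule is the right fix rather than an exception for one client IP. Second, later ModSecurity 2.x releases add SecRuleUpdateTargetById, which applies the same target exclusion without copying the rule; it is not in the 2.1.1 that produced these logs. If you post full audit log entries for others to analyse, as Ofer asks below, scrub part C first: in the SyncML entry above it carries the client's syncml:auth-basic credential as base64, which decodes trivially.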
From: Benjamin D. <ben...@py...> - 2007-05-30 16:31:42
Ryan Barnett wrote:
> Please read my Blog post on handling false positives -

Many thanks for your help! :-)

Ben
From: Ofer S. <OferS@Breach.com> - 2007-05-30 21:31:13
We will also take your information and correct the Core Rule Set to handle such requests well.

This is a good opportunity to say that we will be happy to receive any false positives any of you on the list get, either on the list or off list if you have a problem sharing the information publicly. We will look at every such request and will try to modify the Core Rule Set to avoid the FP. We would need the entire audit log entry to do so.

Thanks
~ Ofer Shezaf
ModSecurity Core Rule Set project leader

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Ryan Barnett
> Sent: Wednesday, May 30, 2007 7:11 PM
> To: Benjamin Donnachie; mod...@li...
> Subject: Re: [mod-security-users] Newbie advice with mod_security2.
>
> Please read my Blog post on handling false positives - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html. It looks like 2 of your examples are triggering the HTTP Response Splitting rules (Rule 950911). You will need to update the rule (per the instructions in the Blog post) and add exceptions to the variable list to NOT inspect either the "Via" or "Method" request headers. Basically, you need to add !REQUEST_HEADERS:'/(Via|Method)/' to the variable list.
>
> As for your 2nd example, you will need to update the allowed Content-Type RegEx in Rule 960010 to allow - application/vnd.syncml+wbxml.
>
> > -----Original Message-----
> > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Benjamin Donnachie
> > Sent: Wednesday, May 30, 2007 11:35 AM
> > To: mod...@li...
> > Subject: [mod-security-users] Newbie advice with mod_security2.