mod-security-users

[mod-security-users] mod_security IE vs Firefox problem

[<rud...@ne...>]

Hi,
I'm a beginner using mod_security (Version 1.6.0 - 2008/02/19) with apache (apache2-2.0.59-1.17) on SLES9 SP4.
It works fine but in the modsec_audit log file there are messages. These messages will appear using Microsoft IE 8 (8.0.6001) at the beginning of the session. But after these Messages the application will work fine. The user will not be notified, there is no "403 Forbidden" message. But using Firefox (3,5 or 3.6) there are no Messages in the modsec_audit log file.
What ca I do to eliminate these messages?
The applicaation is secured by using server and client certificates.

----------------------------
--7a3b193e-A--
[27/Sep/2010:10:58:20 +0200] 7hzFKMCoMiAAAEqFHgEAAACD (my_ip) 3125 (server-ip) 443
--7a3b193e-B--
GET /appl/entry.do HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: 192.168.50.30
Connection: Keep-Alive

--7a3b193e-F--
HTTP/1.0 403 Forbidden
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: de

--7a3b193e-H--
Apache-Handler: type-map
Stopwatch: 1285577900868904 18601 (- - -)
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/1.6.0.
Server: Apache

--7a3b193e-K--

--7a3b193e-Z--
-------------------------------

Thanks a lot.

Bye
Rudi

Re: [mod-security-users] mod_security IE vs Firefox problem

[MARTIN, J. (ATTSI) <JM...@at...>]

SecAuditLogRelevantStatus controls that. I am guessing that it is
configured to log all 403's.  There might be a behavior difference
between firefox and ie such that IE submits a request sans-auth and gets
a 403 then submits the certificates, while perhaps firefox submits the
cert straight away. That's just a theory though.

-Jason Martin

-----Original Message-----
From: rud...@ne... [mailto:rud...@ne...] 
Sent: Monday, September 27, 2010 2:30 AM
To: mod...@li...
Subject: [mod-security-users] mod_security IE vs Firefox problem

Hi,
I'm a beginner using mod_security (Version 1.6.0 - 2008/02/19) with
apache (apache2-2.0.59-1.17) on SLES9 SP4.
It works fine but in the modsec_audit log file there are messages. These
messages will appear using Microsoft IE 8 (8.0.6001) at the beginning of
the session. But after these Messages the application will work fine.
The user will not be notified, there is no "403 Forbidden" message. But
using Firefox (3,5 or 3.6) there are no Messages in the modsec_audit log
file.
What ca I do to eliminate these messages?
The applicaation is secured by using server and client certificates.

----------------------------
--7a3b193e-A--
[27/Sep/2010:10:58:20 +0200] 7hzFKMCoMiAAAEqFHgEAAACD (my_ip) 3125
(server-ip) 443
--7a3b193e-B--
GET /appl/entry.do HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR
3.0.04506.648; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: 192.168.50.30
Connection: Keep-Alive

--7a3b193e-F--
HTTP/1.0 403 Forbidden
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: de

--7a3b193e-H--
Apache-Handler: type-map
Stopwatch: 1285577900868904 18601 (- - -)
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/);
core ruleset/1.6.0.
Server: Apache

--7a3b193e-K--

--7a3b193e-Z--
-------------------------------

Thanks a lot.

Bye
Rudi


------------------------------------------------------------------------
------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html