That alert message means that the application generated a 500 level response code status. ModSecurity identified the status code and triggered a 403 code instead. The rationale for this is to hide errors from clients.
By the way, I suggest that you upgrade both ModSecurity (v2.5.13) and the CRS (v2.1.1).

-- Ryan Barnett

On Jan 18, 2011, at 10:48 AM, "[email protected]" <[email protected]> wrote:

> Hi all,
>
> I am using ModSecurity 2.5.12 and rule set 2.0.5.
>
> I always got an Access denied by "The application is not available" which
> is a rule in modsecurity_crs_50_outbound.conf.
> But I have no idea what is the root cause.
> I wonder what does "The application is not available" mean?
>
> Here is my audit log:
>
> --0d946668-A--
> [14/Jan/2011:17:25:34 +0800] TTAWjX8AAAEAABnc54IAAAAa 202.74.105.113 57023
> 192.168.200.208 7900
> --0d946668-B--
> POST /abc/login HTTP/1.1
> Host: www.abc.com:7900
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13)
> Gecko/20101203 Firefox/3.6.13
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> Referer: https://www.abc.com:7900/abc/abc.jsp?from=index.html
> Cookie: JSESSIONID=0s000egfiufJPdDWiKYvMc_pfuVvs5cp3eprm
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 16
>
> --0d946668-C--
> javaversion=1.6.0
> --0d946668-F--
> HTTP/1.1 403 Forbidden
> $WSEP:
> Content-Length: 592
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
> Content-Language: en-US
>
> --0d946668-E--
>
> --0d946668-H--
> Message: Access denied with code 403 (phase 4). Operator GE matched 30 at
> TX:outbound_anomaly_score. [file
> "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf"]
> [line "23"] [msg "Outbound Anomaly Score Exceeded (score 30):
> The application is not available"]
> Action: Intercepted (phase 4)
> Stopwatch: 12949971335994583 105228 (489* 3294 -)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core
> ruleset/2.0.5.
> Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a
>
> --0d946668-Z--
>
>
> Many Thanks!!
> Jay
>
> _______________________________________________
> mod-security-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
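
Added example, not part of the original thread: a small Python parser that splits an audit log entry like the one quoted above into its lettered sections and pulls the triage facts out of sections B, F and H. The function names `split_sections` and `summarize` are hypothetical, and the sample is constructed by abridging the quoted log with its wrapped lines rejoined.

```python
import re

# Constructed sample: abridged from the audit log quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
--0d946668-A--
[14/Jan/2011:17:25:34 +0800] TTAWjX8AAAEAABnc54IAAAAa 202.74.105.113 57023 192.168.200.208 7900
--0d946668-B--
POST /abc/login HTTP/1.1
Host: www.abc.com:7900
--0d946668-F--
HTTP/1.1 403 Forbidden
--0d946668-H--
Message: Access denied with code 403 (phase 4). Operator GE matched 30 at TX:outbound_anomaly_score. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf"] [line "23"] [msg "Outbound Anomaly Score Exceeded (score 30): The application is not available"]
Action: Intercepted (phase 4)
--0d946668-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # e.g. --0d946668-H--
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # e.g. [line "23"]
PHASE = re.compile(r"\(phase (\d)\)")

def split_sections(entry):
    """Return {section letter: [lines]} for one audit log entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def summarize(entry):
    """Collect the request line (B), the status sent to the client (F) and rule messages (H)."""
    s = split_sections(entry)
    out = {"request": s["B"][0] if s.get("B") else None,
           "status_sent": int(s["F"][0].split()[1]) if s.get("F") else None,
           "messages": []}
    for line in s.get("H", []):
        if line.startswith("Message: "):
            meta = dict(META.findall(line))
            phase = PHASE.search(line)
            meta["phase"] = int(phase.group(1)) if phase else None
            # Phases 3 and 4 run on the response, so the match is on what the app returned.
            meta["outbound"] = meta["phase"] in (3, 4)
            out["messages"].append(meta)
    return out
```

For the quoted entry, `status_sent` is the 403 that ModSecurity returned to the client, and the `outbound` flag on the message shows the block came from a response-phase rule rather than from anything in the POST itself.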
