If you have any comments related to this rule (improvements, questions, etc…), please reply to this email thread.
For False Positives, please sign up for https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives Email the FP Report list here: [email protected]<mailto:[email protected]> Rule File: http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf Current Rule: # # Validate request line against the format specified in the HTTP RFC # # -=[ Rule Logic ]=- # # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] # # It also outlines proper construction for CONNECT, OPTIONS and GET requests. # # -=[ References ]=- # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 # SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" Rule Documentation Page: https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911 ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
