Hi,

in a modsec_audit.log I find some blocked requests like

  Message: Access denied with code 403 (phase 2).
  [file " .../base_rules/modsecurity_crs_20_protocol_violations.conf"]
  [id "958291"] [rev "2.2.2"]
  [msg "Range: field exists and begins with 0."]
  [data "bytes=0-6134031"]
  [severity "NOTICE"]
  [tag "RULE_MATURITY/5"]
  [tag "RULE_ACCURACY/7"]
  [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-958291"]
  [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
  [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]

In modsecurity_crs_20_protocol_violations.conf one can find the 
corresponding comments

  # 1. Range Header exists and begins with 0 - normal browsers don't do this.
  # Automated programs and bots often do not obey the HTTP RFC
  #
  # -=[ Rule Logic ]=-
  # This rule inspects the Range request header to see if it starts with 0.
  #
  # -=[ References ]=-
  # http://www.bad-behavior.ioerror.us/documentation/how-it-works/

Ok, I see on "my" server (offering FOSS software packages) often many 
"suspicious" overlapping byte-range requests (but always only one single 
byte-range per request; maybe from bots or "tricky" download managers?) 
whose purpose I don't really understand yet. Summed up, they sometimes 
lead to a 10-100 times greater download volume compared to the size 
of the single downloaded package itself.

Nevertheless I don't understand the above rule.

At first glance at the given reference page

  http://www.bad-behavior.ioerror.us/documentation/how-it-works/

I cannot find any related information.

But reading RFC2616 I found

  Examples of byte-content-range-spec values, assuming that the entity
  contains a total of 1234 bytes

   - The first 500 bytes:

   bytes 0-499/1234

   - All except for the first 500 bytes:

   bytes 500-1233/1234

So my questions:

Is using a range request beginning with 0 really an RFC violation?
Do "normal" browsers really use no range headers beginning with 0?
Or is the idea behind this rule that "normal" browsers normally don't use 
byte-range requests and, if they do, then only ranges beginning with > 0 
(e.g. for resuming interrupted transfers)?

Regards

Jens
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
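As an added example (not from the post or from the CRS project), the Range-header logic discussed above in Python: a parser for a single RFC 2616 byte-range-spec, the check that rule 958291's description implies (the header value begins with `bytes=0-`; that this is the rule's exact operator is an assumption), and a helper that sums the volume a burst of overlapping single-range requests, like the ones Jens describes, would serve versus the distinct bytes they cover. All header values are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# byte-range-spec ("first-last") or suffix-byte-range-spec ("-N"), RFC 2616 14.35.1
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_byte_range(header: str, entity_len: int) -> Optional[Tuple[int, int]]:
    """Return the inclusive (first, last) positions a single Range value selects
    from an entity of entity_len bytes, or None if unparseable/unsatisfiable."""
    m = RANGE_RE.match(header.strip())
    if not m:
        return None
    first, last = m.group(1), m.group(2)
    if first == "" and last == "":
        return None
    if first == "":                      # "-N": the final N bytes
        n = int(last)
        return None if n == 0 else (max(0, entity_len - n), entity_len - 1)
    f = int(first)
    l = entity_len - 1 if last == "" else min(int(last), entity_len - 1)
    if f >= entity_len or f > l:         # 416-style unsatisfiable range
        return None
    return (f, l)


def crs_958291_matches(header: str) -> bool:
    """Rule logic quoted in the post: Range field exists and begins with 0.
    Assumed operator: the value starts with 'bytes=0-' (e.g. 'bytes=0-6134031')."""
    return header.strip().startswith("bytes=0-")


def range_volume(headers: List[str], entity_len: int) -> Tuple[int, int]:
    """For a burst of single-range requests on one file, return
    (bytes that would be served in total, distinct bytes actually covered).
    A large ratio between the two is the overlap pattern the post describes."""
    ranges = [r for r in (parse_byte_range(h, entity_len) for h in headers) if r]
    served = sum(l - f + 1 for f, l in ranges)
    distinct, cur = 0, None
    for f, l in sorted(ranges):          # merge overlapping/adjacent intervals
        if cur is None or f > cur[1] + 1:
            if cur is not None:
                distinct += cur[1] - cur[0] + 1
            cur = [f, l]
        else:
            cur[1] = max(cur[1], l)
    if cur is not None:
        distinct += cur[1] - cur[0] + 1
    return served, distinct
```

With the RFC's 1234-byte entity, the two RFC examples plus a full-file request (`bytes=0-1233`) and a suffix request (`bytes=-500`) serve 2968 bytes while covering only 1234 distinct ones; only the requests starting at byte 0 trip the rule check.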