Jens,
In the Bad Behavior rules there is a file called "common_tests.inc.php"
which has the following info -
// Range: field exists and begins with 0
// Real user-agents do not start ranges at 0
// NOTE: this blocks the whois.sc bot. No big loss.
// Exceptions: MT (not fixable); LJ (refuses to fix; may be
// blocked again in the future); Facebook
if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed'])
    && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
    // strncmp() returns 0 on a prefix match, so each test below is true only
    // when the User-Agent does NOT start with the exempted string
    if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) &&
        strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
        return "7ad04a8a";
    }
}
So it seems that although this is legal per the RFC, it seems as though no
legitimate clients do this.
If you find this is not the case, please let us know and we will adjust the
rule, or you can simply remove the rule locally with an exception.
-Ryan
On 9/8/11 4:22 AM, "Jens Schleusener" <[email protected]> wrote:
>Hi,
>
>in a modsec_audit.log I find some blocked requests like
>
> Message: Access denied with code 403 (phase 2).
> [file " .../base_rules/modsecurity_crs_20_protocol_violations.conf"]
> [id "958291"] [rev "2.2.2"]
> [msg "Range: field exists and begins with 0."]
> [data "bytes=0-6134031"]
> [severity "NOTICE"]
> [tag "RULE_MATURITY/5"]
> [tag "RULE_ACCURACY/7"]
> [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-958291"]
> [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
> [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]
>
>In modsecurity_crs_20_protocol_violations.conf one can find the
>corresponding comments
>
> # 1. Range Header exists and begins with 0 - normal browsers don't do
>this.
> # Automated programs and bots often do not obey the HTTP RFC
> #
> # -=[ Rule Logic ]=-
> # This rule inspects the Range request header to see if it starts with
>0.
> #
> # -=[ References ]=-
> # http://www.bad-behavior.ioerror.us/documentation/how-it-works/
>
>Ok, I often see on "my" server (offering FOSS software packages) many
>"suspicious" overlapping byte-range requests (but always only one single
>byte-range per request; maybe from bots or "tricky" download managers?)
>whose purpose I don't really understand yet. Summed up, they sometimes
>lead to a 10-100 times greater download volume compared to the size
>of the single downloaded package itself.
>
>Nevertheless I don't understand the above rule.
>
>At first glance at the given reference page
>
> http://www.bad-behavior.ioerror.us/documentation/how-it-works/
>
>I cannot find any related information.
>
>But reading RFC2616 I found
>
> Examples of byte-content-range-spec values, assuming that the entity
> contains a total of 1234 bytes
>
> - The first 500 bytes:
>
> bytes 0-499/1234
>
> - All except for the first 500 bytes:
>
> bytes 500-1233/1234
>
>So my question:
>
>Is using a range request beginning with 0 really a RFC violation?
>Do "normal" browsers really use no range headers beginning with 0?
>Or is the idea behind this rule that "normal" browsers normally don't
>use byte-range requests, and if they do, then only ranges beginning
>with > 0 (e.g. for resuming interrupted transfers)?
>
>Regards
>
>Jens
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
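To make the distinction in this thread concrete (a Range value starting at 0 is syntactically valid under RFC 2616 section 14.35.1, yet rule 958291 and Bad Behavior flag it as a heuristic), here is an added example that is neither CRS nor Bad Behavior code. It parses the Range header per the RFC grammar, then applies the same "=0-" substring test and the same User-Agent exception prefixes that the quoted PHP snippet uses. The request headers are constructed sample values; the `strict` flag mirrors `$settings['strict']` from the snippet.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regexes for the two forms of byte-range-spec in RFC 2616 14.35.1:
#   first-byte-pos "-" [last-byte-pos]   and   "-" suffix-length
BYTE_RANGE_SPEC = re.compile(r'^(\d+)-(\d*)$')
SUFFIX_RANGE_SPEC = re.compile(r'^-(\d+)$')

# User-Agent prefixes exempted by the Bad Behavior snippet quoted above
# (strncmp() prefix matches); the list is copied from that snippet.
UA_EXCEPTIONS = ("MovableType", "URI::Fetch", "php-openid/", "facebookexternalhit")


@dataclass
class RangeVerdict:
    rfc_valid: bool            # does the value satisfy the RFC 2616 grammar?
    first_byte_pos: Optional[int]  # first-byte-pos of the first spec, None for suffix/no header
    flagged: bool              # would the 958291-style heuristic fire?
    reason: str


def parse_range(value: str):
    """Parse a Range header value into a list of (first, last) tuples.

    `last` is None for an open-ended range, `first` is None for a suffix
    range.  Raises ValueError when the value violates the RFC grammar.
    """
    if not value.startswith("bytes="):
        raise ValueError("unsupported range unit")
    specs = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec:
            continue
        m = BYTE_RANGE_SPEC.match(spec)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else None
            if last is not None and last < first:
                raise ValueError("last-byte-pos smaller than first-byte-pos")
            specs.append((first, last))
            continue
        m = SUFFIX_RANGE_SPEC.match(spec)
        if m:
            specs.append((None, int(m.group(1))))
            continue
        raise ValueError("bad byte-range-spec: %r" % spec)
    if not specs:
        raise ValueError("empty byte-range-set")
    return specs


def evaluate(headers: dict, strict: bool = True) -> RangeVerdict:
    """Apply the heuristic from rule 958291 / Bad Behavior to one request.

    RFC validity and the heuristic are reported separately so the reader can
    see that a flagged request is usually a perfectly well-formed one.
    """
    range_value = headers.get("Range")
    if range_value is None:
        return RangeVerdict(True, None, False, "no Range header")
    try:
        specs = parse_range(range_value)
    except ValueError as exc:
        # A malformed value is a real protocol problem, but it is not what
        # this particular rule looks for.
        return RangeVerdict(False, None, False, "malformed: %s" % exc)
    first = specs[0][0]
    # Same test as the PHP: strpos($range, "=0-") !== FALSE
    if not strict or "=0-" not in range_value:
        return RangeVerdict(True, first, False, "first-byte-pos is not 0")
    ua = headers.get("User-Agent", "")
    if ua.startswith(UA_EXCEPTIONS):
        return RangeVerdict(True, first, False, "User-Agent on exception list")
    return RangeVerdict(True, first, True, "Range begins with 0 (RFC-valid, heuristic match)")


if __name__ == "__main__":
    # Constructed sample requests; the first reproduces the audit-log data above.
    samples = [
        {"Range": "bytes=0-6134031", "User-Agent": "Wget/1.12"},
        {"Range": "bytes=500-1233", "User-Agent": "Mozilla/5.0"},
        {"Range": "bytes=0-499", "User-Agent": "facebookexternalhit/1.1"},
        {"Range": "bytes=abc", "User-Agent": "curl/7.21"},
    ]
    for h in samples:
        print(h.get("Range"), "->", evaluate(h))
```

Running the block shows `bytes=0-6134031` reported as RFC-valid but flagged, `bytes=500-1233` as clean, and the Facebook fetcher as exempted, which is exactly the behaviour Ryan describes. If the heuristic turns out to be wrong for a given site, the standard ModSecurity way to drop it locally is the `SecRuleRemoveById 958291` directive in a local exceptions file, rather than editing the CRS rule file itself.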