I'm using ModSecurity 2.6 with ruleset/2.2.5 on Apache 2.4. Section H of all logs appearing in the audit log ends with the lines below. Please see section H below.
Message: Failed to write to DBM file "/cust/apache/httpd-2.4.3/httpd-2.4.3/modsecurity/crs/cif/global": Invalid argument
Apache-Error: [file "mod_rewrite.c"] [line 467] [level 9] %s (multiple times)

Any thoughts on what these mean and how they can be avoided?

--a222e376-H--
Message: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "221"] [id "960020"] [rev "2.2.5"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960020"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]
Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data ">"]
Message: Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\x22><iMg S"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Warning. Pattern match "\\bsrc\\b\\W*?\\bvbscript:" at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "103"] [id "958033"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=vbscript:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
Message: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<img "]
Message: Warning. Pattern match "\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "588"] [id "973304"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "src="]
Message: Warning. Pattern match "(asfunction|javascript|vbscript|data|mocha|livescript):" at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "606"] [id "973305"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "vbscript:"]
Message: Warning. Pattern match "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\'\" ])|(in)).+?\\(.*?\\))" at ARGS:ssn1. [file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "765"] [id "973335"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "\x22><iMg SrC=vBsCrIpT:MsgBox(63346)"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
[file "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 35, SQLi=2, XSS=25): IE XSS Filters - Attack Detected"]
Message: Failed to write to DBM file "/cust/apache/httpd-2.4.3/httpd-2.4.3/modsecurity/crs/cif/global": Invalid argument
Apache-Error: [file "mod_rewrite.c"] [line 467] [level 9] %s
Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s
Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s
Apache-Error: [file "mod_rewrite.c"] [line 467] [level 8] %s
Apache-Error: [file "proxy_util.c"] [line 1792] [level 9] %s: found worker %s for %s
Apache-Error: [file "mod_proxy.c"] [line 1070] [level 7] AH01143: Running scheme %s handler (attempt %d)
Apache-Error: [file "proxy_util.c"] [line 2030] [level 7] AH00944: connecting %s to %s:%d
Apache-Error: [file "proxy_util.c"] [line 2152] [level 7] AH00947: connected %s to %s:%d
Apache-Handler: proxy-server
Stopwatch: 1354657503037214 99334 (- - -)
Stopwatch2: 1354657503037214 99334; combined=62623, p1=4965, p2=31299, p3=271, p4=23967, p5=1828, sr=4183, sw=293, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurity.org/); core ruleset/2.2.5.
Server: Apache
WebApp-Info: "default" "E9BA05953DB7550EDE5B2243B52E0122" ""