On Thu, Dec 6, 2012 at 6:20 PM, Thayyilekandy, Subin < sthayyile...@barclaycardus.com> wrote:
> ** ** > > I’m using Mod security 2.6 with ruleset/2.2.5 on apache 2.4 , Section H of > all logs appearing in the audit log ends with the below lines ,Please see > section H below .**** > > ** ** > > ** ** > > *Message: Failed to write to DBM file > "/cust/apache/httpd-2.4.3/httpd-2.4.3/modsecurity/crs/cif/global": Invalid > argument* > > *Apache-Error: [file "mod_rewrite.c"] [line 467] [level 9] %s ( > multiple times) * > > ** ** > > Any thoughts on what these mean and how they can be avoided ?**** > > ** > Hi Subin, The SDBM library that ModSecurity uses for persistent collections has an arbitrary limit of 1008 bytes on the combined size of the key and record lengths. When you go over that limit, you get a cryptic error message like you reported above. You can increase that limit by recompiling APR and APR-util. I explained how here: http://www.purehacking.com/blogs/josh-zlatin/increasing-modsecurity-collection-size-limits -- - Josh > ** > > --a222e376-H--**** > > Message: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] > [line "221"] [id "960020"] [rev "2.2.5"] [msg "Pragma Header requires > Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag > "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag " > https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960020";] [tag > "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag " > http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]**** > > Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\( > \\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" > at ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] > [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character > Anomaly Detection Alert - Total # of special characters exceeded"] [data > ">"]**** > > Message: Warning. Pattern match > "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 > ..." at ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] > [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass > attempts 2/3"] [data "\x22><iMg S"] [severity "CRITICAL"] [tag > "WEB_ATTACK/SQLI"]**** > > Message: Warning. Pattern match "\\bsrc\\b\\W*?\\bvbscript:" at > ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] > [line "103"] [id "958033"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) > Attack"] [data "src=vbscript:"] [severity "CRITICAL"] [tag > "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag > "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]**** > > Message: Warning. Pattern match > "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h > ..." at ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] > [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected > - HTML Tag Handler"] [data "<img "]**** > > Message: Warning. Pattern match " > \\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" at ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] > [line "588"] [id "973304"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data > "src="]**** > > Message: Warning. Pattern match > "(asfunction|javascript|vbscript|data|mocha|livescript):" at ARGS:ssn1. > [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] > [line "606"] [id "973305"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data > "vbscript:"]**** > > Message: Warning. Pattern match "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\'\" > ])|(in)).+?\\(.*?\\))" at ARGS:ssn1. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] > [line "765"] [id "973335"] [rev "2.2.5"] [msg "IE XSS Filters - Attack > Detected"] [data "\x22><iMg SrC=vBsCrIpT:MsgBox(63346)"]**** > > Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file > "/cust/docs/config/dev03/cif/crs/base_rules/modsecurity_crs_60_correlation.conf"] > [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total > Inbound Score: 35, SQLi=2, XSS=25): IE XSS Filters - Attack Detected"]**** > > Message: Failed to write to DBM file > "/cust/apache/httpd-2.4.3/httpd-2.4.3/modsecurity/crs/cif/global": Invalid > argument**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 9] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 11] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 10] %s**** > > Apache-Error: [file "mod_rewrite.c"] [line 467] [level 8] %s**** > > Apache-Error: [file "proxy_util.c"] [line 1792] [level 9] %s: found worker > %s for %s**** > > Apache-Error: [file "mod_proxy.c"] [line 1070] [level 7] AH01143: Running > scheme %s handler (attempt %d)**** > > Apache-Error: [file "proxy_util.c"] [line 2030] [level 7] AH00944: > connecting %s to %s:%d**** > > Apache-Error: [file "proxy_util.c"] [line 2152] [level 7] AH00947: > connected %s to %s:%d**** > > Apache-Handler: proxy-server**** > > Stopwatch: 1354657503037214 99334 (- - -)**** > > Stopwatch2: 1354657503037214 99334; combined=62623, p1=4965, p2=31299, > p3=271, p4=23967, p5=1828, sr=4183, sw=293, l=0, gc=0**** > > Response-Body-Transformed: Dechunked**** > > Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurity.org/); > core ruleset/2.2.5.**** > > Server: Apache**** > > WebApp-Info: "default" "E9BA05953DB7550EDE5B2243B52E0122" ""**** > > ** ** > > Barclaycard > > www.barclaycardus.com > > This email and any files transmitted with it may contain confidential > and/or proprietary information. It is intended solely for the use of the > individual or entity who is the intended recipient. Unauthorized use of > this information is prohibited. If you have received this in error, please > contact the sender by replying to this message and delete this material > from any system it may be on. > > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
