Greetings,
My first time posting here. I just yum installed mod_security on my RedHat 6.4 box. I added the following to my httpd.conf:

<IfModule security2_module>
    Include conf/crs/activated_rules/*.conf
    SecAuditLog logs/mod_security_audit_log
</IfModule>

One of my tests is failing. Any help will be greatly appreciated. Below is the audit.

--6deb2369-A--
[01/Aug/2013:15:43:21 --0400] Ufq6WQrjAnkAABpYE54AAAAA 127.0.0.1 46939 127.0.0.1 443
--6deb2369-B--
POST /cgi-bin/upload/upload.php?upload_id=90241375386201-0 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic OTAyNDEzNzUzODYyMDEtMDoxMjM0
Host: localhost
User-Agent: libwww-perl/5.833
Content-Length: 198
Content-Type: multipart/form-data; boundary=xYzZY

--6deb2369-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="WH Upload"
Content-Length: 401
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6deb2369-E--

--6deb2369-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.15/modules/aaa/mod_auth_basic.c"] [line 265] [level 3] user 90241375386201-0: authentication failure for "/cgi-bin/upload/upload.php": Password Mismatch
Apache-Handler: cgi-script
Stopwatch: 1375386201575983 7325 (- - -)
Stopwatch2: 1375386201575983 7325; combined=1221, p1=847, p2=0, p3=1, p4=263, p5=110, sr=110, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

--6deb2369-Z--

--6deb2369-A--
[01/Aug/2013:15:43:21 --0400] Ufq6WQrjAnkAABpZF3cAAAAB 127.0.0.1 46940 127.0.0.1 443
--6deb2369-B--
POST /cgi-bin/upload/upload.php?upload_id=90241375386201-0 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic OTAyNDEzNzUzODYyMDEtMDpsTmw3VndGWG4=
Host: localhost
User-Agent: libwww-perl/5.833
Content-Length: 132
Content-Type: multipart/form-data; boundary=xYzZY

--6deb2369-F--
HTTP/1.1 403 Forbidden
Content-Length: 227
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6deb2369-E--

--6deb2369-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1375386201617708 9166 (- - -)
Stopwatch2: 1375386201617708 9166; combined=1064, p1=833, p2=176, p3=0, p4=0, p5=55, sr=95, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "ENABLED"

--6deb2369-J--
1,10,"1375386201.txt","<Unknown ContentType>"
Total,10

--6deb2369-Z--

--6deb2369-A--
[01/Aug/2013:15:43:21 --0400] Ufq6WQrjAnkAABpaGjYAAAAC 127.0.0.1 46941 127.0.0.1 443
--6deb2369-B--
POST /cgi-bin/upload/upload.php?upload_id=90241375386201-0 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic OTAyNDEzNzUzODYyMDEtMDpsTmw3VndGWG4=
Host: localhost
User-Agent: libwww-perl/5.833
Content-Length: 132
Content-Type: multipart/form-data; boundary=xYzZY

--6deb2369-I--

--6deb2369-F--
HTTP/1.1 403 Forbidden
Content-Length: 227
Connection: close
Content-Type: text/html; charset=iso-8859-1
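An added example, not part of the original post or of ModSecurity: a small parser for the audit-log layout shown above that reports, per transaction, the response status, whether ModSecurity intercepted the request, and which rule ids appear in part H. The sample log is constructed (blank lines between parts are omitted), and `parse` and `summarize` are hypothetical helper names.

```python
import re

# Constructed sample (made-up IDs and hosts); the second entry is cut off before Z.
SAMPLE = '''--aaaa0001-A--
[01/Jan/2024:10:00:00 +0000] TX1 192.0.2.10 40000 192.0.2.1 443
--aaaa0001-F--
HTTP/1.1 401 Authorization Required
--aaaa0001-H--
Apache-Error: [file "mod_auth_basic.c"] [line 265] [level 3] user demo: Password Mismatch
--aaaa0001-Z--
--aaaa0002-A--
[01/Jan/2024:10:00:01 +0000] TX2 192.0.2.10 40001 192.0.2.1 443
--aaaa0002-F--
HTTP/1.1 403 Forbidden
--aaaa0002-H--
Message: Access denied with code 403 (phase 2). [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Action: Intercepted (phase 2)
'''

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # matches e.g. [id "960015"]

def parse(text):
    """Split a serial audit log into a list of {part letter: [lines]} dicts."""
    txs, part = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "A":
                txs.append({})  # part A opens a new transaction
        elif txs and part != "Z" and line:
            txs[-1].setdefault(part, []).append(line)
    return txs

def summarize(tx):
    """Report the response status and whether ModSecurity or Apache produced it."""
    h = tx.get("H", [])
    rules = [dict(FIELD.findall(l)) for l in h if l.startswith("Message:")]
    status = [l.split(" ", 1)[1] for l in tx.get("F", []) if l.startswith("HTTP/")]
    return {
        "status": status[0] if status else None,
        "intercepted": any(l.startswith("Action: Intercepted") for l in h),
        "rules": [(r.get("id"), r.get("msg")) for r in rules],
        "apache_error": any(l.startswith("Apache-Error:") for l in h),
    }

if __name__ == "__main__":
    print([summarize(tx) for tx in parse(SAMPLE)])
```

An entry with `intercepted` false and `apache_error` true was rejected by Apache itself, while an entry with `intercepted` true lists the rule ids to look up in the activated rules directory.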