I'm no expert either, but it seems to be deciding this based on the Apache response.
If you disable mod_sec briefly, and re-send the request, what response do you get?

cheers,
 Jamie

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_20_protocol_violations.conf

#
# Identify Invalid URIs Blocked by Apache
#
# -=[ Rule Logic ]=-
#
# There are some request violations that Apache will handle internally, prior to the
# ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get
# visibility by running a check in phase:5 logging to look for the Apache error msg.
#
# -=[ References ]=-
#
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
  "msg:'Apache Error: Invalid URI in Request.', \
  severity:'4', \
  id:'981227', \
  ver:'OWASP_CRS/2.2.9', \
  rev:'1', \
  maturity:'9', \
  accuracy:'9', \
  logdata:'%{request_line}', \
  phase:5, \
  pass, \
  t:none, \
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
  tag:'CAPEC-272', \
  setvar:'tx.msg=%{rule.msg}', \
  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

On 20 March 2014 15:02, Jamie Jackson <jamieja...@gmail.com> wrote:
> Hi Folks,
>
> I'm just getting started experimenting with the CRS, so I'm going to have a
> bunch of questions about some of the default rules.
>
> Here's the first: I can't spot a problem in the requested URI. (In fact, it
> looks typical to me.) Can you help me figure out what's triggering the
> warning?
>
> Thanks,
> Jamie
>
> --aa2d203d-A--
> [20/Mar/2014:10:55:14 --0400] UysBUn8AAQEAACbzCEMAAAAK 127.0.0.1 53771
> 127.0.0.1 443
> --aa2d203d-B--
> GET / HTTP/1.1
> Host: local.mysite.info
> Connection: keep-alive
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/33.0.1750.146 Safari/537.36
> Referer: https://local.mysite.info/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Cookie: USERID=; USERHASH=;
> ORIGINALURLTOKEN=967683ED%2DD2D8%2D4EFB%2D8EA1F7D5E610EA74;
> MOBILEFORMAT=false; CFID=155102; CFTOKEN=61883191;
> CFAUTHORIZATION_cfadmin=YWRtaW4NNkFBQTRCN0IzNDQ4NTRFQzg0RDQzNEVBNjBDMkE1NDI1Qjk3QTQxQw1jZmFkbWlu;
> CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fdebugging%2Findex%2Ecfm;
> JSESSIONID=9830fde5266a22573ad64313382327227d5d;
> __utma=182783035.782843501.1395323759.1395323759.1395326921.2;
> __utmb=182783035.3.10.1395326921; __utmc=182783035;
> __utmz=182783035.1395323759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>
> --aa2d203d-F--
> HTTP/1.1 200 OK
> Content-Language: en-US
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
>
> --aa2d203d-E--
>
> <snip>
>
> --aa2d203d-H--
> Message: Warning. String match "Invalid URI in request" at
> WEBSERVER_ERROR_LOG. [file
> "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"]
> [line "82"] [id "981227"] [rev "1"] [msg "Apache Error: Invalid URI in
> Request."] [data "GET / HTTP/1.1"] [severity "WARNING"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
> Apache-Error: [file "core.c"] [line 3558] [level 3] Invalid URI in request
> GET / HTTP/1.1, referer: https://local.mysite.info/
> Apache-Handler: jrun-handler
> Stopwatch: 1395327314069020 371594 (- - -)
> Stopwatch2: 1395327314069020 371594; combined=23196, p1=524, p2=11283,
> p3=38, p4=10878, p5=467, sr=154, sw=6, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.9.
> Server: Apache/2.2.22 (Ubuntu)
> WebApp-Info: "default" "-" ""
>
> --aa2d203d-Z--
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>

--
Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
http://uk.linkedin.com/in/jamieriden
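
Added example, not part of the original thread or of the CRS: a small Python parser for section H of a ModSecurity audit log entry that pairs each alert raised on WEBSERVER_ERROR_LOG with the Apache-Error line containing the matched string, so the alert can be traced to Apache's own error message rather than to the request fields. The function names are hypothetical, and the sample is the thread's section H with the mail wrapping undone and trimmed.

```python
import re

# Section H from the thread's audit log entry, mail wrapping undone and trimmed.
SAMPLE_H = (
    'Message: Warning. String match "Invalid URI in request" at '
    'WEBSERVER_ERROR_LOG. [file "/etc/modsecurity/activated_rules/'
    'modsecurity_crs_20_protocol_violations.conf"] [line "82"] [id "981227"] '
    '[msg "Apache Error: Invalid URI in Request."] [data "GET / HTTP/1.1"]\n'
    'Apache-Error: [file "core.c"] [line 3558] [level 3] Invalid URI in '
    'request GET / HTTP/1.1, referer: https://local.mysite.info/\n'
    'Apache-Handler: jrun-handler\n'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "981227"] and similar
MATCH = re.compile(r'match "(?P<needle>.*?)" at (?P<var>[\w:]+)\.')
BRACKETS = re.compile(r'^(?:\[[^\]]*\]\s*)+')           # leading [file ..] [line ..] [level ..]

def parse_section_h(text):
    """Return (alerts, apache_errors) parsed from one section H."""
    alerts, errors = [], []
    for line in text.splitlines():
        if line.startswith("Message: "):
            fields = dict(FIELD.findall(line))
            m = MATCH.search(line)
            alerts.append({
                "id": fields.get("id"),
                "msg": fields.get("msg"),
                "data": fields.get("data"),
                "variable": m.group("var") if m else None,
                "needle": m.group("needle") if m else None,
            })
        elif line.startswith("Apache-Error: "):
            errors.append(BRACKETS.sub("", line[len("Apache-Error: "):]))
    return alerts, errors

def error_log_alerts(text):
    """Pair alerts raised on WEBSERVER_ERROR_LOG with the Apache error text that matched."""
    alerts, errors = parse_section_h(text)
    return [
        (a["id"], a["data"], [e for e in errors if a["needle"] in e])
        for a in alerts
        if a["variable"] == "WEBSERVER_ERROR_LOG"
    ]

if __name__ == "__main__":
    for rule_id, request_line, causes in error_log_alerts(SAMPLE_H):
        print(rule_id, repr(request_line), "<-", causes)
```

An alert whose matched variable is a request field (ARGS, REQUEST_HEADERS and so on) is left out of the result, which separates alerts derived from Apache's error log from those derived from the request itself.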