On 3/20/14 11:13 AM, "Jamie Riden" <jamie.ri...@gmail.com> wrote:

>I'm no expert either, but it seems to be deciding this based on the
>Apache response.

That is correct.  In this case, ModSecurity is alerting on Apache errors
generated by other Apache modules.

-Ryan

>
>If you disable mod_sec briefly, and re-send the request, what response
>do you get?
>
>cheers,
> Jamie
>
>
>https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_20_protocol_violations.conf
>#
># Identify Invalid URIs Blocked by Apache
>#
># -=[ Rule Logic ]=-
>#
># There are some request violations that Apache will handle internally, prior to the
># ModSecurity phase:1 POST-READ-REQUEST hook.  For these requests, we can still get
># visibility by running a check in phase:5 logging to look for the Apache error msg.
>#
># -=[ References ]=-
>#
>SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
>  "msg:'Apache Error: Invalid URI in Request.', \
>  severity:'4', \
>  id:'981227', \
>  ver:'OWASP_CRS/2.2.9', \
>  rev:'1', \
>  maturity:'9', \
>  accuracy:'9', \
>  logdata:'%{request_line}', \
>  phase:5, \
>  pass, \
>  t:none, \
>  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
>  tag:'CAPEC-272', \
>  setvar:'tx.msg=%{rule.msg}', \
>  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
>  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>
>On 20 March 2014 15:02, Jamie Jackson <jamieja...@gmail.com> wrote:
>> Hi Folks,
>>
>> I'm just getting started experimenting with the CRS, so I'm going to
>>have a
>> bunch of questions about some of the default rules.
>>
>> Here's the first: I can't spot a problem in the requested URI. (In
>>fact, it
>> looks typical to me.) Can you help me figure out what's triggering the
>> warning?
>>
>> Thanks,
>> Jamie
>>
>> --aa2d203d-A--
>> [20/Mar/2014:10:55:14 --0400] UysBUn8AAQEAACbzCEMAAAAK 127.0.0.1 53771
>> 127.0.0.1 443
>> --aa2d203d-B--
>> GET / HTTP/1.1
>> Host: local.mysite.info
>> Connection: keep-alive
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
>> Referer: https://local.mysite.info/
>> Accept-Encoding: gzip,deflate,sdch
>> Accept-Language: en-US,en;q=0.8
>> Cookie: USERID=; USERHASH=; ORIGINALURLTOKEN=967683ED%2DD2D8%2D4EFB%2D8EA1F7D5E610EA74; MOBILEFORMAT=false; CFID=155102; CFTOKEN=61883191; CFAUTHORIZATION_cfadmin=YWRtaW4NNkFBQTRCN0IzNDQ4NTRFQzg0RDQzNEVBNjBDMkE1NDI1Qjk3QTQxQw1jZmFkbWlu; CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fdebugging%2Findex%2Ecfm; JSESSIONID=9830fde5266a22573ad64313382327227d5d; __utma=182783035.782843501.1395323759.1395323759.1395326921.2; __utmb=182783035.3.10.1395326921; __utmc=182783035; __utmz=182783035.1395323759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>>
>> --aa2d203d-F--
>> HTTP/1.1 200 OK
>> Content-Language: en-US
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Keep-Alive: timeout=5, max=100
>> Connection: Keep-Alive
>> Transfer-Encoding: chunked
>> Content-Type: text/html; charset=UTF-8
>>
>> --aa2d203d-E--
>>
>> <snip>
>>
>> --aa2d203d-H--
>> Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "82"] [id "981227"] [rev "1"] [msg "Apache Error: Invalid URI in Request."] [data "GET / HTTP/1.1"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
>> Apache-Error: [file "core.c"] [line 3558] [level 3] Invalid URI in request GET / HTTP/1.1, referer: https://local.mysite.info/
>> Apache-Handler: jrun-handler
>> Stopwatch: 1395327314069020 371594 (- - -)
>> Stopwatch2: 1395327314069020 371594; combined=23196, p1=524, p2=11283, p3=38, p4=10878, p5=467, sr=154, sw=6, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>> Server: Apache/2.2.22 (Ubuntu)
>> WebApp-Info: "default" "-" ""
>>
>> --aa2d203d-Z--
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
>
>
>--
>Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
>http://uk.linkedin.com/in/jamieriden


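As an added example that is not part of this thread, of ModSecurity or of the CRS: a small Python parser for one ModSecurity serial-format audit log entry that answers Jamie Jackson's question mechanically. It splits the entry on the `--<id>-<letter>--` boundaries, parses the bracketed fields of the `Message:` and `Apache-Error:` lines in part H, and reports whether the matched variable was WEBSERVER_ERROR_LOG (the rule fired on an error another Apache module logged, as Ryan explains) or a request variable (the request content itself matched). The embedded sample is the audit entry quoted above, trimmed to the parts the parser reads; the function and field names are mine, not ModSecurity's.

```python
import re
from typing import Dict, List, Optional

# Sample input: the audit-log entry quoted in this thread, trimmed to parts A, B, F, H, Z.
# Embedded here so the example runs offline; it is not a ModSecurity test fixture.
SAMPLE_AUDIT_LOG = """--aa2d203d-A--
[20/Mar/2014:10:55:14 --0400] UysBUn8AAQEAACbzCEMAAAAK 127.0.0.1 53771 127.0.0.1 443
--aa2d203d-B--
GET / HTTP/1.1
Host: local.mysite.info
Connection: keep-alive

--aa2d203d-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

--aa2d203d-H--
Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "82"] [id "981227"] [rev "1"] [msg "Apache Error: Invalid URI in Request."] [data "GET / HTTP/1.1"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
Apache-Error: [file "core.c"] [line 3558] [level 3] Invalid URI in request GET / HTTP/1.1, referer: https://local.mysite.info/
Apache-Handler: jrun-handler
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.2.22 (Ubuntu)
--aa2d203d-Z--
"""

# Serial audit format: every part starts with a line "--<txid>-<LETTER>--".
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# Bracketed fields: [key "value"], plus the unquoted [line 3558] form used in Apache-Error.
FIELD_RE = re.compile(r'\[(\w+) "?([^"\]]*)"?\]')


def split_parts(entry: str) -> Dict[str, str]:
    """Map each part letter of one audit entry to the text between its boundaries."""
    parts: Dict[str, str] = {}
    marks = list(BOUNDARY_RE.finditer(entry))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def parse_fields(line: str) -> Dict[str, str]:
    """Collect [key "value"] pairs; a repeated key (e.g. tag) is joined with '|'."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value if key not in fields else fields[key] + "|" + value
    return fields


def parse_h_section(h_text: str) -> Dict[str, object]:
    """Return the rule hits (Message lines) and the Apache-Error line, if present."""
    messages: List[Dict[str, str]] = []
    apache_error: Optional[Dict[str, str]] = None
    for line in h_text.splitlines():
        if line.startswith("Message: "):
            body = line[len("Message: "):]
            fields = parse_fields(body)
            # The variable the operator ran against sits in the free text before the first '['.
            head = body.split(" [", 1)[0]
            var = re.search(r" at (\S+?)\.?$", head)
            fields["variable"] = var.group(1) if var else ""
            messages.append(fields)
        elif line.startswith("Apache-Error: "):
            body = line[len("Apache-Error: "):]
            apache_error = parse_fields(body)
            # Whatever follows the last bracket is the emitting module's own message.
            apache_error["text"] = body.rsplit("]", 1)[-1].strip()
    return {"messages": messages, "apache_error": apache_error}


def explain_alert(entry: str) -> Dict[str, str]:
    """Decide whether the first rule hit matched the request or Apache's own error log."""
    parts = split_parts(entry)
    b_lines = parts.get("B", "").splitlines()
    result = {
        "request_line": b_lines[0] if b_lines else "",
        "rule_id": "", "variable": "", "apache_module_file": "",
        "verdict": "no rule hit recorded",
    }
    h = parse_h_section(parts.get("H", ""))
    if not h["messages"]:
        return result
    first = h["messages"][0]
    result["rule_id"] = first.get("id", "")
    result["variable"] = first["variable"]
    if first["variable"] == "WEBSERVER_ERROR_LOG":
        err = h["apache_error"] or {}
        result["apache_module_file"] = err.get("file", "")
        result["verdict"] = (
            f"rule {result['rule_id']} matched the Apache error log, not the request; "
            f"the error was logged by {err.get('file') or 'an unknown module'}: {err.get('text', '')}"
        )
    else:
        result["verdict"] = f"rule {result['rule_id']} matched request data in {first['variable']}"
    return result


if __name__ == "__main__":
    print(explain_alert(SAMPLE_AUDIT_LOG)["verdict"])
```

On the sample this prints a verdict naming rule 981227, WEBSERVER_ERROR_LOG and `core.c`, which is the evidence for Ryan's answer: the `[data "GET / HTTP/1.1"]` in the alert is only the `logdata:'%{request_line}'` echo, and the request line itself is not what matched. Jamie Riden's suggestion (disable mod_security briefly and replay the request) remains the ground truth for what Apache does without the WAF in the path.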