The main purpose of those rules in the modsecurity_crs_21_protocol_anomalies.conf file is to identify non-browser clients. While the RFC says it is optional, all major browsers will send Host, User-Agent and Accept headers. So, if you get a request with a User-Agent value like this:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0

but it is missing an Accept header, then this client is spoofing their User-Agent information. These rules should probably not be configured to block on their own; however, when running in an anomaly scoring mode, they can help to contribute to the overall transactional score for possible blocking.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: ronald.ploe...@bertelsmann.de
Date: Tuesday, October 28, 2014 10:11 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Missing/Empty Accept Header Rule #960015

Hi,

why does the core rule set check for a missing "Accept" header? As far as I understand it is optional. See http://www.w3.org/Protocols/HTTP/HTRQ_Headers.html

"If no Accept: field is present, then it is assumed that text/plain and text/html are accepted."

Thanks and best regards,
Ronald
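The scoring behaviour Ryan describes, as an added example that is not part of this thread and is not CRS code: each protocol-anomaly finding adds points to a per-transaction score, and a browser-like User-Agent that arrives without an Accept header is noted as a possible spoofed client. The raw requests, the point values, the threshold and the `Mozilla/x.y` heuristic are all constructed assumptions for illustration; the real CRS rule IDs, scores and thresholds differ.

```python
"""Added example (not CRS code): anomaly scoring for the protocol checks
discussed in the thread. Sample requests, weights, threshold and the
browser-UA heuristic are constructed assumptions, not CRS values."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed weights and threshold (assumptions; real CRS values differ).
NOTICE, WARNING = 2, 3
THRESHOLD = 5

# Assumed heuristic: UA strings of all major browsers start with "Mozilla/x.y".
BROWSER_UA = re.compile(r"\bMozilla/\d\.\d\b")


def parse_headers(raw: str) -> dict[str, str]:
    """Return the headers of a raw HTTP request as a lower-cased dict.

    The request line is skipped; parsing stops at the first blank line.
    """
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass
class Verdict:
    score: int = 0
    findings: list[str] = field(default_factory=list)

    def block(self) -> bool:
        """Block only when the accumulated score reaches the threshold."""
        return self.score >= THRESHOLD


def score_request(raw: str) -> Verdict:
    """Apply the protocol-anomaly checks and accumulate an anomaly score."""
    h = parse_headers(raw)
    v = Verdict()

    def hit(points: int, msg: str) -> None:
        v.score += points
        v.findings.append(msg)

    if not h.get("host"):
        hit(WARNING, "missing/empty Host header")
    ua = h.get("user-agent", "")
    if not ua:
        hit(NOTICE, "missing/empty User-Agent header")
    if not h.get("accept"):
        hit(NOTICE, "missing/empty Accept header")
        # A browser-like UA without Accept is the spoofing case from the thread.
        if BROWSER_UA.search(ua):
            hit(NOTICE, "browser-like User-Agent without Accept (possible UA spoofing)")
    return v


# Constructed sample requests.
REAL_BROWSER = """GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml
"""

SPOOFED_UA = """GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0
"""

BARE_CLIENT = """GET / HTTP/1.1
Connection: close
"""

if __name__ == "__main__":
    for name, raw in [("browser", REAL_BROWSER), ("spoofed", SPOOFED_UA), ("bare", BARE_CLIENT)]:
        v = score_request(raw)
        print(f"{name}: score={v.score} block={v.block()} findings={v.findings}")
```

The spoofed-UA request scores below the threshold on its own, which is the point Ryan makes: these checks contribute to the transaction score rather than block by themselves, while a client that omits Host, User-Agent and Accept together crosses it.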
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set