Hi Spork,

This is really a standard and you should be able to find a solution online.

This is the radical approach, which makes it go away:

SecRuleRemoveById 960009

Usually, I do not advocate RemoveById, but in this particular case I do it this way from time to time.

Ahoj,

Christian

On Mon, Jul 18, 2016 at 07:48:11PM -0400, Spork Schivago wrote:
> I hope this is the correct mailing list. I lease a virtual private server
> (VPS) from GoDaddy and pay for cPanel. I see in
> /usr/local/apache/logs/error_logs a lot of messages. This is a big one
> that I see a lot of!
>
> [Mon Jul 18 19:19:34.821609 2016] [:error] [pid 6823] [client 127.0.0.1]
> ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "9"] [tag "Host: "] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"]
> [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "franklin.jetbbs.com"]
> [uri "/"] [unique_id "V41kBmjudWkAABqnkC4AAAAE"]
>
>
> [Mon Jul 18 19:19:34.822806 2016] [:error] [pid 6823] [client 127.0.0.1]
> ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
> [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"]
> [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total
> Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "]
> [tag "event-correlation"] [hostname "franklin.jetbbs.com"] [uri
> "/index.html"] [unique_id "V41kBmjudWkAABqnkC4AAAAE"]
>
>
> [Mon Jul 18 19:20:01.427810 2016] [:error] [pid 6819] [client 127.0.0.1]
> ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "283"] [id "960008"] [rev "2"] [msg "Request Missing a Host Header"]
> [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"]
> [tag "Host: "] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"]
> [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "franklin.jetbbs.com"]
> [uri "/whm-server-status"] [unique_id "V41kIWjudWkAABqjYU0AAAAA"]
>
>
> [Mon Jul 18 19:20:01.427892 2016] [:error] [pid 6819] [client 127.0.0.1]
> ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "9"] [tag "Host: "] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"]
> [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "franklin.jetbbs.com"]
> [uri "/whm-server-status"] [unique_id "V41kIWjudWkAABqjYU0AAAAA"]
>
>
> [Mon Jul 18 19:20:01.428676 2016] [:error] [pid 6819] [client 127.0.0.1]
> ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
> [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"]
> [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total
> Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "]
> [tag "event-correlation"] [hostname "franklin.jetbbs.com"] [uri
> "/whm-server-status"] [unique_id "V41kIWjudWkAABqjYU0AAAAA"]
>
>
> [Mon Jul 18 19:20:34.546597 2016] [:error] [pid 6820] [client 127.0.0.1]
> ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "Host: 127.0.0.1"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "127.0.0.1"] [uri "/whm-server-status"] [unique_id
> "V41kQmjudWkAABqkc0UAAAAB"]
>
>
> [Mon Jul 18 19:21:34.542318 2016] [:error] [pid 6821] [client 127.0.0.1]
> ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "Host: 127.0.0.1"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "127.0.0.1"] [uri "/whm-server-status"] [unique_id
> "V41kfmjudWkAABqlx7cAAAAC"]
>
>
> [Mon Jul 18 19:22:34.564614 2016] [:error] [pid 6822] [client 127.0.0.1]
> ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "Host: 127.0.0.1"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "127.0.0.1"] [uri "/whm-server-status"] [unique_id
> "V41kumjudWkAABqmocAAAAAD"]
>
>
> [Mon Jul 18 19:22:51.937856 2016] [:error] [pid 6823] [client
> 169.54.244.75] ModSecurity: Warning. Operator EQ matched 0 at
> REQUEST_HEADERS. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "9"] [tag "Host: ip-104-238-117-105.ip.secureserver.net"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"]
> [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "ip-104-238-117-105.ip.secureserver.net"] [uri "/"] [unique_id
> "V41ky2judWkAABqnkC8AAAAE"]
>
>
> [Mon Jul 18 19:23:34.612950 2016] [:error] [pid 6819] [client 127.0.0.1]
> ModSecurity: Warning. Match of "pm AppleWebKit Android" against
> "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
> [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "Host: 127.0.0.1"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "127.0.0.1"] [uri "/whm-server-status"] [unique_id
> "V41k9mjudWkAABqjYU4AAAAA"]
>
>
> I believe this is a false positive. I talked to cPanel support and I
> believe a cPanel script is checking /whm-server-status to make sure the
> server is up but there's maybe something wrong with the request header in
> the script or something.
>
> I'd like to safely figure out how to whitelist this, so I don't see the log
> filled with these error messages whenever 127.0.0.1 tries connecting to
> whm-server-status. I think the answer lies within
> the /usr/local/apache/conf/modsec_vendor_configs/OWASP/
> rules/REQUEST-01-COMMON-EXCEPTIONS.conf file but I'm not sure how to
> properly write a rule. Can someone show me what I'd need to put in there?
> Thank you!
>
> Ken
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
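An added example (not part of the thread, and not from Christian or the CRS project) that puts the global SecRuleRemoveById beside the narrower exclusion Ken asked for: the three protocol-enforcement rules that fire in his log (960008 missing Host, 960009 missing User-Agent, 960015 missing Accept) are switched off only for requests from 127.0.0.1 to /whm-server-status, so the same rules keep firing for other clients such as the 169.54.244.75 request in the log. Assumptions: the snippet is placed in a file that Apache loads before the CRS rule files (the REQUEST-01-COMMON-EXCEPTIONS.conf file mentioned in the question is the natural candidate in that layout), and rule id 10001 is an unused id in the range reserved for local rules (1 to 99,999).

```apache
# Added example, not the thread's own configuration.
# Assumed: this file is included BEFORE the CRS rule files, so the
# ctl: actions below take effect before 960008/960009/960015 run.

# Global approach from the reply: removes the missing User-Agent rule
# for every client and every URI, including the external request to "/"
# seen in the log. Kept here commented out for comparison.
# SecRuleRemoveById 960009

# Targeted exclusion: both conditions of the chain must match, and only
# then are the three rules removed for the current transaction.
# id 10001 is a constructed local-range id; pick a free one on your host.
# nolog keeps the exclusion rule itself out of the error log.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "id:10001,phase:1,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /whm-server-status" \
        "ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960009,ctl:ruleRemoveById=960015"
```

Once the three base rules no longer match, the request adds nothing to TX:inbound_anomaly_score, so the correlation rule 981204 that appears after them in the log is not triggered either. Run `apachectl configtest` before restarting; afterwards the error log should stop showing new entries with `[client 127.0.0.1]` and `[uri "/whm-server-status"]`, while missing-header warnings from other client addresses continue to be recorded.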