From: Ofer Shezaf <OferS <at> Breach.com>
Subject: Re: mod_security rule id: 960911 question
Newsgroups: gmane.comp.apache.mod-security.user
Date: Monday 24th September 2007 07:50:21 UTC (over 10 years ago)
Another reason that this rule may trigger a lot is a client generating a
lot of HTTP 0.9 requests that do not have the version part at all. The
request would then look like:

GET /

Most notoriously, Apache internal pinger issues such a request
continuously against SSL sites which we haven't compensated for yet in
the core rule set.

~ Ofer 


Ofer Shezaf
[email protected], Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule
Set Project;
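
An added example (not from this thread or from the Core Rule Set): the pattern from the quoted breakdown below, assembled in Python and run over constructed request lines, showing that both the unencoded-space request and the version-less HTTP/0.9 `GET /` fail the match. The lowercasing step, the `classify` helper and its HTTP/0.9 check are assumptions made for illustration.

```python
import re

# Pattern assembled from the pieces in the quoted breakdown (logging escapes
# removed). Rule 960911 denies a request whose REQUEST_LINE does NOT match it.
REQUEST_LINE_RE = re.compile(
    r"^[a-z]{3,10}"                     # 3-10 character command at start
    r"\s*"                              # whitespace
    r"(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??"  # non-greedy, optional protocol://host/
    r"\/[\w\-\.\/~%:@&=+$,;]*"          # URI path
    r"(?:\?[\S]*)??"                    # non-greedy, optional query string
    r"\s*"                              # whitespace
    r"http\/\d\.\d$"                    # HTTP version string at the end
)

# Assumption for this example: an HTTP/0.9 simple request is "GET <target>"
# with no version token, like the "GET /" shown in the message above.
HTTP09_RE = re.compile(r"^GET\s+\S+$")


def violates_960911(request_line: str) -> bool:
    """True when the rule would fire, i.e. the pattern does not match."""
    # Assumption: input is lowercased before matching, since the pattern
    # itself only accepts a-z commands and a lowercase "http/".
    return REQUEST_LINE_RE.search(request_line.lower()) is None


def classify(request_line: str) -> str:
    """Hypothetical triage helper: 'ok', 'http09' or 'malformed'."""
    if not violates_960911(request_line):
        return "ok"
    return "http09" if HTTP09_RE.match(request_line) else "malformed"


# Constructed sample request lines. The last one wraps the URI from the
# posted alert in an assumed "GET ... HTTP/1.1"; the log shows only the URI.
SAMPLES = [
    "GET /some/path?a=val%20with%20spaces HTTP/1.1",
    "GET http://www.mydomain.com/index.html HTTP/1.1",
    "GET /some/path?a=val with spaces HTTP/1.1",
    "GET /",
    "GET /[object%20Image],[object%20Image],[object%20Image],"
    "[object%20Image]left2.gif HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):9}  {line}")
```

Separating the `http09` bucket from `malformed` makes it easier to tell monitoring traffic of the kind described above from requests that are genuinely broken.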



> -----Original Message-----
> From: [email protected] [mailto:mod-
> [email protected]] On Behalf Of Brian
> Rectanus
> Sent: Monday, September 24, 2007 7:34 AM
> To: hanj
> Cc: [email protected]
> Subject: Re: [mod-security-users] mod_security rule id: 960911 question
> 
> It is a test for a proper HTTP request line.  What is the request line
> that generates the error?  Usually I see something like this that has
> extra spaces:
> 
> GET /some/path?a=val with spaces HTTP/1.1
> 
> which should have been:
> 
> GET /some/path?a=val%20with%20spaces HTTP/1.1
> 
> 
> The RE broken down and without the extra escapes from the logging:
> 
> ^[a-z]{3,10} - 3-10 character command at start
> \s* - whitespace
> (?:\w{3,7}?\:\/\/[\w\-\.\/]*)?? - non-greedy, optional protocol://host/
> \/[\w\-\.\/~%:@&=+$,;]* - URI path
> (?:\?[\S]*)?? - non-greedy, optional query string
> \s* - whitespace
> http\/\d\.\d$ - HTTP version string at the end
> 
> later,
> -B
> 
> hanj wrote:
> > Hello
> >
> > I was wondering if someone could explain what this rule is about? I
> > keep seeing lots of alerts for this, and I'm thinking they might be
> > false positives.
> >
> > [Sun Sep 23 20:02:36 2007] [error] [client 69.xxx.xxx.xxx] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/[object%20Image],[object%20Image],[object%20Image],[object%20Image]left2.gif"] [unique_id "A7VhiEE9nXMAAA26MjgAAAAB"]
> >
> > I'm running the following:
> > mod_security-2.1.2
> > apache-2.2.6
> >
> > Thanks!
> > hanj
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > mod-security-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 
> 
> --
> Brian Rectanus
> Breach Security
> 