
List:       mod-security-users
Subject:    [mod-security-users] ctl:ruleRemoveTargetById won't work correctly
From:       Ehsan Mahdavi <ehsan.mahdavi () gmail ! com>
Date:       2015-01-17 7:59:57
Message-ID: CAC7V=mxcHFVzzLof8Ye=D3bT-15hrHLdcxUfat2DEgEar1VsHQ () mail ! gmail ! com

Dear All, hi

For a specific URI and argument I don't want the rule 960209 to be fired.

The URI is: /fa/views/ajax
I think the argument is: ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]


The rule 960209 checks argument name length. On my setting it will fire if
the length is greater than 100.

I wrote a rule like:

SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"

It is fired before the rule 960209 but won't work.

I highlighted these rules in my audit trail.

What is the problem?
Thanks in advance

-- 
                    regards
                      E.M


--VLegPn8AAAEAAFB4UbkAAAEB-A--
[15/Jan/2015:14:40:56 +0330] VLegPn8AAAEAAFB4UbkAAAEB 37.254.173.219 18552
176.101.52.98 80
--VLegPn8AAAEAAFB4UbkAAAEB-B--
POST /fa/views/ajax HTTP/1.1
Referer: http://mysite/fa/session-archivs
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.7,fa;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like
Gecko
Host: mysite
Content-Length: 8050
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: has_js=1

--VLegPn8AAAEAAFB4UbkAAAEB-C--
--VLegPn8AAAEAAFB4UbkAAAEB-E--

--VLegPn8AAAEAAFB4UbkAAAEB-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 15 Jan 2015 10:16:58 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1421317018"
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

--VLegPn8AAAEAAFB4UbkAAAEB-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file
"/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file
"/opt/modsec/facu/etc/active/11035.conf"] [line "5"] [id "2002"]
*Message: Warning. Operator GT matched 100 at
ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js].
 [file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"]
[msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"]
[maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]*
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file
"/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound
Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too
long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Stopwatch2: 1421320254300902 1867389; combined=676477, p1=1617, p2=673800,
p3=7, p4=259, p5=568, sr=202, sw=226, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/);
OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"

--VLegPn8AAAEAAFB4UbkAAAEB-K--
SecAction
"phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_s \
core=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction
"phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,se \
tvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"


SecAction
"phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=9,setvar:tx.outbound_anomaly_score_level=5,nolog,pass"


SecAction
"phase:1,id:900004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"

SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"

SecAction
"phase:1,id:900007,t:none,setvar:tx.arg_name_length=100,nolog,pass"

SecAction "phase:1,id:900008,t:none,setvar:tx.arg_length=400,nolog,pass"

SecAction
"phase:1,id:900009,t:none,setvar:tx.total_arg_length=64000,nolog,pass"

SecAction
"phase:1,id:900010,t:none,setvar:tx.max_file_size=1048576,nolog,pass"

SecAction
"phase:1,id:900011,t:none,setvar:tx.combined_file_sizes=1048576,nolog,pass"

SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD
POST
OPTIONS',setvar:tx.allowed_request_content_type=application/json|application/x-amf|app \
lication/x-www-form-urlencoded|application/xml|multipart/form-data|text/xml,setvar:'tx.allowed_http_versions=HTTP/0.9
 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.dos/ .dll/ .cmd/ .cer/
.bat/ .bak/ .backup/ .dll/
.cer/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
/Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecAction
"phase:1,id:900015,t:none,setvar:tx.dos_burst_time_slice=20,setvar:tx.dos_counter_threshold=60,setvar:tx.dos_block_timeout=300,nolog,pass"


SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$"
"phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"


SecRule "&TX:REAL_IP" "@eq 0"
"phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"


*SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_ \
state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"*


SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2002,t:none,pass,ctl:ruleRemoveById=981173"

SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,msg:'POST request
missing Content-Length
Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,lo \
gdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
 #SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_FILE_SIZE" "@eq 1"
"phase:1,log,chain,t:none,block,msg:'Uploaded file size too
large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
 #SecRule "REQUEST_HEADERS:Content-Type" "@beginsWith multipart/form-data"
"chain"
#SecRule "REQUEST_HEADERS:Content-Length" "@gt %{tx.max_file_size}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:1,log,chain,t:none,block,msg:'Request content type is not allowed by
policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY \
/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
 SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$"
"t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS:Content-Type" "@rx
^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$"
 "phase:2,log,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL
 Encoding Abuse Attack
Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_BODY|XML:/*" "@rx
\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
#SecRule "REQUEST_BODY|XML:/*" "@validateUrlEncoding "
"setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
 Missing an Accept
Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
 #SecRule "&REQUEST_HEADERS:Accept" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
 Has an Empty Accept
Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

*SecRule "&TX:ARG_NAME_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument name too
long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"*
                
*SecRule "ARGS_NAMES" "@gt %{tx.arg_name_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"*

SecRule "&TX:ARG_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument value too
long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
 #SecRule "ARGS" "@gt %{tx.arg_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"


Other non-disruptive rules! <the complete audit trail is available as
attachment>

--VLegPn8AAAEAAFB4UbkAAAEB-Z--
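
A way to check from an audit log whether a `ctl:ruleRemoveTargetById` exclusion took effect, as an added example that is not part of the original post: it parses the `Message:` entries of an "H" section (including entries hard-wrapped by a mail client) and compares them with the exclusion in the rule. The sample rule and log are constructed, with shortened placeholder paths and argument names; the function names are this example's own, and matching the collection name case-insensitively and the key exactly is a simplification chosen here.

```python
import re

# Non-message lines of the H section look like "Stopwatch: ..." or "Server: ...".
HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")
# "Message: <action>. <detail> at <VARIABLE>. [file ..."
MESSAGE = re.compile(
    r"^Message: (?P<action>[^.]+)\. (?P<detail>.+?) at (?P<var>\S+)\.\s+\[file ")
# Bracketed metadata such as [id "960209"] or [msg "Argument name too long"].
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# ctl:ruleRemoveTargetById=<rule id>;<COLLECTION>[:<key>]
CTL = re.compile(r"ctl:ruleRemoveTargetById=(\d+);([^,\"']+)")

# Constructed sample rule in the shape used in the post (argument name shortened).
SAMPLE_RULE = (
    'SecRule REQUEST_URI "@streq /fa/views/ajax" '
    '"phase:1,log,id:2001,t:none,pass,'
    'ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/example/a.js]"'
)

# Constructed sample H section; some entries are wrapped the way a mail client
# wraps them, and one carries the "*" bold markers seen in the post.
SAMPLE_H = '''\
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file
"/etc/example/local.conf"] [line "3"] [id "2001"]
*Message: Warning. Operator GT matched 100 at
ARGS_NAMES:ajax_page_state[js][sites/example/a.js].
 [file "/etc/example/crs.conf"] [line "23"] [id "960209"] [rev "2"]
[msg "Argument name too long"] [severity "WARNING"]*
Message: Warning. Operator GT matched 100 at ARGS_NAMES:ajax_page_state[js][sites/example/b.js]. [file "/etc/example/crs.conf"] [line "23"] [id "960209"] [msg "Argument name too long"]
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file
"/etc/example/corr.conf"] [line "33"] [id "981203"] [msg "Inbound
Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too
long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Engine-Mode: "DETECTION_ONLY"
'''


def parse_messages(section_h):
    """Return one dict per 'Message:' entry, re-joining hard-wrapped lines."""
    chunks, collecting = [], False
    for raw in section_h.splitlines():
        line = raw.strip().strip("*")          # drop e-mail bold markers
        if line.startswith("Message: "):
            chunks.append([line])
            collecting = True
        elif not line or HEADER.match(line):   # next header ends the entry
            collecting = False
        elif collecting:
            chunks[-1].append(line)            # continuation of a wrapped entry
    entries = []
    for chunk in chunks:
        text = " ".join(chunk)
        match = MESSAGE.match(text)
        if match:
            meta = dict(META.findall(text))
            entries.append({"id": meta.get("id"), "msg": meta.get("msg"),
                            "var": match.group("var")})
    return entries


def parse_exclusions(rule_text):
    """Return (rule_id, COLLECTION, key) for each ctl:ruleRemoveTargetById."""
    exclusions = []
    for rule_id, target in CTL.findall(rule_text):
        collection, _, key = target.partition(":")
        exclusions.append((rule_id, collection.upper(), key))
    return exclusions


def check_exclusions(rule_text, section_h):
    """Report, per exclusion, where the excluded rule still matched."""
    fired = parse_messages(section_h)
    report = []
    for rule_id, collection, key in parse_exclusions(rule_text):
        on_target, on_other = [], []
        for entry in fired:
            coll, _, name = entry["var"].partition(":")
            if entry["id"] != rule_id or coll.upper() != collection:
                continue
            # An empty key means the whole collection was excluded.
            (on_target if not key or name == key else on_other).append(entry["var"])
        report.append({
            "rule_id": rule_id,
            "target": collection + (":" + key if key else ""),
            "still_fired_on_target": on_target,   # exclusion had no effect
            "fired_on_other_keys": on_other,      # keys the exclusion does not name
        })
    return report


if __name__ == "__main__":
    for item in check_exclusions(SAMPLE_RULE, SAMPLE_H):
        print(item)
```

A non-empty `still_fired_on_target` means the rule matched the exact variable the exclusion names; entries under `fired_on_other_keys` are matches on other keys of the same collection that the exclusion never covered.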


[Attachment #5 (text/html)]

<div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font color="#000000" \
style="color:rgb(0,0,0);font-size:13px">Dear All, hi</font><div \
style="color:rgb(0,0,0);font-size:13px"><br></div><div \
style="color:rgb(0,0,0);font-size:13px">For a specific URI and argument I don&#39;t \
want the rule  960209 to be fired.</div><div \
style="color:rgb(0,0,0);font-size:13px"><br></div><div \
style="color:rgb(0,0,0);font-size:13px">The URI is :  /fa/views/ajax</div><div \
style="color:rgb(0,0,0);font-size:13px">I think the argument is:  \
ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]</div><div \
style="color:rgb(0,0,0);font-size:13px"><br></div><div \
style="color:rgb(0,0,0);font-size:13px">The rule 960209 checks argument name length. \
On my setting it will fire if the length is greater than 100.</div><div \
style="color:rgb(0,0,0);font-size:13px"><br></div><div \
style="color:rgb(0,0,0);font-size:13px"><font color="#000000">I wrote a rule like: \
SecRule &quot;REQUEST_URI&quot; &quot;@streq /fa/views/ajax&quot; \
&quot;phase:1,log,id:2001,t:none,</font><font \
color="#000000">pass,ctl:ruleRemoveTargetById=</font><font \
color="#000000">960209;ARGS_NAMES:ajax_page_</font><font \
color="#000000">state[js][sites/mysite/</font><font \
color="#000000">modules/nice_menus/superfish/</font><font \
color="#000000">js/jquery.hoverIntent.</font><font \
color="#000000">minified.js]&quot;</font><br clear="all"><div><br></div><div>It is \
fired before the rule 960209 but won&#39;t work.</div><div><br></div><div>I \
highlighted these rules on my audit trial.</div><div><br></div><div>What is the \
problem?</div><div>Thanks in advance</div><div><br></div><div>--  <br></div><div><div \
dir="ltr"><div dir="ltr"><div style="color:rgb(136,136,136)">                         \
regards<br>                                 E.M</div><div \
style="color:rgb(136,136,136)"><br></div><div \
style="color:rgb(136,136,136)"><br></div><div><div><font \
color="#888888">--VLegPn8AAAEAAFB4UbkAAAEB-A--</font></div><div><font \
color="#888888">[15/Jan/2015:14:40:56 +0330] VLegPn8AAAEAAFB4UbkAAAEB 37.254.173.219 \
18552 176.101.52.98 80</font></div><div><font \
color="#888888">--VLegPn8AAAEAAFB4UbkAAAEB-B--</font></div><div><font \
color="#888888">POST /fa/views/ajax HTTP/1.1</font></div><div><font \
color="#888888">Referer:  <a href="http://mysite/fa/session-archivs" target="_blank" \
style="text-decoration:none">http://mysite/fa/session-archivs</a></font></div><div><font \
color="#888888">Content-Type: \
application/x-www-form-urlencoded</font></div><div><font \
color="#888888">X-Requested-With: XMLHttpRequest</font></div><div><font \
color="#888888">Accept: application/json, text/javascript, */*; \
q=0.01</font></div><div><font color="#888888">Accept-Language: \
en-US,en;q=0.7,fa;q=0.3</font></div><div><font color="#888888">Accept-Encoding: gzip, \
deflate</font></div><div><font color="#888888">User-Agent: Mozilla/5.0 (Windows NT \
6.3; WOW64; Trident/7.0; rv:11.0) like Gecko</font></div><div><font \
color="#888888">Host: mysite</font></div><div><font color="#888888">Content-Length: \
8050</font></div><div><font color="#888888">DNT: 1</font></div><div><font \
color="#888888">Connection: Keep-Alive</font></div><div><font \
color="#888888">Cache-Control: no-cache</font></div><div><font \
color="#888888">Cookie: has_js=1</font></div><div><font \
color="#888888"><br></font></div><div><font \
color="#888888">--VLegPn8AAAEAAFB4UbkAAAEB-C--</font></div><div><font \
color="#888888">field_session_date2_value%5Bmin%5D%5Bdate%5D=&amp;field_session_date2_ \
value%5Bmin%5D%5Bdatex_edit_field_session_date2_value_min%5D=1393-10-25&amp;field_sess \
ion_date2_value%5Bmax%5D%5Bdate%5D=&amp;field_session_date2_value%5Bmax%5D%5Bdatex_edi \
t_field_session_date2_value_max%5D=1393-10-25&amp;view_name=session_news&amp;view_disp \
lay_id=page_2&amp;view_args=&amp;view_path=session-archivs&amp;view_base_path=session- \
archivs&amp;view_dom_id=597b60253f25979c3f6421ceff3d1f38&amp;pager_element=0&amp;ajax_ \
html_ids%5B%5D=wrapper&amp;ajax_html_ids%5B%5D=header&amp;ajax_html_ids%5B%5D=logofa&a \
mp;ajax_html_ids%5B%5D=slogan-fa&amp;ajax_html_ids%5B%5D=uni-title&amp;ajax_html_ids%5 \
B%5D=department-fa&amp;ajax_html_ids%5B%5D=dheader&amp;ajax_html_ids%5B%5D=block-searc \
h-form&amp;ajax_html_ids%5B%5D=search-block-form&amp;ajax_html_ids%5B%5D=edit-search-b \
lock-form--2&amp;ajax_html_ids%5B%5D=edit-actions&amp;ajax_html_ids%5B%5D=edit-submit& \
amp;ajax_html_ids%5B%5D=block-block-14&amp;ajax_html_ids%5B%5D=main-menu&amp;ajax_html \
_ids%5B%5D=container&amp;ajax_html_ids%5B%5D=content&amp;ajax_html_ids%5B%5D=breadcrum \
bs&amp;ajax_html_ids%5B%5D=post-content&amp;ajax_html_ids%5B%5D=views-exposed-form-ses \
sion-news-page-2&amp;ajax_html_ids%5B%5D=edit-field-session-date2-value-wrapper&amp;aj \
ax_html_ids%5B%5D=edit-field-session-date2-value-min-wrapper&amp;ajax_html_ids%5B%5D=e \
dit-field-session-date2-value-min-inside-wrapper&amp;ajax_html_ids%5B%5D=edit-field-se \
ssion-date2-value-min&amp;ajax_html_ids%5B%5D=edit-field-session-date2-value-min-datep \
icker-popup-0&amp;ajax_html_ids%5B%5D=edit-field-session-date2-value-min-datex-edit-fi \
eld-session-date2-value-min&amp;ajax_html_ids%5B%5D=edit-field-session-date2-value-max \
-wrapper&amp;ajax_html_ids%5B%5D=edit-field-session-date2-value-max-inside-wrapper&amp \
;ajax_html_ids%5B%5D=edit-field-session-date2-value-max&amp;ajax_html_ids%5B%5D=edit-f \
ield-session-date2-value-max-datepicker-popup-0&amp;ajax_html_ids%5B%5D=edit-field-ses \
sion-date2-value-max-datex-edit-field-session-date2-value-max&amp;ajax_html_ids%5B%5D= \
edit-submit-session-news&amp;ajax_html_ids%5B%5D=footer&amp;ajax_html_ids%5B%5D=footer \
-area&amp;ajax_html_ids%5B%5D=block-block-15&amp;ajax_html_ids%5B%5D=copyright&amp;aja \
x_page_state%5Btheme%5D=professional_theme&amp;ajax_page_state%5Btheme_token%5D=k8f9oK \
h7ItaD8TB5aAai0FjBBr5mLTnTdST58LPERsw&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem% \
2Fsystem.base.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.base-r \
tl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.menus.css%5D=1&am \
p;ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.menus-rtl.css%5D=1&amp;ajax_pag \
e_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.messages.css%5D=1&amp;ajax_page_state%5Bc \
ss%5D%5Bmodules%2Fsystem%2Fsystem.messages-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5 \
Bmodules%2Fsystem%2Fsystem.theme.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsys \
tem%2Fsystem.theme-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.c \
ore.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.theme.css%5D=1&amp;a \
jax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.accordion.css%5D=1&amp;ajax_page_state \
%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.datepicker.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bs \
ites%2Fall%2Fmodules%2Fdate%2Fdate_popup%2Fthemes%2Fjquery.timeentry.css%5D=1&amp;ajax \
_page_state%5Bcss%5D%5Bmodules%2Fcomment%2Fcomment.css%5D=1&amp;ajax_page_state%5Bcss% \
5D%5Bmodules%2Fcomment%2Fcomment-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fa \
ll%2Fmodules%2Fdate%2Fdate_api%2Fdate.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2F \
all%2Fmodules%2Fdate%2Fdate_api%2Fdate-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsit \
es%2Fall%2Fmodules%2Fdate%2Fdate_popup%2Fthemes%2Fdatepicker.1.7.css%5D=1&amp;ajax_pag \
e_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate-time-field%2Fcss%2Fsmoothness%2Fjquery \
-ui-1.8.14.custom.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Ffield%2Ftheme%2Ffi \
eld.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Ffield%2Ftheme%2Ffield-rtl.css%5D \
=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fnode%2Fnode.css%5D=1&amp;ajax_page_state%5 \
Bcss%5D%5Bmodules%2Fpoll%2Fpoll.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fpoll \
%2Fpoll-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsearch%2Fsearch.css%5D=1 \
&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fsearch%2Fsearch-rtl.css%5D=1&amp;ajax_page_s \
tate%5Bcss%5D%5Bmodules%2Fuser%2Fuser.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules% \
2Fuser%2Fuser-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fforum%2Fforum.css% \
5D=1&amp;ajax_page_state%5Bcss%5D%5Bmodules%2Fforum%2Fforum-rtl.css%5D=1&amp;ajax_page \
_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fcss%2Fviews.css%5D=1&amp;ajax_page_s \
tate%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fcss%2Fviews-rtl.css%5D=1&amp;ajax_page \
_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Faccordion_blocks%2Faccordion_init.css%5D= \
1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Faccordion_blocks%2Faccordi \
on_init-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fckeditor%2 \
Fckeditor.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fckeditor%2Fc \
keditor-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fctools%2Fc \
ss%2Fctools.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_me \
nus%2Fnice_menus.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Fni \
ce_menus%2Fnice_menus_default.css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2 \
Fmodules%2Fnice_menus%2Fnice_menus_default-rtl.css%5D=1&amp;ajax_page_state%5Bcss%5D%5 \
Bsites%2Fall%2Fmodules%2Fdatex%2Fdatex_popup%2Fdatex_popup.css%5D=1&amp;ajax_page_stat \
e%5Bcss%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fsmoothness.calendars.picker. \
css%5D=1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fstyle.css%5D= \
1&amp;ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fstyle-rtl.css%5D=1&a \
mp;ajax_page_state%5Bcss%5D%5Bpublic%3A%2F%2Fcpn%2Fblock-14.css%5D=1&amp;ajax_page_sta \
te%5Bjs%5D%5Bmisc%2Fjquery.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fjquery.once.js \
%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fdrupal.js%5D=1&amp;ajax_page_state%5Bjs%5D% \
5Bmisc%2Fui%2Fjquery.ui.core.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjqu \
ery.ui.widget.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjquery.ui.accordio \
n.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fjquery.cookie.js%5D=1&amp;ajax_page \
_state%5Bjs%5D%5Bmisc%2Fjquery.form.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2F \
jquery.ui.datepicker.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmodules%2Flocale%2Floca \
le.datepicker.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdat \
e_popup%2Fjquery.timeentry.pack.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fajax.js%5 \
D=1&amp;ajax_page_state%5Bjs%5D%5Bpublic%3A%2F%2Flanguages%2Ffa_BNMes1sG4z0w_DbIK9uy6l \
L3jNXwx-Job66BivlN1tA.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2 \
Faccordion_blocks%2Faccordion_init.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fmysit \
e%2Fmodules%2Fnice_menus%2Fsuperfish%2Fjs%2Fsuperfish.js%5D=1&amp;ajax_page_state%5Bjs \
%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fsuperfish%2Fjs%2Fjquery.bgiframe.min.js% \
5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fsuperfish%2 \
Fjs%2Fjquery.hoverIntent.minified.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fmysite \
%2Fmodules%2Fnice_menus%2Fnice_menus.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall \
%2Fmodules%2Fviews%2Fjs%2Fbase.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bmisc%2Fprogress.j \
s%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fjs%2Fajax_view.js \
%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquer \
y.calendars.all.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjq \
uery.calendars%2Fjquery.calendars.lang.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites \
%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.picker.lang.min.js%5D=1&amp;a \
jax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars \
.persian.min.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.ca \
lendars%2Fjquery.calendars.persian-fa.js%5D=1&amp;ajax_page_state%5Bjs%5D%5Bsites%2Fal \
l%2Fmodules%2Fdatex%2Fdatex_popup%2Fdatex_popup.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fjs%2Fcustom.js%5D=1
--VLegPn8AAAEAAFB4UbkAAAEB-E--

--VLegPn8AAAEAAFB4UbkAAAEB-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 15 Jan 2015 10:16:58 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1421317018"
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

--VLegPn8AAAEAAFB4UbkAAAEB-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "5"] [id "2002"]
Message: Warning. Operator GT matched 100 at ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]. [file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file "/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Stopwatch2: 1421320254300902 1867389; combined=676477, p1=1617, p2=673800, p3=7, p4=259, p5=568, sr=202, sw=226, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"

--VLegPn8AAAEAAFB4UbkAAAEB-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"

SecAction "phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=9,setvar:tx.outbound_anomaly_score_level=5,nolog,pass"

SecAction "phase:1,id:900004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"



["audit-event.rar" (application/rar)]
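
Added example (not part of the original post and not ModSecurity code): a Python check that parses the section H `Message:` lines of an audit log entry and reports whether a rule still matched a target that a `ctl:ruleRemoveTargetById` exclusion was meant to remove. The sample lines are constructed from the audit log above, and the function names are hypothetical.

```python
import re

# Constructed sample: section H lines in the format shown in the audit log above.
SAMPLE_SECTION_H = '''\
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. Operator GT matched 100 at ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]. [file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"]
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file "/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too long"]
Apache-Handler: proxy-server
'''

# The matched variable sits between " at " and the ". [file" that opens the metadata.
TARGET_RE = re.compile(r' at (.+?)\. \[file "')
# Metadata is a run of [key "value"] pairs after the target.
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_messages(section_h):
    """Return one dict per 'Message:' line with rule id, matched target and msg."""
    events = []
    for line in section_h.splitlines():
        if not line.startswith("Message: "):
            continue  # skip Stopwatch, Producer and other section H fields
        m = TARGET_RE.search(line)
        target = m.group(1) if m else None
        # Read metadata only from the text after the target, so brackets
        # inside an argument name are never mistaken for [key "value"] pairs.
        meta = dict(META_RE.findall(line[m.end(1):] if m else line))
        events.append({"id": meta.get("id"), "target": target, "msg": meta.get("msg")})
    return events


def exclusion_failures(events, exclusions):
    """Return events where a rule matched a target that should have been excluded.

    exclusions: (rule_id, target) pairs, as written in ctl:ruleRemoveTargetById=ID;TARGET.
    """
    wanted = set(exclusions)
    return [e for e in events if (e["id"], e["target"]) in wanted]


if __name__ == "__main__":
    target = ("ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/"
              "superfish/js/jquery.hoverIntent.minified.js]")
    for e in exclusion_failures(parse_messages(SAMPLE_SECTION_H), [("960209", target)]):
        print("exclusion not applied: rule", e["id"], "still matched", e["target"])
```
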


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

