[Owasp-modsecurity-core-rule-set] Range: field exists and begins with 0 - what does it mean?
Ryan Barnett
ryan.barnett at breach.com
Fri Jan 15 09:49:08 EST 2010
On Tuesday 12 January 2010 05:43:40 pm Dimitri Syuoul wrote:
> Hello,
>
> Ive noticed that Ive gotten some triggers over rule ID 958291... I
> tried googling for an explanation of this rule but I could not find
> it. Anybody knwo what importance does this field exists and begins
> with 0 is?
>
This rule was taken from the Bad Behavior package - http://www.bad-
behavior.ioerror.us/documentation/how-it-works/
This is part of the note for this rule -
// Range: field exists and begins with 0
// Real user-agents do not start ranges at 0
When this rule triggers, can you confirm if the client is legit?
-Ryan
> crs-2.0.4/base_rules/modsecurity_crs_20_protocol_violations.conf:SecRule
> REQUEST_HEADERS:Range "@contains =0-"
> "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and
> begins with
> 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:
> 'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violatio
> n_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_v
> ar_name}=%{matched_var}" crs-2.0.4/CHANGELOG:- Rule 958291 - Range: field
> exists and begins with 0.
>
>
> Thanks
>
> Dimitri
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
More information about the Owasp-modsecurity-core-rule-set
mailing list