[Owasp-modsecurity-core-rule-set] CoreRules Beginner Question | Message: Operator GT matched 0 at ARGS_NAMES

Florian Lier florian.lier at uni-bielefeld.de
Tue Oct 5 12:21:18 EDT 2010


Hello all,

this is my first encounter with this mailing list and I
(probably) have a noobish question...

I'm running mod_security 2.5.11 on an Apache 2.x
WS with the 2.0.8 core rule set. The only webapp
which Apache serves is a freshly installed, up-to-date
Drupal 6.19.

After having the core rules installed and the filter engine set to
on, I'm experiencing weird logs in the audit_log like the following:

---------------------------------------

--e640b336-A--
[05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
--e640b336-B--
GET / HTTP/1.0
Host: fl0.xxx.xx
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Referer: http://fl0.ath.cx/
Cookie: SESSfed0fce205fc7295ffe987ef538e635b=39i0rkv38ov7e8l1atl3jjg5l4
If-Modified-Since: Tue, 05 Oct 2010 16:00:39 GMT
Via: 1.1 proxy (squid)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive

--e640b336-F--
HTTP/1.1 200 OK
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 16:00:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1867
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

--e640b336-H--
Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1286294449838083 140002 (1358 2902 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.14 (Ubuntu)

--e640b336-Z--

------------------------

"modsecurity_crs_62_my.conf" is basically a copy of
"modsecurity_crs_23_request_limits.conf" because I wanted to
experiment with that rule; actually, I haven't changed anything
in either file. The same messages apply for several "css" files
which are requested by my client.

The HTTP Policy Settings are the following:

------------------------

#
# -=[ HTTP Policy Settings ]=-
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.  
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives.  Uncomment the items you wish to set.
# 
## Maximum number of arguments in request limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=500"

## Limit argument name length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=200"

## Limit value name length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"

## Limit arguments total length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"

## Individual file size is limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"

## Combined file size is limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"


----------------------


Can someone please explain to me what is happening here?
From what I know atm, I think mod_sec complains about having
"0" arguments in the GET request? I have "googled" this of course,
but couldn't find any sufficient answer. I hope you guys can help me
out.

Cheers, Flo



