[Owasp-modsecurity-core-rule-set] CoreRules Beginner Question | Message: Operator GT matched 0 at ARGS_NAMES

Jamuse jamuse at gmail.com
Thu Oct 7 04:19:18 EDT 2010


Hi Flo,

Can you show us lines 22 and 26 of modsecurity_crs_62_my.conf?

--
 - Josh

On Tue, Oct 5, 2010 at 6:21 PM, Florian Lier <florian.lier at uni-bielefeld.de> wrote:

> Hello all,
>
> this is my first encounter with this mailing list and I
> (probably) have a noobish question...
>
> I'm running mod_security 2.5.11 on an Apache 2.x
> WS with the 2.0.8 core rule set. The only webapp
> which Apache serves is a freshly installed up-to-date
> drupal 6.19.
>
> After installing the core rules and setting the filter engine
> to on, I'm experiencing weird logs in the audit_log like the following:
>
> ---------------------------------------
>
> --e640b336-A--
> [05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
> --e640b336-B--
> GET / HTTP/1.0
> Host: fl0.xxx.xx
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Referer: http://fl0.ath.cx/
> Cookie: SESSfed0fce205fc7295ffe987ef538e635b=39i0rkv38ov7e8l1atl3jjg5l4
> If-Modified-Since: Tue, 05 Oct 2010 16:00:39 GMT
> Via: 1.1 proxy (squid)
> X-Forwarded-For: unknown
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> --e640b336-F--
> HTTP/1.1 200 OK
> Expires: Sun, 19 Nov 1978 05:00:00 GMT
> Last-Modified: Tue, 05 Oct 2010 16:00:49 GMT
> Cache-Control: store, no-cache, must-revalidate
> Cache-Control: post-check=0, pre-check=0
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 1867
> Keep-Alive: timeout=15, max=98
> Connection: Keep-Alive
> Content-Type: text/html; charset=utf-8
>
> --e640b336-H--
> Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
> Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
> Apache-Handler: application/x-httpd-php
> Stopwatch: 1286294449838083 140002 (1358 2902 -)
> Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.8.
> Server: Apache/2.2.14 (Ubuntu)
>
> --e640b336-Z--
>
> ------------------------
>
> "modsecurity_crs_62_my.conf" is basically a copy of
> "modsecurity_crs_23_request_limits.conf" because I wanted to
> experiment with that rule; actually, I haven't changed anything
> in either file. The same messages apply for several "css" files
> which are requested by my client.
>
> The HTTP Policy Settings are the following:
>
> ------------------------
>
> #
> # -=[ HTTP Policy Settings ]=-
> # Set the following policy settings here and they will be propagated to the 23 rules
> # file (modsecurity_common_23_request_limits.conf) by using macro expansion.
> # If you run into false positives, you can adjust the settings here.
> #
> # Only the max number of args is uncommented by default as there are a high rate
> # of false positives.  Uncomment the items you wish to set.
> #
> ## Maximum number of arguments in request limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=500"
>
> ## Limit argument name length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=200"
>
> ## Limit value name length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
>
> ## Limit arguments total length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
>
> ## Individual file size is limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
>
> ## Combined file size is limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
>
>
> ----------------------
>
>
> Can someone please explain to me what is happening here?
> From what I know atm, I think mod_sec complains about having
> "0" arguments in the GET request? I have "googled" this of course,
> but couldn't find any sufficient answer. I hope you guys can help me
> out.
>
> Cheers, Flo
>