[Owasp-modsecurity-core-rule-set] Question about REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Пацев Антон patsev.anton at gmail.com
Thu Jul 27 11:16:25 UTC 2017


Hello!
Can someone help with REQUEST-920-PROTOCOL-ENFORCEMENT.conf?
Using: ModSecurity v3 from master, nginx 1.10.2, core rules from GitHub

crs-setup.conf:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
SecCollectionTimeout 600
SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=302"


The log file has:

ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against
variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) [file
"/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"] [id
"920180"] [rev "1"] [msg "POST request missing Content-Length Header."]
[data "0"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy
"9"] [tag "application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [ref
"o0,4v0,4"]

ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter
`1-255' against variable `REQUEST_HEADERS:Cookie' (Value:
`JSESSIONID=XXXXXXXXXXXXXX; loggedin=true; hash=yyyyyyy; loggedUser=gggggg
(781 characters omitted)' ) [file
"/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id
"920270"] [rev "2"] [msg "Invalid character in request (null character)"]
[data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy
"9"] [tag "application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref
"o185,1o186,1o187,1o188,1o189,1o190,1o191,1o192,1o193,1o194,1o195,1o196,1o197,1o198,1o199,1o200,1o201,1o202,1o313,1o314,1o315,1o316,1o317,1o318,1o319,1o320,1o321,1o322,1o323,1o324,1o325,1o326,1o327,1o328,1o329,1o330,1o331,1o332,1o333,1o334,1o335,1o336,1o337,1o338,1o408,1o409,1o410,1o411,1o412,1o413,1v479,881t:urlDecodeUni"]

How do I understand this log? How do I write the request to the log?



-- 
Best regards, Anton Patsev.
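
An added example (not part of the original post, and not ModSecurity or CRS code): a parser for warning lines in the format logged above that extracts the operator, variable and bracketed fields and decodes the [ref] string. It assumes the libmodsecurity v3 convention that oN,M is an operator match at offset N with length M, vN,M is the variable's offset and size in the request, and t:name is an applied transformation; the function names are hypothetical and the sample line is constructed from the first log entry above.

```python
import re
from collections import defaultdict

# Constructed sample: the first warning from the post, unwrapped onto one
# line with most [tag ...] fields dropped.
SAMPLE = (
    "ModSecurity: Warning. Matched \"Operator `Eq' with parameter `0' against "
    "variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) "
    '[file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "258"] [id "920180"] '
    '[msg "POST request missing Content-Length Header."] [severity "4"] '
    '[tag "attack-protocol"] [tag "CAPEC-272"] [ref "o0,4v0,4"]'
)

HEAD = re.compile(r"Operator `(?P<operator>[^']+)' with parameter "
                  r"`(?P<parameter>.*?)' against variable `(?P<variable>[^']+)'")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
REF = re.compile(r"o(\d+),(\d+)|v(\d+),(\d+)|t:(\w+)")


def decode_ref(ref):
    """Split a [ref] value into operator matches, variable spans, transformations."""
    out = {"operator_matches": [], "variable_spans": [], "transformations": []}
    for o_off, o_len, v_off, v_len, t in REF.findall(ref):
        if o_off:  # "0" is a non-empty string, so offset 0 is still handled
            out["operator_matches"].append((int(o_off), int(o_len)))
        elif v_off:
            out["variable_spans"].append((int(v_off), int(v_len)))
        else:
            out["transformations"].append(t)
    return out


def parse_warning(line):
    """Return one rule match as a dict; wrapped log text is re-joined first."""
    line = " ".join(line.split())
    head = HEAD.search(line)
    if head is None:
        raise ValueError("not a ModSecurity v3 'Matched' line")
    fields = defaultdict(list)
    for name, value in FIELD.findall(line):
        fields[name].append(value)
    event = head.groupdict()
    event["tags"] = fields.pop("tag", [])  # the only repeated field
    event.update({k: v[0] for k, v in fields.items()})
    event["ref"] = decode_ref(event.get("ref", ""))
    return event
```

The Value and [data] parts carry request bytes, so a crafted request can place bracketed text there; treat fields parsed this way as best-effort when the log is untrusted.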