[Owasp-modsecurity-core-rule-set] Range: field exists and begins with 0 - what does it mean?

Ryan Barnett ryan.barnett at breach.com
Fri Jan 15 09:49:08 EST 2010


On Tuesday 12 January 2010 05:43:40 pm Dimitri Syuoul wrote:
> Hello,
> 
> Ive noticed that Ive gotten some triggers over rule ID 958291... I
> tried googling for an explanation of this rule but I could not find
> it. Anybody knwo what importance does this field exists and begins
> with 0 is?
> 

This rule was taken from the Bad Behavior package - http://www.bad-
behavior.ioerror.us/documentation/how-it-works/

This is part of the note for this rule -

	// Range: field exists and begins with 0
	// Real user-agents do not start ranges at 0

When this rule triggers, can you confirm if the client is legit?

-Ryan

> crs-2.0.4/base_rules/modsecurity_crs_20_protocol_violations.conf:SecRule
> REQUEST_HEADERS:Range "@contains =0-"
> "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and
> begins with
>  0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:
> 'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violatio
> n_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_v
> ar_name}=%{matched_var}" crs-2.0.4/CHANGELOG:- Rule 958291 - Range: field
>  exists and begins with 0.
> 
> 
> Thanks
> 
> Dimitri
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 


More information about the Owasp-modsecurity-core-rule-set mailing list