[Owasp-modsecurity-core-rule-set] Range: field exists and begins with 0 - what does it mean?

Lucas Ferreira listas at sapao.net
Fri Jan 15 10:54:16 EST 2010


Hello Ryan,

I have several requests that seem to be from legit clients. The User
agents I collected are:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15
User-Agent: Mozilla/5.0 (compatible; YodaoBot/1.0; http://www.youdao.com/help/webmaster/spider/; )
User-Agent: PuxaRapido v1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Here is a sample request that is similar to most requests from Firefox clients.

GET /404b.htm HTTP/1.1
Host: www.camara.gov.br
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: ASPSESSIONIDCARATCBB=KPNIALIBMKJDALOPNIOFIJMA; ASPSESSIONIDAAQASDBB=CPBIALIBGCAIMECFHLAPIDFH
Range: bytes=0-
If-Range: "09ea6f7f2d9c21:4530"

Here is the request from YouDao:

GET /internet/midias/Radio/2008/05/rdflash20080512-VB-0001-mp3-028.mp3 HTTP/1.1
Accept-Language: zh-cn;q=1.0, zh-tw;q=0.8, en;q=0.5, *;q=0.1
If-Modified-Since: Thu, 15 Jan 1970 00:17:27 GMT
Range: bytes=0-511
Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0.1
Referer:
User-Agent: Mozilla/5.0 (compatible; YodaoBot/1.0; http://www.youdao.com/help/webmaster/spider/; )
Host: imagem.camara.gov.br

Regards,

Lucas

On Fri, Jan 15, 2010 at 12:49, Ryan Barnett <ryan.barnett at breach.com> wrote:
> On Tuesday 12 January 2010 05:43:40 pm Dimitri Syuoul wrote:
>> Hello,
>>
>> I've noticed that I've gotten some triggers over rule ID 958291... I
>> tried googling for an explanation of this rule but I could not find
>> it. Anybody know what importance does this field exists and begins
>> with 0 is?
>>
>
> This rule was taken from the Bad Behavior package -
> http://www.bad-behavior.ioerror.us/documentation/how-it-works/
>
> This is part of the note for this rule -
>
>        // Range: field exists and begins with 0
>        // Real user-agents do not start ranges at 0
>
> When this rule triggers, can you confirm if the client is legit?
>
> -Ryan
>
>> crs-2.0.4/base_rules/modsecurity_crs_20_protocol_violations.conf:SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
>> crs-2.0.4/CHANGELOG:- Rule 958291 - Range: field exists and begins with 0.
>>
>>
>> Thanks
>>
>> Dimitri



-- 
Homo sapiens non urinat in ventum.
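
Added example, not part of the original message and not CRS code: a small Python triage helper for reviewing hits of rule 958291. It applies the same `=0-` substring test the quoted rule uses, then parses the Range value to tell an open-ended `bytes=0-` request from a bounded `bytes=0-511` one. The function names and the third sample are assumptions made for illustration; the first two samples reuse header values from the requests above.

```python
import re

RULE_NEEDLE = "=0-"  # operand of "@contains" in rule 958291 as quoted in the thread
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")  # first-pos "-" [last-pos], or "-" suffix-length

def parse_range(value):
    """Parse a Range value into (unit, [(first, last), ...]); None = position not given."""
    unit, sep, specs = value.strip().partition("=")
    if not sep or not unit.strip():
        raise ValueError("Range value has no unit or '='")
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"bad range-spec {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError(f"last-pos before first-pos in {spec!r}")
        ranges.append((first, last))
    return unit.strip().lower(), ranges

def triage(headers):
    """Summarise one request for a false-positive review of rule 958291."""
    value = headers["Range"]
    out = {"rule_match": RULE_NEEDLE in value,      # what the rule itself sees
           "conditional": "If-Range" in headers,    # validator sent with the range
           "user_agent": headers.get("User-Agent", "")}
    try:
        _, ranges = parse_range(value)
    except ValueError:
        return {**out, "shape": "malformed"}
    first, last = ranges[0]
    if first == 0 and last is None:
        shape = "whole-entity"    # bytes=0- : everything from the first byte
    elif first == 0:
        shape = "leading-bytes"   # bytes=0-N : only the first N+1 bytes
    else:
        shape = "other"
    return {**out, "shape": shape}

# Header values copied from the two requests in the message; the third entry is constructed.
SAMPLES = [
    {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)",
     "Range": "bytes=0-", "If-Range": '"09ea6f7f2d9c21:4530"'},
    {"User-Agent": "Mozilla/5.0 (compatible; YodaoBot/1.0; http://www.youdao.com/help/webmaster/spider/; )",
     "Range": "bytes=0-511"},
    {"User-Agent": "ExampleClient/1.0", "Range": "bytes=1024-"},  # constructed sample
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Both requests from the message match the rule's substring test, although one is a conditional whole-entity request from a browser and the other a bounded fetch of the first 512 bytes by a crawler.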

