<div dir="ltr"><div><div>Hello!</div><div>Can someone help with REQUEST-920-PROTOCOL-ENFORCEMENT.conf?</div><div>Used: modsecurity v3 from master, nginx 1.10.2, core rules from github</div><div><br></div><div>crs-setup.conf:</div><div>SecDefaultAction "phase:1,log,auditlog,pass"</div><div>SecDefaultAction "phase:2,log,auditlog,pass"</div><div>SecAction \</div><div>  "id:900000,\</div><div>   phase:1,\</div><div>   nolog,\</div><div>   pass,\</div><div>   t:none,\</div><div>   setvar:tx.paranoia_level=1"</div><div>SecAction \</div><div> "id:900110,\</div><div>  phase:1,\</div><div>  nolog,\</div><div>  pass,\</div><div>  t:none,\</div><div>  setvar:tx.inbound_anomaly_score_threshold=5,\</div><div>  setvar:tx.outbound_anomaly_score_threshold=4"</div><div>SecCollectionTimeout 600</div><div>SecAction \</div><div> "id:900990,\</div><div>  phase:1,\</div><div>  nolog,\</div><div>  pass,\</div><div>  t:none,\</div><div>  setvar:tx.crs_setup_version=302"</div><div><br></div><div><br></div><div>The log file has:</div><div><br></div><div>ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) [file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"] [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [ref "o0,4v0,4"]</div><div><br></div><div>ModSecurity: Warning. 
Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `REQUEST_HEADERS:Cookie' (Value: `JSESSIONID=XXXXXXXXXXXXXX; loggedin=true; hash=yyyyyyy; loggedUser=gggggg (781 characters omitted)' ) [file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o185,1o186,1o187,1o188,1o189,1o190,1o191,1o192,1o193,1o194,1o195,1o196,1o197,1o198,1o199,1o200,1o201,1o202,1o313,1o314,1o315,1o316,1o317,1o318,1o319,1o320,1o321,1o322,1o323,1o324,1o325,1o326,1o327,1o328,1o329,1o330,1o331,1o332,1o333,1o334,1o335,1o336,1o337,1o338,1o408,1o409,1o410,1o411,1o412,1o413,1v479,881t:urlDecodeUni"]</div><div><br></div><div>How do I understand this log? How do I write the request to the log?</div><div><br></div>
<div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">
<span>Best regards,</span> Anton Patsev.<br>

</div></div>
</div></div></div>
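An added example, not part of the original message: a small Python parser that splits a warning line in the format quoted above into the matched operator, the variable, and the bracketed metadata fields (rule id, msg, file, line, tags, ref). The function names are hypothetical, the sample is an abridged copy of the first warning, and the reading of the `[ref]` field is an assumption about libmodsecurity's output.

```python
import re

# Abridged copy of the first warning in the message (some [..] fields dropped).
SAMPLE = (
    "ModSecurity: Warning. Matched \"Operator `Eq' with parameter `0' against "
    "variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) "
    '[file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"] '
    '[id "920180"] [msg "POST request missing Content-Length Header."] '
    '[severity "4"] [tag "attack-protocol"] [tag "CAPEC-272"] [ref "o0,4v0,4"]'
)

HEAD = re.compile(
    r"Matched \"Operator `(?P<operator>\w+)' with parameter `(?P<parameter>.*?)' "
    r"against variable `(?P<variable>.*?)' \(Value: `(?P<value>.*?)' \)"
)
FIELD = re.compile(r'\[(\w+) "(.*?)"\]')
REF = re.compile(r"([ov])(\d+),(\d+)")


def parse_warning(line):
    """Split one warning line into the matched operator/variable and its metadata."""
    m = HEAD.search(line)
    if m is None:
        raise ValueError("not a ModSecurity 'Matched' warning line")
    event = m.groupdict()
    event["tags"] = []
    for key, val in FIELD.findall(line):
        if key == "tag":
            event["tags"].append(val)  # [tag] repeats, so collect into a list
        else:
            event[key] = val
    return event


def parse_ref(ref):
    """Decode the [ref] field. Assumption: 'oN,L' is an operator match at offset N
    with length L, 'vN,L' is the inspected variable's offset and length, and
    't:name' is a transformation applied before matching."""
    spans = [(kind, int(off), int(ln)) for kind, off, ln in REF.findall(ref)]
    return {
        "operator": [(o, n) for k, o, n in spans if k == "o"],
        "variable": [(o, n) for k, o, n in spans if k == "v"],
        "transforms": re.findall(r"t:(\w+)", ref),
    }


if __name__ == "__main__":
    ev = parse_warning(SAMPLE)
    print(ev["id"], ev["msg"], ev["variable"], parse_ref(ev["ref"]))
```

Under that assumption, the `v479,881` in the second warning agrees with its cookie value: the log shows the first 100 characters plus "781 characters omitted".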