https://wiki.owasp.org/index.php?action=history&feed=atom&title=ModSecurity_CRS_RuleID-981227
ModSecurity CRS RuleID-981227 - Revision history
2026-04-27T20:20:56Z
Revision history for this page on the wiki
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=ModSecurity_CRS_RuleID-981227&diff=110138&oldid=prev
Rcbarnett at 17:34, 9 May 2011
2011-05-09T17:34:36Z
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 17:34, 9 May 2011</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l109" >Line 109:</td>
<td colspan="2" class="diff-lineno">Line 109:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''None known'''</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''None known'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></td></tr></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></td></tr></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule <del class="diffchange diffchange-inline">Accuracy Level</del></td></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule <ins class="diffchange diffchange-inline">Maturity</ins></td></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>'''<del class="diffchange diffchange-inline">5</del>''' <br><del class="diffchange diffchange-inline">5 </del>point scale where:<br><del class="diffchange diffchange-inline">1 </del>= Beta/Experimental <del class="diffchange diffchange-inline">and</del>/<del class="diffchange diffchange-inline">or high number </del>of <del class="diffchange diffchange-inline">false positives reported</del><br>5 = <del class="diffchange diffchange-inline">Strong Rule and/or no </del>false positives reported</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>'''<ins class="diffchange diffchange-inline">0</ins>'''<br></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">10 </ins>point scale <ins class="diffchange diffchange-inline">(0-9) </ins>where:<br><ins class="diffchange diffchange-inline">0 </ins>= Beta/Experimental <ins class="diffchange diffchange-inline"><br>9 = Heavily Tested</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"><</ins>/<ins class="diffchange diffchange-inline">td></tr></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"><tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"><td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">'''9'''<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">10 point scale (0-9) where:<br>0 = High % </ins>of <ins class="diffchange diffchange-inline">FP</ins><br>5 = <ins class="diffchange diffchange-inline">No </ins>false positives reported</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></td></tr></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></td></tr></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td></div></td></tr>
</table>
Rcbarnett
https://wiki.owasp.org/index.php?title=ModSecurity_CRS_RuleID-981227&diff=110073&oldid=prev
Rcbarnett: Created page with "== Rule ID: 981227 == <table style="border-style:double;border-width:3px;" > <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase..."
2011-05-06T15:27:30Z
<p>Created page with "== Rule ID: 981227 == <table style="border-style:double;border-width:3px;" > <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase..."</p>
<p><b>New page</b></p><div>== Rule ID: 981227 ==<br />
<br />
<table style="border-style:double;border-width:3px;" ><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule ID</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
981227<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Message</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Apache Error: Invalid URI in Request<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Summary</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Identify Invalid URIs Blocked by Apache<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Impact</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
4 - Warning<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
<code><br />
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',<br />
logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-<br />
sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},<br />
setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"</code><br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
There are some request violations that Apache will handle internally, prior to the<br />
ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get<br />
visibility by running a check in phase:5 logging to look for the Apache error msg.<br />
<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Payload</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Here is an example payloads taken from the access_log:<br />
<br />
127.0.0.1 - - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Audit Log Entry</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Include an example ModSecurity Audit Log Entry for when this rule matchs.<br />
<pre><br />
--57ae6b4f-A--<br />
[06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 127.0.0.1 62905 127.0.0.1 80<br />
--57ae6b4f-B--<br />
GET / HTTP/1.1<br />
Host: local<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br />
<br />
--57ae6b4f-F--<br />
HTTP/1.1 400 Bad Request<br />
Content-Length: 226<br />
Connection: close<br />
Content-Type: text/html; charset=iso-8859-1<br />
<br />
--57ae6b4f-E--<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><br />
<html><head><br />
<title>400 Bad Request</title><br />
</head><body><br />
<h1>Bad Request</h1><br />
<p>Your browser sent a request that this server could not understand.<br /><br />
</p><br />
</body></html><br />
<br />
--57ae6b4f-H--<br />
Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] <br />
[line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"] <br />
[severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] <br />
[tag "RULE_CONFIDENCE_LEVEL/5"]<br />
Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1<br />
Stopwatch: 1304695344229544 6998 (- - -)<br />
Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0<br />
Response-Body-Transformed: Dechunked<br />
Producer: ModSecurity for Apache/2.6.0-rc2 (http://www.modsecurity.org/); core ruleset/2.2.0.<br />
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2<br />
<br />
</pre><br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Attack Scenarios</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - <br />
http://projects.webappsec.org/Fingerprinting<br />
Other times, these are caused by poorly written web clients.<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Attack</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Easy<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Detection</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Easy with either regular expressions or by monitoring Apache error logging in phase:5<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
'''None known'''<br><br />
If there are any known false positives - specify them here<br />
Also sign-up for the Reporting False Positives mail-list here:<br />
https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives<br />
<br><br />
Send FP Report emails here:<br><br />
mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
'''None known'''<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy Level</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
'''5''' <br>5 point scale where:<br>1 = Beta/Experimental and/or high number of false positives reported<br>5 = Strong Rule and/or no false positives reported<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org<br />
</td></tr><br />
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td><br />
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" ><br />
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1<br />
</td></tr><br />
</table><br />
[[Category:OWASP ModSecurity Core Rule Set Project]]</div>
Rcbarnett