This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ModSecurity CRS RuleID-960911"

(Rule ID: 906911)
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Rule ID: 906911 ==
 
== Rule ID: 906911 ==
  
=== Rule Message: Invalid HTTP Request Line ===
+
<table style="border-style:double;border-width:3px;" >
 
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule ID</td>
=== Rule ===
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
906911
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Message</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Invalid HTTP Request Line
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Summary</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Validate request line against the format specified in the HTTP RFC
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Impact</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
4 - Warning
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
<code>
 
  SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
 
  SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
"t:none,t:lowercase,phase:2,rev:'2.0.8',pass,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
    "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"</code>
 
+
</td></tr>
=== Rule Summary ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td>
*Validate request line against the format specified in the HTTP RFC
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
+
*Uses rule negation against the regex for positive security.  The regex specifies the proper construction of URI request lines such as:
=== Impact ===
 
4- Warning.
 
 
 
=== Detailed Information ===
 
* Uses rule negation against the regex for positive security.  The regex specifies the proper construction of URI request lines such as:
 
 
  "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]  
 
  "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]  
 
*It also outlines proper construction for CONNECT, OPTIONS and GET requests.
 
*It also outlines proper construction for CONNECT, OPTIONS and GET requests.
 
+
<pre>
///  A description of the regular expression:
+
///  A description of the regular expression:
///   
+
///   
///  Beginning of line or string
+
///  Beginning of line or string
///  Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
+
///  Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
///      Select from 2 alternatives
+
///      Select from 2 alternatives
///          (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
+
///          (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
///              Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
+
///              Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
///                  Select from 3 alternatives
+
///                  Select from 3 alternatives
///                      [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
+
///                      [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///                          Any character in this class: [a-z], between 3 and 10 repetitions
+
///                          Any character in this class: [a-z], between 3 and 10 repetitions
///                          Whitespace, one or more repetitions
+
///                          Whitespace, one or more repetitions
///                          Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
+
///                          Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
///                              \w{3,7}?://[\w\-\./]*(?::\d+)?
+
///                              \w{3,7}?://[\w\-\./]*(?::\d+)?
///                                  Alphanumeric, between 3 and 7 repetitions, as few as possible
+
///                                  Alphanumeric, between 3 and 7 repetitions, as few as possible
///                                  ://
+
///                                  ://
///                                  Any character in this class: [\w\-\./], any number of repetitions
+
///                                  Any character in this class: [\w\-\./], any number of repetitions
///                                  Match expression but don't capture it. [:\d+], zero or one repetitions
+
///                                  Match expression but don't capture it. [:\d+], zero or one repetitions
///                                      :\d+
+
///                                      :\d+
///                                          :
+
///                                          :
///                                          Any digit, one or more repetitions
+
///                                          Any digit, one or more repetitions
///                          /
+
///                          /
///                          Any character that is NOT in this class: [?#], any number of repetitions
+
///                          Any character that is NOT in this class: [?#], any number of repetitions
///                          Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
+
///                          Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                              \?[^#\s]*
+
///                              \?[^#\s]*
///                                  Literal ?
+
///                                  Literal ?
///                                  Any character that is NOT in this class: [#\s], any number of repetitions
+
///                                  Any character that is NOT in this class: [#\s], any number of repetitions
///                          Match expression but don't capture it. [#[\S]*], zero or one repetitions
+
///                          Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                              #[\S]*
+
///                              #[\S]*
///                                  #
+
///                                  #
///                                  Any character in this class: [\S], any number of repetitions
+
///                                  Any character in this class: [\S], any number of repetitions
///                      connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
+
///                      connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
///                          connect
+
///                          connect
///                          Space
+
///                          Space
///                          Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
+
///                          Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
///                              \d{1,3}\.
+
///                              \d{1,3}\.
///                                  Any digit, between 1 and 3 repetitions
+
///                                  Any digit, between 1 and 3 repetitions
///                                  Literal .
+
///                                  Literal .
///                          Any digit, between 1 and 3 repetitions
+
///                          Any digit, between 1 and 3 repetitions
///                          Literal ., zero or one repetitions
+
///                          Literal ., zero or one repetitions
///                          Match expression but don't capture it. [:\d+], zero or one repetitions
+
///                          Match expression but don't capture it. [:\d+], zero or one repetitions
///                              :\d+
+
///                              :\d+
///                                  :
+
///                                  :
///                                  Any digit, one or more repetitions
+
///                                  Any digit, one or more repetitions
///                      options \*
+
///                      options \*
///                          options
+
///                          options
///                          Space
+
///                          Space
///                          Literal *
+
///                          Literal *
///              Whitespace, one or more repetitions
+
///              Whitespace, one or more repetitions
///              Any character in this class: [\w\./], one or more repetitions
+
///              Any character in this class: [\w\./], one or more repetitions
///          get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
+
///          get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///              get
+
///              get
///              Space
+
///              Space
///              /
+
///              /
///              Any character that is NOT in this class: [?#], any number of repetitions
+
///              Any character that is NOT in this class: [?#], any number of repetitions
///              Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
+
///              Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                  \?[^#\s]*
+
///                  \?[^#\s]*
///                      Literal ?
+
///                      Literal ?
///                      Any character that is NOT in this class: [#\s], any number of repetitions
+
///                      Any character that is NOT in this class: [#\s], any number of repetitions
///              Match expression but don't capture it. [#[\S]*], zero or one repetitions
+
///              Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                  #[\S]*
+
///                  #[\S]*
///                      #
+
///                      #
///                      Any character in this class: [\S], any number of repetitions
+
///                      Any character in this class: [\S], any number of repetitions
///  End of line or string
+
///  End of line or string
 
+
</pre>
=== Example Payload ===
+
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Payload</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Here is an example payloads taken from HTTPrint (http://net-square.com/httprint/) that will trigger this rule.
 
Here is an example payloads taken from HTTPrint (http://net-square.com/httprint/) that will trigger this rule.
  
 
  127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA
 
  127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA
+
</td></tr>
=== Example Audit Log Entry ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Audit Log Entry</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Include an example ModSecurity Audit Log Entry for when this rule matchs.
 
Include an example ModSecurity Audit Log Entry for when this rule matchs.
 +
<pre>
 +
--1167a167-A--
 +
[14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80
 +
--1167a167-B--
 +
^V^C
  
--1167a167-A--
+
--1167a167-F--
[14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80
 
--1167a167-B--
 
^V^C
 
 
--1167a167-F--
 
 
--1167a167-H--
 
Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$"
 
against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"]
 
[tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
 
Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03
 
Stopwatch: 1284479503453580 43606 (4888 42377 -)
 
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
 
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
 
 
--1167a167-Z--
 
  
=== Affected Software ===
+
--1167a167-H--
Different web server software may react differently to malformed URIs.
+
Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$"
 +
against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"]
 +
[tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
 +
Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03
 +
Stopwatch: 1284479503453580 43606 (4888 42377 -)
 +
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
 +
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
  
=== Attack Scenarios ===
+
--1167a167-Z--
 +
</pre>
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Attack Scenarios</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans -  
 
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans -  
http://projects.webappsec.org/Fingerprinting
+
http://projects.webappsec.org/Fingerprinting
 
 
 
Other times, these are caused by poorly written web clients.
 
Other times, these are caused by poorly written web clients.
 
+
</td></tr>
=== Ease of Attack ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Attack</td>
Easy.
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
+
Easy
=== Ease of Detection ===
+
</td></tr>
Easy with either regular expressions or by monitoring Apache error logging in phase:5.
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Detection</td>
 
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
=== False Positives ===
+
Easy with either regular expressions or by monitoring Apache error logging in phase:5
None known.
+
</td></tr>
 
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td>
=== False Negatives ===
+
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
None known.
+
'''None known'''<br>
 
+
If there are any known false positives - specify them here
=== Corrective Action  ===
+
Also sign-up for the Reporting False Positives mail-list here:
 
+
https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
 
+
<br>
=== Contributors ===
+
Send FP Report emails here:<br>
Ryan Barnett
+
mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net
 
+
</td></tr>
=== Additional References ===
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
'''None known'''
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
'''8'''<br>
 +
10 point scale (0-9) where:<br>0 = Beta/Experimental <br>9 = Heavily Tested
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
'''8'''<br>
 +
10 point scale (0-9) where:<br>0 = High % of FP<br>5 = No false positives reported
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
 
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
 +
</td></tr>
 +
</table>
 +
[[Category:OWASP ModSecurity Core Rule Set Project]]
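Review bot: the heading "== Rule ID: 906911 ==" and the Rule ID cell ("906911") disagree with the rule text on both sides of this diff, which carries id:'960911' (the page title and the audit log's [id "960911"] agree with the rule); both occurrences survive the revision and should read 960911. Three smaller consistency points in the same revision: the new rule text tags itself RULE_ACCURACY_LEVEL/5 while the added Rule Accuracy cell says '''8''', so one of the two is stale; the anti-spam image in the False Positives cell is written [[Image:Justat.gif|10x]] where the contributor cell uses the correct |10px; and the Example Audit Log entry still shows [rev "2.0.8"] from the replaced rule (phase:2, pass,nolog,auditlog), whereas the rule now in the table is rev:'2.2.0' and runs in phase:1 with block, a behaviour change that the edit summary "(Rule ID: 906911)" does not mention, so the log should be regenerated with the new rule or marked as taken from the older version.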

Latest revision as of 17:29, 9 May 2011

Rule ID: 960911

Rule ID

960911

Rule Message

Invalid HTTP Request Line

Rule Summary

Validate request line against the format specified in the HTTP RFC

Impact

4 - Warning

Rule

SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
   "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Detailed Rule Information
  • Uses rule negation against the regex for positive security. The regex specifies the proper construction of URI request lines such as:
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] 
  • It also outlines proper construction for CONNECT, OPTIONS and GET requests.
///  A description of the regular expression:
///  
///  Beginning of line or string
///  Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
///      Select from 2 alternatives
///          (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
///              Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
///                  Select from 3 alternatives
///                      [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///                          Any character in this class: [a-z], between 3 and 10 repetitions
///                          Whitespace, one or more repetitions
///                          Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
///                              \w{3,7}?://[\w\-\./]*(?::\d+)?
///                                  Alphanumeric, between 3 and 7 repetitions, as few as possible
///                                  ://
///                                  Any character in this class: [\w\-\./], any number of repetitions
///                                  Match expression but don't capture it. [:\d+], zero or one repetitions
///                                      :\d+
///                                          :
///                                          Any digit, one or more repetitions
///                          /
///                          Any character that is NOT in this class: [?#], any number of repetitions
///                          Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                              \?[^#\s]*
///                                  Literal ?
///                                  Any character that is NOT in this class: [#\s], any number of repetitions
///                          Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                              #[\S]*
///                                  #
///                                  Any character in this class: [\S], any number of repetitions
///                      connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
///                          connect
///                          Space
///                          Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
///                              \d{1,3}\.
///                                  Any digit, between 1 and 3 repetitions
///                                  Literal .
///                          Any digit, between 1 and 3 repetitions
///                          Literal ., zero or one repetitions
///                          Match expression but don't capture it. [:\d+], zero or one repetitions
///                              :\d+
///                                  :
///                                  Any digit, one or more repetitions
///                      options \*
///                          options
///                          Space
///                          Literal *
///              Whitespace, one or more repetitions
///              Any character in this class: [\w\./], one or more repetitions
///          get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///              get
///              Space
///              /
///              Any character that is NOT in this class: [?#], any number of repetitions
///              Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                  \?[^#\s]*
///                      Literal ?
///                      Any character that is NOT in this class: [#\s], any number of repetitions
///              Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                  #[\S]*
///                      #
///                      Any character in this class: [\S], any number of repetitions
///  End of line or string
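To see concretely what the negated regex accepts and rejects, here is an added Python harness (not part of the original page or of the CRS project) that applies the rule's own regex after the same t:lowercase transformation and reports whether rule 960911 would fire. The request lines are constructed for this example, apart from the HTTPrint probe quoted in the Example Payload section below; the function names are assumptions.

```python
import re

# The CRS 960911 request-line regex, exactly as it appears in the rule on this page.
# ModSecurity applies t:lowercase before matching and negates the result ("!"),
# so the rule fires when the lowercased request line does NOT match.
REQUEST_LINE_RE = re.compile(
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$",
    re.ASCII,  # keep \w, \d and \s ASCII-only, as PCRE does without UCP
)


def rule_960911_fires(request_line: str) -> bool:
    """Return True when rule 960911 would match (i.e. flag) this request line."""
    lowered = request_line.lower()                 # t:lowercase
    return REQUEST_LINE_RE.match(lowered) is None  # "!" negation of the regex


def evaluate(lines):
    """Return {request_line: fires} for a batch of request lines."""
    return {line: rule_960911_fires(line) for line in lines}


# Constructed sample request lines (hypothetical, except the HTTPrint probe from the page).
SAMPLES = [
    "GET /index.html HTTP/1.1",                         # ordinary request
    "POST /login?user=a&pw=b HTTP/1.0",                 # path plus query string
    "GET http://www.example.com/index.html HTTP/1.1",   # absolute URI (proxy form)
    "OPTIONS * HTTP/1.1",                               # server-wide OPTIONS
    "CONNECT 10.0.0.1:443 HTTP/1.1",                    # CONNECT to a dotted IPv4 address
    "GET /index.html",                                  # HTTP/0.9 style, no version token
    "\x16\x03",                                         # HTTPrint probe from the page (TLS bytes on a plain HTTP port)
    "CONNECT example.com:443 HTTP/1.1",                 # CONNECT to a hostname: the regex has no branch for it
    "GET /a?b c HTTP/1.1",                              # unencoded space inside the query string
]

if __name__ == "__main__":
    for line, fires in evaluate(SAMPLES).items():
        print(f"{'FIRES ' if fires else 'passes'}  {line!r}")
```

The two CONNECT samples show a tuning point that follows directly from the regex: the CONNECT branch only accepts a dotted IPv4 address, so a CONNECT to a hostname is flagged, while the second top-level alternative accepts the versionless "GET /path" form of HTTP/0.9. A request line with an unencoded space in its query string is rejected because the query class [^#\s]* stops at whitespace.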
Example Payload

Here is an example payload, taken from HTTPrint (http://net-square.com/httprint/), that will trigger this rule.

127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA
Example Audit Log Entry

An example ModSecurity audit log entry recorded when this rule matches:

--1167a167-A--
[14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80
--1167a167-B--
^V^C

--1167a167-F--

--1167a167-H--
Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" 
against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] 
[tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03
Stopwatch: 1284479503453580 43606 (4888 42377 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2

--1167a167-Z--
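The serial audit log format shown above (parts A, B, F, H and Z, each introduced by a --id-letter-- boundary) is straightforward to parse in a detection pipeline. The following Python parser is an added example, not ModSecurity's or the project's code: it splits an entry into its parts, extracts the bracketed [key "value"] fields from each Message: line in part H, and pulls out the Apache error message that the Ease of Detection row refers to. The embedded entry is reconstructed from the one shown on this page, with the Message line rejoined onto a single line as a real audit log writes it; the function names are assumptions.

```python
import re

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# [key "value"] fields as written by ModSecurity; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Part A: [timestamp] unique_id src_ip src_port dst_ip dst_port
A_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def split_audit_parts(text):
    """Split one serial-format audit log entry into {part_letter: body}."""
    parts, current, buf = {}, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:  # the trailing Z part is a terminator with an empty body
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def parse_part_a(a_part):
    """Return the connection metadata from part A as a dict."""
    m = A_RE.match(a_part.strip())
    keys = ("timestamp", "unique_id", "src_ip", "src_port", "dst_ip", "dst_port")
    return dict(zip(keys, m.groups())) if m else {}


def rule_hits(h_part):
    """One dict of [key "value"] fields per 'Message:' line in part H."""
    return [dict(FIELD_RE.findall(line))
            for line in h_part.splitlines() if line.startswith("Message:")]


def apache_errors(h_part):
    """The Apache error text (without its [file] [line] [level] prefix) from part H."""
    return [re.sub(r"^Apache-Error:\s*(?:\[[^\]]*\]\s*)*", "", line)
            for line in h_part.splitlines() if line.startswith("Apache-Error:")]


def summarize(text):
    """Reduce an audit entry to the fields an analyst or SIEM normally keys on."""
    parts = split_audit_parts(text)
    a = parse_part_a(parts.get("A", ""))
    hits = rule_hits(parts.get("H", ""))
    b_lines = parts.get("B", "").splitlines()
    return {
        "unique_id": a.get("unique_id"),
        "src_ip": a.get("src_ip"),
        "request_line_raw": b_lines[0] if b_lines else "",
        "rule_ids": [h.get("id") for h in hits],
        "messages": [h.get("msg") for h in hits],
        "apache_errors": apache_errors(parts.get("H", "")),
    }


# Reconstructed from the audit log entry on this page (Message line rejoined onto one line).
SAMPLE_AUDIT_LOG = r"""--1167a167-A--
[14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80
--1167a167-B--
^V^C

--1167a167-F--

--1167a167-H--
Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03
Stopwatch: 1284479503453580 43606 (4888 42377 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2

--1167a167-Z--
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Because FIELD_RE requires the literal shape [word "…"], the regex text quoted inside the Message line (which contains character classes such as [^?#]) does not produce spurious fields; only the trailing file, line, id, rev, msg, severity and tag fields are collected.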
Attack Scenarios

Some malformed URIs are created on purpose as part of HTTP fingerprinting scans: http://projects.webappsec.org/Fingerprinting

Other times, these are caused by poorly written web clients.

Ease of Attack

Easy

Ease of Detection

Easy, either with regular expressions or by monitoring Apache error logging in phase:5.

False Positives

None known.
Known false positives should be reported through the Reporting False Positives mailing list; sign up at https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives and send FP reports to mod-security-report-false-positives@lists.sourceforge.net.

False Negatives

None known

Rule Maturity

8
10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

Rule Accuracy

8
10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Rule Documentation Contributor(s)

Ryan Barnett - ryan.barnett@owasp.org

Additional References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1