This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ModSecurity CRS RuleID-960911"
(→Rule ID: 906911) |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 20: | Line 20: | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td> | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
− | <code>SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ | + | <code> |
− | "t:none,t:lowercase, | + | SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ |
+ | "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"</code> | ||
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td> | ||
Line 139: | Line 140: | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td> | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
− | None known | + | '''None known'''<br> |
+ | If there are any known false positives - specify them here | ||
+ | Also sign-up for the Reporting False Positives mail-list here: | ||
+ | https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives | ||
+ | <br> | ||
+ | Send FP Report emails here:<br> | ||
+ | mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net | ||
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td> | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
− | None known | + | '''None known''' |
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | '''8'''<br> | ||
+ | 10 point scale (0-9) where:<br>0 = Beta/Experimental <br>9 = Heavily Tested | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | '''8'''<br> | ||
+ | 10 point scale (0-9) where:<br>0 = High % of FP<br>5 = No false positives reported | ||
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
− | Ryan Barnett - | + | Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org |
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td> |
Latest revision as of 17:29, 9 May 2011
Rule ID: 906911
Rule ID |
906911 |
Rule Message |
Invalid HTTP Request Line |
Rule Summary |
Validate request line against the format specified in the HTTP RFC |
Impact |
4 - Warning |
Rule |
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" |
Detailed Rule Information |
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
/// A description of the regular expression: /// /// Beginning of line or string /// Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?] /// Select from 2 alternatives /// (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+ /// Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*] /// Select from 3 alternatives /// [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)? /// Any character in this class: [a-z], between 3 and 10 repetitions /// Whitespace, one or more repetitions /// Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions /// \w{3,7}?://[\w\-\./]*(?::\d+)? /// Alphanumeric, between 3 and 7 repetitions, as few as possible /// :// /// Any character in this class: [\w\-\./], any number of repetitions /// Match expression but don't capture it. [:\d+], zero or one repetitions /// :\d+ /// : /// Any digit, one or more repetitions /// / /// Any character that is NOT in this class: [?#], any number of repetitions /// Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions /// \?[^#\s]* /// Literal ? /// Any character that is NOT in this class: [#\s], any number of repetitions /// Match expression but don't capture it. [#[\S]*], zero or one repetitions /// #[\S]* /// # /// Any character in this class: [\S], any number of repetitions /// connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)? /// connect /// Space /// Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions /// \d{1,3}\. /// Any digit, between 1 and 3 repetitions /// Literal . /// Any digit, between 1 and 3 repetitions /// Literal ., zero or one repetitions /// Match expression but don't capture it. [:\d+], zero or one repetitions /// :\d+ /// : /// Any digit, one or more repetitions /// options \* /// options /// Space /// Literal * /// Whitespace, one or more repetitions /// Any character in this class: [\w\./], one or more repetitions /// get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)? /// get /// Space /// / /// Any character that is NOT in this class: [?#], any number of repetitions /// Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions /// \?[^#\s]* /// Literal ? /// Any character that is NOT in this class: [#\s], any number of repetitions /// Match expression but don't capture it. [#[\S]*], zero or one repetitions /// #[\S]* /// # /// Any character in this class: [\S], any number of repetitions /// End of line or string |
Example Payload |
Here is an example payloads taken from HTTPrint (http://net-square.com/httprint/) that will trigger this rule. 127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA |
Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs. --1167a167-A-- [14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80 --1167a167-B-- ^V^C --1167a167-F-- --1167a167-H-- Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03 Stopwatch: 1284479503453580 43606 (4888 42377 -) Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8. Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2 --1167a167-Z-- |
Attack Scenarios |
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting Other times, these are caused by poorly written web clients. |
Ease of Attack |
Easy |
Ease of Detection |
Easy with either regular expressions or by monitoring Apache error logging in phase:5 |
False Positives |
None known |
False Negatives |
None known |
Rule Maturity |
8 |
Rule Accuracy |
8 |
Rule Documentation Contributor(s) | |
Additional References |
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 |