This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ModSecurity CRS RuleID-981227"

From OWASP
Jump to: navigation, search
(Created page with "== Rule ID: 981227 == <table style="border-style:double;border-width:3px;" > <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase...")
 
 
Line 109: Line 109:
 
'''None known'''
 
'''None known'''
 
</td></tr>
 
</td></tr>
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy Level</td>
+
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity</td>
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
'''5''' <br>5 point scale where:<br>1 = Beta/Experimental and/or high number of false positives reported<br>5 = Strong Rule and/or no false positives reported
+
'''0'''<br>
 +
10 point scale (0-9) where:<br>0 = Beta/Experimental <br>9 = Heavily Tested
 +
</td></tr>
 +
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td>
 +
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 +
'''9'''<br>
 +
10 point scale (0-9) where:<br>0 = High % of FP<br>5 = No false positives reported
 
</td></tr>
 
</td></tr>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td>

Latest revision as of 17:34, 9 May 2011

Rule ID: 981227

Rule ID

981227

Rule Message

Apache Error: Invalid URI in Request

Rule Summary

Identify Invalid URIs Blocked by Apache

Impact

4 - Warning

Rule

SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',
logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-
sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},
setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Detailed Rule Information
There are some request violations that Apache will handle internally, prior to the
ModSecurity phase:1 POST-READ-REQUEST hook.  For these requests, we can still get
visibility by running a check in phase:5 logging to look for the Apache error msg.
Example Payload

Here is an example payloads taken from the access_log:

127.0.0.1 - - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226
Example Audit Log Entry

Include an example ModSecurity Audit Log Entry for when this rule matchs.

--57ae6b4f-A--
[06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 127.0.0.1 62905 127.0.0.1 80
--57ae6b4f-B--
        GET / HTTP/1.1
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

--57ae6b4f-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

--57ae6b4f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

--57ae6b4f-H--
Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] 
[line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"] 
[severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] 
[tag "RULE_CONFIDENCE_LEVEL/5"]
Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1
Stopwatch: 1304695344229544 6998 (- - -)
Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0-rc2 (http://www.modsecurity.org/); core ruleset/2.2.0.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2

Attack Scenarios

Some malformed URIs are created on purpose as part of HTTP fingerprinting scans -

http://projects.webappsec.org/Fingerprinting

Other times, these are caused by poorly written web clients.

Ease of Attack

Easy

Ease of Detection

Easy with either regular expressions or by monitoring Apache error logging in phase:5

False Positives

None known
If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives
Send FP Report emails here:
mod-security-report-false-positives10xlists.sourceforge.net

False Negatives

None known

Rule Maturity

0
10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

Rule Accuracy

9
10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Rule Documentation Contributor(s)

Ryan Barnett - ryan.barnettJustat.gifowasp.org

Additional References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1