ModSecurity Alert Management - OpenSource Training
ModSecurity Alert Management - OpenSource Training
ModSecurity Alert Management - OpenSource Training
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
--edb3cf77-F--<br />
HTTP/1.1 404 Not Found<br />
Content-Length: 1635<br />
Content-Type: text/html<br />
Vary: Accept-Encoding<br />
Keep-Alive: timeout=15, max=55<br />
Connection: Keep-Alive<br />
--edb3cf77-H--<br />
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/<br />
modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-<br />
Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/<br />
modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header<br />
requires Cache-Control Header for HTTP/1.1 requests."]<br />
Apache-Handler: proxy-server<br />
Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />
Response-Body-Transformed: Dechunked<br />
Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />
--edb3cf77-K--<br />
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or<br />
HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires<br />
Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=<br />
+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />
{matched_var_name}=%{matched_var}"<br />
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request<br />
Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:<br />
2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:<br />
2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %<br />
{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />
--edb3cf77-Z--<br />
Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org