29.01.2013

ModSecurity Alert Management - OpenSource Training


Open Source Trends 2012, Steinfurt
Christian Bockermann - chris @ jwall.org

--edb3cf77-A--
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443

--edb3cf77-B--
GET /cart/ HTTP/1.1
Connection: Keep-Alive
Host: example.xom
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

--edb3cf77-E--
The page cannot be found
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.Internet Information Services (IIS)
Technical Information (for support personnel)
...

--edb3cf77-F--
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=55
Connection: Keep-Alive

--edb3cf77-H--
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]
Apache-Handler: proxy-server
Stopwatch: 1256057413859166 67702 (355 47563 67008)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g

--edb3cf77-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"

--edb3cf77-Z--

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

--edb3cf77-A--<br />

[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />

--edb3cf77-B--<br />

GET /cart/ HTTP/1.1<br />

Connection: Keep-Alive<br />

Host: example.xom<br />

Pragma: no-cache<br />

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />

Accept-Language: en<br />

Accept-Charset: iso-8859-1,*,utf-8<br />

--edb3cf77-E--<br />

<br />

The page cannot be found<br />

<br />

<br />

BODY { font: 8pt/12pt verdana }<br />

H1 { font: 13pt/15pt verdana }<br />

H2 { font: 8pt/12pt verdana }<br />

A:link { color: red }<br />

A:visited { color: maroon }<br />

<br />

<br />

The page cannot be found<br />

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />

<br />

<br />

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />

If you reached this page by clicking a link, contact<br />

the Web site administrator to alert them that the link is incorrectly formatted.<br />

<br />

Click the Back button to try another link.<br />

<br />

HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />

<br />

Technical Information (for support personnel)<br />

...<br />

--edb3cf77-F--<br />

HTTP/1.1 404 Not Found<br />

Content-Length: 1635<br />

Content-Type: text/html<br />

Vary: Accept-Encoding<br />

Keep-Alive: timeout=15, max=55<br />

Connection: Keep-Alive<br />

--edb3cf77-H--<br />

Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />

requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />

Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score<br />

(score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />

Apache-Handler: proxy-server<br />

Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />

Response-Body-Transformed: Dechunked<br />

Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />

Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />

--edb3cf77-K--<br />

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />

960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />

SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />

SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />

{matched_var_name}=%{matched_var}"<br />

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />

SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />

SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />

SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />

SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />

--edb3cf77-Z--<br />

