Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org
--edb3cf77-A-- [21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443 --edb3cf77-B-- GET /cart/ HTTP/1.1 Connection: Keep-Alive Host: example.xom Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 --edb3cf77-E-- The page cannot be found BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } The page cannot be found The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly. If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. Click the Back button to try another link. HTTP Error 404 - File or directory not found.Internet Information Services (IIS) Technical Information (for support personnel) ... --edb3cf77-F-- HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Vary: Accept-Encoding Keep-Alive: timeout=15, max=55 Connection: Keep-Alive --edb3cf77-H-- Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] Message: Warning. Operator GE matched 5 at TX:anomaly_score. 
[file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] Apache-Handler: proxy-server Stopwatch: 1256057413859166 67702 (355 47563 67008) Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1. Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g --edb3cf77-K-- SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION" SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ" SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK" SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES" SecRule "TX:ANOMALY_SCORE" "@ge 5" 
"phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'" --edb3cf77-Z-- Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org