ModSecurity Alert Management - OpenSource Training
ModSecurity Alert Management - OpenSource Training
ModSecurity Alert Management - OpenSource Training
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
--edb3cf77-A--<br />
[21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443<br />
--edb3cf77-B--<br />
GET /cart/ HTTP/1.1<br />
Connection: Keep-Alive<br />
Host: example.xom<br />
Pragma: no-cache<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)<br />
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />
Accept-Language: en<br />
Accept-Charset: iso-8859-1,*,utf-8<br />
--edb3cf77-E--<br />
<br />
The page cannot be found<br />
<br />
<br />
BODY { font: 8pt/12pt verdana }<br />
H1 { font: 13pt/15pt verdana }<br />
H2 { font: 8pt/12pt verdana }<br />
A:link { color: red }<br />
A:visited { color: maroon }<br />
<br />
<br />
The page cannot be found<br />
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.<br />
<br />
<br />
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.<br />
If you reached this page by clicking a link, contact<br />
the Web site administrator to alert them that the link is incorrectly formatted.<br />
<br />
Click the Back button to try another link.<br />
<br />
HTTP Error 404 - File or directory not found.Internet Information Services (IIS)<br />
<br />
Technical Information (for support personnel)<br />
...<br />
--edb3cf77-F--<br />
HTTP/1.1 404 Not Found<br />
Content-Length: 1635<br />
Content-Type: text/html<br />
Vary: Accept-Encoding<br />
Keep-Alive: timeout=15, max=55<br />
Connection: Keep-Alive<br />
--edb3cf77-H--<br />
Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header<br />
requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"]<br />
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score<br />
5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]<br />
Apache-Handler: proxy-server<br />
Stopwatch: 1256057413859166 67702 (355 47563 67008)<br />
Response-Body-Transformed: Dechunked<br />
Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1.<br />
Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g<br />
--edb3cf77-K--<br />
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"<br />
SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:<br />
960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ"<br />
SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"<br />
SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%<br />
{matched_var_name}=%{matched_var}"<br />
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"<br />
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"<br />
SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX"<br />
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"<br />
SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"<br />
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"<br />
--edb3cf77-Z--<br />
Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org