ModSecurity CRS RuleID-981227

Rule ID: 981227
Detailed Rule Information  There are some request violations that Apache will handle internally, prior to the ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get visibility by running a check in phase:5 logging to look for the Apache error msg.

Example Payload  Here is an example payloads taken from the access_log:

127.0.0.1 - - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226 Example Audit Log Entry  Include an example ModSecurity Audit Log Entry for when this rule matchs. --57ae6b4f-A-- [06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 127.0.0.1 62905 127.0.0.1 80 --57ae6b4f-B-- GET / HTTP/1.1 Host: local User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

--57ae6b4f-F-- HTTP/1.1 400 Bad Request Content-Length: 226 Connection: close Content-Type: text/html; charset=iso-8859-1

--57ae6b4f-E-- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 400 Bad Request Bad Request Your browser sent a request that this server could not understand.

--57ae6b4f-H-- Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"] [severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag "RULE_CONFIDENCE_LEVEL/5"] Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1 Stopwatch: 1304695344229544 6998 (- - -) Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.6.0-rc2 (http://www.modsecurity.org/); core ruleset/2.2.0. Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2

Attack Scenarios  Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting Other times, these are caused by poorly written web clients. Ease of Attack  Easy Ease of Detection  Easy with either regular expressions or by monitoring Apache error logging in phase:5 False Positives  None known If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives Send FP Report emails here: mod-security-report-false-positiveslists.sourceforge.net False Negatives  None known <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy Level <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > 5 5 point scale where: 1 = Beta/Experimental and/or high number of false positives reported 5 = Strong Rule and/or no false positives reported <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s) <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > Ryan Barnett - ryan.barnettowasp.org <td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1