ModSecurity CRS RuleID-960911

Rule
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "t:none,t:lowercase,phase:2,rev:'2.0.8',pass,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

Rule Summary
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
 * Validate request line against the format specified in the HTTP RFC
 * Uses rule negation against the regex for positive security. The regex specifies the proper construction of URI request lines such as:


 * It also outlines proper construction for CONNECT, OPTIONS and GET requests.

Impact
4- Warning.

Detailed Information
Provide detailed information about the rule construction such as:
 * Why the variable list specified was used
 * A description of the regular expression used - what is is looking for in plain english
 * What actions are used and why

Affected Software
If this attack only affects a specific piece of public software (if this is a virtual patch for a public disclosure) specify which info.

Attack Scenarios
Provide any data around "how" the attack is carried out.

Ease of Attack
How easy is it for an attacker to carry out the attack?

Ease of Detection
How easy is it for a defender to use ModSecurity to accurately detect this attack?

False Positives
If there are any known false positives - specify them here

False Negatives
Are there any know issues with evasions or how an attacker might bypass detection?

Corrective Action
Any tuning recommendations for the existing rule?

Contributors
Specify your name and email if you want credit for the rule or documentation of it.

Additional References
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).