Difference between revisions of "ModSecurity CRS RuleID-981227"

Latest revision as of 11:34, 9 May 2011

Rule ID: 981227

Rule ID

981227
Rule Message

Apache Error: Invalid URI in Request

Rule Summary

Identify Invalid URIs Blocked by Apache


4 - Warning


SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',
Detailed Rule Information
There are some request violations that Apache handles internally, before the
ModSecurity phase:1 POST-READ-REQUEST hook runs. For these requests we can still gain
visibility by running a check in phase:5 (logging) that looks for the Apache error message.
Example Payload

Here is an example payload taken from the access_log:

- - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226
Example Audit Log Entry

An example ModSecurity audit log entry for when this rule matches:

[06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 62905 80
        GET / HTTP/1.1
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060909 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />

Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] 
[line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"] 
[severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] 
Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1
Stopwatch: 1304695344229544 6998 (- - -)
Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0-rc2 (http://www.modsecurity.org/); core ruleset/2.2.0.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
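As an added example (not part of the original wiki page or of the CRS itself), the Python below mirrors what rule 981227 does in phase:5: it scans error-log messages for the @contains string, recovers the offending request line from Apache's escaped form, and labels why the URI was rejected. The sample log lines are constructed in the form of the Apache-Error line of the audit log entry above, and the classification heuristic is this example's own, not Apache's parser.

```python
import re
# The rule's @contains operand, copied from the SecRule on this page.
MATCH_STRING = "Invalid URI in request"

# Constructed sample WEBSERVER_ERROR_LOG messages in the form of the
# "Apache-Error:" line of the audit log entry above (backslashes doubled as there).
SAMPLE_ERROR_LOG = [
    r'[file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1',
    r'[file "core.c"] [line 3504] [level 3] Invalid URI in request GET index.html HTTP/1.1',
    r'[file "mod_ssl.c"] [line 1] [level 3] unrelated message that must not match',
]

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def unescape_apache(text):
    """Turn Apache's C-style log escapes (\\t, \\x09) back into raw characters."""
    text = text.replace("\\\\", "\\")  # audit log shows them doubled; collapse first

    def repl(match):
        token = match.group(1)
        if token.startswith("x"):
            return chr(int(token[1:], 16))
        return _SIMPLE_ESCAPES[token]

    return re.sub(r"\\(x[0-9a-fA-F]{2}|[tnr\\])", repl, text)

def classify(request_line):
    """This example's own heuristic (not Apache's parser) for why the URI failed."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in request_line):
        return "control character in request line"
    tokens = request_line.split(" ")
    if len(tokens) != 3:
        return "request line is not METHOD URI VERSION"
    uri = tokens[1]
    if uri == "*" or uri.startswith("/") or re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", uri):
        return "request-URI looks well-formed"
    return "request-URI is not an absolute path or absolute URI"

def invalid_uri_events(error_log_lines):
    """What rule 981227 does in phase:5: fire on each error-log line containing
    MATCH_STRING, and recover the offending request line for the alert."""
    events = []
    for line in error_log_lines:
        idx = line.find(MATCH_STRING)
        if idx < 0:
            continue  # @contains did not match; the rule stays silent
        request = unescape_apache(line[idx + len(MATCH_STRING):].strip())
        events.append({"request": request, "reason": classify(request)})
    return events
```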

Attack Scenarios

Some malformed URIs are created on purpose as part of HTTP fingerprinting scans.

Other times, they are caused by poorly written web clients.

Ease of Attack


Ease of Detection

Easy, either with regular expressions or by monitoring the Apache error log in phase:5.

False Positives

None known

If you encounter a false positive, sign up for the Reporting False Positives mailing list and report it there: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives

False Negatives

None known

Rule Maturity

10 point scale (0-9) where:
0 = Beta/Experimental
9 = Heavily Tested

Rule Accuracy

10 point scale (0-9) where:
0 = High % of FP
5 = No false positives reported

Rule Documentation Contributor(s)

Ryan Barnett - ryan.barnett [at] owasp.org

Additional References