ModSecurity CRS RuleID-981227

Revision as of 10:27, 6 May 2011 by Rcbarnett (Talk | contribs)


Rule ID: 981227

Rule ID

981227

Rule Message

Apache Error: Invalid URI in Request

Rule Summary

Identify Invalid URIs Blocked by Apache


4 - Warning


SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',

Detailed Rule Information

There are some request violations that Apache handles internally, before the
ModSecurity phase:1 POST-READ-REQUEST hook runs.  For these requests, we can still get
visibility by running a check in the phase:5 logging phase that looks for the Apache error message.

Example Payload

Here is an example payload taken from the access_log:

- - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226

Example Audit Log Entry

[06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 62905 80
        GET / HTTP/1.1
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060909 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />

Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] 
[line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"] 
[severity "WARNING"] [tag ""] [tag ""] 
Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1
Stopwatch: 1304695344229544 6998 (- - -)
Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0-rc2 (; core ruleset/2.2.0.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2

Attack Scenarios

Some malformed URIs are created on purpose as part of HTTP fingerprinting scans.

Other times, these are caused by poorly written web clients.

Ease of Attack


Ease of Detection

Easy with either regular expressions or by monitoring Apache error logging in phase:5
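
The error-log monitoring described above can also be done offline against the Apache error_log itself. The following is an added example, not part of the CRS or of this page: it assumes the Apache 2.2 error_log layout `[date] [level] [client IP] message`, and the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed Apache 2.2 error_log layout: [date] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"Invalid URI in request (?P<request>.*)$"
)
METHOD_RE = re.compile(r"^[A-Z]+ ")


def parse_invalid_uri(line):
    """Return (client, request_line, reason), or None for unrelated lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    req = m.group("request")
    if req.startswith("\\"):
        # Apache writes control bytes escaped, e.g. a leading tab as \t
        reason = "escaped control character before the method"
    elif not METHOD_RE.match(req):
        reason = "request line does not start with a method token"
    else:
        reason = "URI rejected by Apache"
    return m.group("client"), req, reason


def summarize(lines, threshold=3):
    """Count rejected requests per client; return clients at or above threshold."""
    hits = Counter()
    for line in lines:
        parsed = parse_invalid_uri(line)
        if parsed:
            hits[parsed[0]] += 1
    return {c: n for c, n in hits.items() if n >= threshold}


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    r"[Fri May 06 11:22:24 2011] [error] [client 192.0.2.10] Invalid URI in request \tGET / HTTP/1.1",
    r"[Fri May 06 11:22:25 2011] [error] [client 192.0.2.10] Invalid URI in request GET index.html HTTP/1.1",
    r"[Fri May 06 11:22:26 2011] [error] [client 192.0.2.10] Invalid URI in request \x01GET / HTTP/1.1",
    r"[Fri May 06 11:23:01 2011] [error] [client 192.0.2.20] File does not exist: /usr/local/apache/htdocs/favicon.ico",
    r"[Fri May 06 11:24:10 2011] [error] [client 192.0.2.30] Invalid URI in request GET index.html HTTP/1.1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A client that produces several of these errors in a short window is more likely a scanner than a single broken web client, so the per-client count is the useful signal.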

False Positives

None known

False Negatives

None known

Rule Accuracy Level

5 point scale where:
1 = Beta/Experimental and/or high number of false positives reported
5 = Strong Rule and/or no false positives reported

Rule Documentation Contributor(s)

Ryan Barnett

Additional References