Hello all, this is my first encounter with this mailing list and I (probably) have a noobish question...
I'm running mod_security 2.5.11 on an Apache 2.x web server with the 2.0.8 core rule set. The only webapp which Apache serves is a freshly installed, up-to-date Drupal 6.19. After installing the core rules and turning the filter engine on, I'm seeing weird entries in the audit_log like the following:

---------------------------------------
--e640b336-A--
[05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
--e640b336-B--
GET / HTTP/1.0
Host: fl0.xxx.xx
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Referer: http://fl0.ath.cx/
Cookie: SESSfed0fce205fc7295ffe987ef538e635b=39i0rkv38ov7e8l1atl3jjg5l4
If-Modified-Since: Tue, 05 Oct 2010 16:00:39 GMT
Via: 1.1 proxy (squid)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive
--e640b336-F--
HTTP/1.1 200 OK
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 16:00:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1867
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
--e640b336-H--
Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1286294449838083 140002 (1358 2902 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.14 (Ubuntu)
--e640b336-Z--
------------------------

"modsecurity_crs_62_my.conf" is basically a copy of "modsecurity_crs_23_request_limits.conf" because I wanted to experiment with that rule; actually I haven't changed anything in both files. The same messages appear for several CSS files which are requested by my client. The HTTP policy settings are the following:

------------------------
#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there is a high rate
# of false positives. Uncomment the items you wish to set.
#
## Maximum number of arguments in request limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=500"
## Limit argument name length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=200"
## Limit value name length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
## Limit arguments total length
SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
## Individual file size is limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
## Combined file size is limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
----------------------

Can someone please explain to me what is happening here? From what I know at the moment, I think mod_sec complains about having "0" arguments in the GET request?
I have "googled" this of course, but couldn't find any sufficient answer. I hope you guys can help me out. Cheers, Flo
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
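A parser for the audit-log entry format shown in the post above, as an added example that is not part of the original message and not code from the ModSecurity or CRS projects. It assumes the serial audit-log layout seen in the excerpt (boundary lines of the form `--<id>-<letter>--`, section A with timestamp and endpoints, B with the request, F with the response headers, H with the `Message:` lines, Z as terminator). `SAMPLE` is constructed from the poster's excerpt, with the masked addresses and the rule ids 1 and 2 kept as posted; `argless_arg_alerts` is my own heuristic, not a CRS function.

```python
"""Parse ModSecurity 2.x serial audit-log entries into structured records.

Added example for this thread, not code from the original post or from the
ModSecurity/CRS projects. SAMPLE below is constructed from the post's excerpt.
"""
import re
from collections import Counter

# Section boundary line: --<8 hex chars>-<section letter>--   (Z ends an entry)
BOUNDARY_RE = re.compile(r"^--([0-9a-f]{8})-([A-Z])--[ \t]*$", re.M)
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
AUDIT_A_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
# [key "value"] tags that follow the free text of a section-H "Message:" line
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed from the post (masked IP and host kept as the poster wrote them).
SAMPLE = """\
--e640b336-A--
[05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
--e640b336-B--
GET / HTTP/1.0
Host: fl0.xxx.xx
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64) Firefox/3.6.10
Cookie: SESSfed0fce205fc7295ffe987ef538e635b=39i0rkv38ov7e8l1atl3jjg5l4
Connection: keep-alive
--e640b336-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
--e640b336-H--
Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.14 (Ubuntu)
--e640b336-Z--
"""


def split_entries(text):
    """Return [(entry_id, {section_letter: body}), ...] for each complete entry."""
    marks = list(BOUNDARY_RE.finditer(text))
    entries, sections = [], {}
    for i, m in enumerate(marks):
        entry_id, letter = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if letter == "Z":                      # closing boundary: entry complete
            entries.append((entry_id, sections))
            sections = {}
        else:
            sections[letter] = text[m.end():end].strip()
    return entries


def parse_entry(entry_id, sections):
    """Turn one entry's sections into a flat record with parsed H messages."""
    rec = {"id": entry_id, "headers": {}, "messages": []}
    a = AUDIT_A_RE.match(sections.get("A", ""))
    if a:
        rec.update(timestamp=a.group(1), unique_id=a.group(2),
                   client=(a.group(3), int(a.group(4))),
                   server=(a.group(5), int(a.group(6))))
    b_lines = sections.get("B", "").splitlines()
    if b_lines:
        parts = b_lines[0].split()
        rec["method"] = parts[0]
        rec["target"] = parts[1] if len(parts) > 1 else ""
        # On a GET, ARGS can only come from the query string, so record if one exists.
        rec["has_query_args"] = "?" in rec["target"]
        for line in b_lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                rec["headers"][name.strip().lower()] = value.strip()
    f_lines = sections.get("F", "").splitlines()
    if f_lines and len(f_lines[0].split()) > 1:
        rec["status"] = int(f_lines[0].split()[1])
    for line in sections.get("H", "").splitlines():
        if line.startswith("Message: "):
            tags = dict(TAG_RE.findall(line))            # file, line, id, rev, msg, severity
            tags["match"] = line[len("Message: "):].split(" [", 1)[0]
            rec["messages"].append(tags)
    return rec


def parse_audit_log(text):
    return [parse_entry(eid, secs) for eid, secs in split_entries(text)]


def rule_hits(records):
    """Count alerts per (rule id, msg) across all entries."""
    return Counter((m.get("id"), m.get("msg")) for r in records for m in r["messages"])


def argless_arg_alerts(records):
    """(unique_id, rule id) for ARGS-based alerts on GETs whose target has no query string.

    Heuristic of this example: such a request has nothing for an argument-length
    rule to measure, so the rule itself deserves a look before the traffic does.
    """
    out = []
    for r in records:
        if r.get("method") != "GET" or r.get("has_query_args"):
            continue
        for m in r["messages"]:
            if "ARGS" in m.get("match", ""):
                out.append((r["unique_id"], m["id"]))
    return out


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE)
    for (rid, msg), n in rule_hits(records).items():
        print(f"rule {rid}: {n} hit(s) - {msg}")
    for uid, rid in argless_arg_alerts(records):
        print(f"{uid}: rule {rid} fired on a GET with no query string")
```

Pointed at a real `modsec_audit.log` in serial format, `rule_hits` gives the per-rule counts that decide which rule to tune first, and `argless_arg_alerts` isolates the kind of entry the poster asks about: a limit rule firing on a request line that carries no arguments at all.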
