Hi Flo,

Can you show us lines 22 and 26 of modsecurity_crs_62_my.conf?

--
- Josh

On Tue, Oct 5, 2010 at 6:21 PM, Florian Lier <[email protected]> wrote:

> Hello all,
>
> this is my first encounter with this mailing list and I
> (probably) have a noobish question...
>
> I'm running mod_security 2.5.11 on an Apache 2.x
> WS with the 2.0.8 core rule set. The only webapp
> which Apache serves is a freshly installed up-to-date
> drupal 6.19.
>
> After having the core rules installed and set the filter engine
> on I'm experiencing weird logs in the audit_log like the following:
>
> ---------------------------------------
>
> --e640b336-A--
> [05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
> --e640b336-B--
> GET / HTTP/1.0
> Host: fl0.xxx.xx
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Referer: http://fl0.ath.cx/
> Cookie: SESSfed0fce205fc7295ffe987ef538e635b=39i0rkv38ov7e8l1atl3jjg5l4
> If-Modified-Since: Tue, 05 Oct 2010 16:00:39 GMT
> Via: 1.1 proxy (squid)
> X-Forwarded-For: unknown
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> --e640b336-F--
> HTTP/1.1 200 OK
> Expires: Sun, 19 Nov 1978 05:00:00 GMT
> Last-Modified: Tue, 05 Oct 2010 16:00:49 GMT
> Cache-Control: store, no-cache, must-revalidate
> Cache-Control: post-check=0, pre-check=0
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 1867
> Keep-Alive: timeout=15, max=98
> Connection: Keep-Alive
> Content-Type: text/html; charset=utf-8
>
> --e640b336-H--
> Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
> Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
> Apache-Handler: application/x-httpd-php
> Stopwatch: 1286294449838083 140002 (1358 2902 -)
> Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.8.
> Server: Apache/2.2.14 (Ubuntu)
>
> --e640b336-Z--
>
> ------------------------
>
> "modsecurity_crs_62_my.conf" is basically a copy of
> "modsecurity_crs_23_request_limits.conf" because I wanted to
> experiment with that rule, actually I haven't changed anything
> in both files. The same messages apply for several "css" files
> which are requested by my client.
>
> The HTTP Policy Settings are the following:
>
> ------------------------
>
> #
> # -=[ HTTP Policy Settings ]=-
> # Set the following policy settings here and they will be propagated to the 23 rules
> # file (modsecurity_common_23_request_limits.conf) by using macro expansion.
> # If you run into false positives, you can adjust the settings here.
> #
> # Only the max number of args is uncommented by default as there are a high rate
> # of false positives. Uncomment the items you wish to set.
> #
> ## Maximum number of arguments in request limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=500"
>
> ## Limit argument name length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=200"
>
> ## Limit value name length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
>
> ## Limit arguments total length
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
>
> ## Individual file size is limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
>
> ## Combined file size is limited
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
>
> ----------------------
>
> Can someone please explain to me what is happening here?
> From what I know atm, I think mod_sec complains about having
> "0" arguments in the GET request? I have "googled" this of course,
> but couldn't find any sufficient answer. I hope you guys can help me
> out.
>
> Cheers, Flo
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
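Added example, not part of the thread and not ModSecurity project code: a small parser for the audit-log entry quoted above that splits it into its lettered sections and pulls the rule file, line and id out of each section-H `Message:` line, which is the information needed to look up lines 22 and 26. The names `split_sections` and `rule_hits` are hypothetical, and `SAMPLE` is a shortened copy of the quoted entry constructed for the example.

```python
import re

# Constructed sample: a shortened copy of the audit-log entry quoted in the thread.
SAMPLE = '''--e640b336-A--
[05/Oct/2010:18:00:49 +0200] TKtLsX8AAQEAAGMRAskAAAAB xxx.xxx.xxx.12 48772 192.168.1.4 80
--e640b336-B--
GET / HTTP/1.0
Host: fl0.xxx.xx

--e640b336-H--
Message: Operator GT matched 0 at ARGS_NAMES. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "22"] [id "1"] [rev "2.0.8"] [msg "Argument name too long"] [severity "WARNING"]
Message: Operator GT matched 0 at ARGS. [file "/etc/apache2/conf.d/modsecurity/msconfs/base_rules/modsecurity_crs_62_my.conf"] [line "26"] [id "2"] [rev "2.0.8"] [msg "Argument value too long"] [severity "WARNING"]
Server: Apache/2.2.14 (Ubuntu)

--e640b336-Z--
'''

# Section boundary, e.g. "--e640b336-H--": entry id, then the section letter.
BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')
# "Message: Operator GT matched 0 at ARGS_NAMES. [...]"
MESSAGE = re.compile(r'^Message: Operator (\w+) matched (.*?) at (\S+?)\.\s')
# Bracketed metadata such as [line "22"] or [msg "Argument name too long"].
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def split_sections(text):
    """Return {section letter: [lines]} for one audit-log entry."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def rule_hits(text):
    """Parse the 'Message:' lines of section H into one dict per rule hit."""
    hits = []
    for line in split_sections(text).get('H', []):
        m = MESSAGE.match(line)
        if not m:
            continue  # Other H-section lines (Server:, Stopwatch:, ...) are skipped.
        hit = {'operator': m.group(1), 'matched': m.group(2), 'variable': m.group(3)}
        hit.update(META.findall(line))  # adds file, line, id, rev, msg, severity
        hits.append(hit)
    return hits

if __name__ == '__main__':
    for h in rule_hits(SAMPLE):
        print(f'{h["file"]}:{h["line"]} id={h["id"]} '
              f'{h["operator"]} matched {h["matched"]} at {h["variable"]} ({h["msg"]})')
```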
