If you have any comments related to this rule (improvements, questions, etc…), please reply to this email thread.
For False Positives, please sign up for https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives Email the FP Report list here: [email protected]<mailto:[email protected]> Rule File: http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf Current Rule: # # Identify Invalid URIs Blocked by Apache # # -=[ Rule Logic ]=- # # There are some request violations that Apache will handle internally, prior to the # ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get # visibility by running a check in phase:5 logging to look for the Apache error msg. # # -=[ References ]=- # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227 # SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" Rule Documentation Page: https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227 ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
