Hi,
I have had this issue with the previous 2.2.9 version too, but I am not really sure 
whether it is related to mod_security itself or to the CRS. The problem is with some 
Windows machines; below is the example from one of our corporate users, who is 
working on a Windows 7 machine. I am pretty sure the machine is not infected by 
malware or something, and this problem occurs on FF, Chrome, Opera and IE. But in 
combination with fail2ban, this cuts him off from the web server every time he is 
trying to access the company website. Do you guys have any idea what is causing this?

[Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client 213.81.82.201] 
ModSecurity: Warning. Match of "pm 
AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file 
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] 
[severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag 
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag 
"attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] 
[tag "WASCTC/WASC-21"] [tag 
"OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"WCs3QX8AAQEAAHrKJTMAAAAF"]
[Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client 213.81.82.201] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
 ..." at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
 [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication 
bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within 
REQUEST_COOKIES:OutlookSession: 
\\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag 
"language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag 
"paranoia-level/2"] [hostname "domain.com"] [uri 
"/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
[Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client 213.81.82.201] 
ModSecurity: Warning. Match of "pm AppleWebKit Android" against 
"REQUEST_HEADERS:User-Agent" required. [file 
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] 
[severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag 
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag 
"attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] 
[tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag 
"paranoia-level/2"] [hostname "domain.com"] [uri 
"/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
[Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client 213.81.82.201] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
 ..." at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
 [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication 
bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within 
REQUEST_COOKIES:OutlookSession: 
\\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag 
"language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag 
"paranoia-level/2"] [hostname "domain.com"] [uri 
"/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
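
The second entry in each pair above is the one that returns the 403: rule 942260 (a paranoia-level-2 SQLi check) matches the OutlookSession cookie, whose value is a GUID wrapped in double quotes, on the autodiscover URI; rule 920300 is only a NOTICE and does not block. The following is an added example, not from the original post, of a targeted CRS rule exclusion (rule id 1001 and the file name are assumptions following CRS 3.0 conventions) that removes only that cookie from that one rule on that one path, so the remaining SQLi rules stay active and fail2ban never sees the false 403:

```apache
# Constructed example: place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# (evaluated before the CRS rules, which is required for ctl: exclusions).
# Narrow scope on purpose: only the autodiscover endpoint, only rule 942260,
# only the REQUEST_COOKIES:OutlookSession target. Everything else still runs.
SecRule REQUEST_URI "@beginsWith /autodiscover/autodiscover.xml" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:OutlookSession"
```

After reloading Apache, the entry for id 942260 on that URI should no longer appear in the error log, which is what the fail2ban filter keys on.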

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set