logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.




Mod_Security Protocol Error

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Mon 29 May '06 16:59    Post subject: Mod_Security Protocol Error Reply with quote

I'm getting these errors out of Mod_Security frequently.
Can anyone shed any more light on these errors? Are they real or do I have a config problem?

Quote:
==f46c0000==============================
Request: pic.myjpegpicdomain.com 123.456.109.10 - - [22/May/2006:10:27:56 --0300] "GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0" 403 427 "http://picrefeeerer.mydomain.com/" "Mozilla/4.73 [en] (Win95; U)" - "-"
----------------------------------------
GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0
Referer: http://picrefeeerer.mydomain.com/
Connection: Keep-Alive
User-Agent: Mozilla/4.73 [en] (Win95; U)
Host: pic.myjpegpicdomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!^HTTP/(0\\.9|1\\.0|1\\.1)$" at SERVER_PROTOCOL [msg "Common attacks"]

May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0 403 Forbidden
Alternates: {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 616}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 624}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 503}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language es} {length 681}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 647}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 536}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 666}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 571}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 574}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 594}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 530}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 617}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 716}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 636}}
Vary: accept-language,accept-charset
Content-Length: 427
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--f46c0000--


It looks to me like it is rejecting the Protocol. If I am following the Regular Expression, it seems to be wanting "HTTP/0.9", "HTTP/1.0", "HTTP/1.1". But the error is always on a supposedly acceptable "HTTP/1.0"

Steffen's Apache 2.2.0 PHP 5.1.2 Mod_Security 1.9.2
within the "Common Attacks" section
Config check line looks like

Quote:
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2661
Location: Hilversum, NL, EU

PostPosted: Mon 29 May '06 17:07    Post subject: Reply with quote

Loos ok for me, is not a valid request:

GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0


I am also using with 1.9.4:

SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

Note: better upgrade to 1.9.4, quite some changes since 1.9.2.

Steffen
Back to top
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Mon 29 May '06 23:51    Post subject: Reply with quote

Thnx Steffen for the quick comment.

Will upgrade to 1.9.4 soon.

Perhaps the GET is incorrect, but why is it kicking out on a "Protocol Error"?

The site in question simply delivers a JPG image:

Quote:
DirectoryIndex "MyPic.jpg"


- Art
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2661
Location: Hilversum, NL, EU

PostPosted: Mon 29 May '06 23:55    Post subject: Reply with quote

The "HTTP/1.0"is not at the correct place in the request.

Steffen
Back to top
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Tue 30 May '06 3:02    Post subject: Reply with quote

OK. The Regular expression is looking for the Http/1.0 at the beginning or end of the line.

Its interesting to note that its always "Mozilla/4.73" and "Win95"

But I cannot control this GET! This is a function of the client browser, right?
And its kicking everone with Mozilla/4.73 & Win 95! That mean Mozilla/4.73/Win95 is issuing non-standard Get's ?

- Art
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules
Page 1 of 1