logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: Mod_Security Protocol Error
Author
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Mon 29 May '06 16:59    Post subject: Mod_Security Protocol Error Reply with quote

I'm getting these errors out of Mod_Security frequently.
Can anyone shed any more light on these errors? Are they real or do I have a config problem?

Quote:
==f46c0000==============================
Request: pic.myjpegpicdomain.com 123.456.109.10 - - [22/May/2006:10:27:56 --0300] "GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0" 403 427 "http://picrefeeerer.mydomain.com/" "Mozilla/4.73 [en] (Win95; U)" - "-"
----------------------------------------
GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0
Referer: http://picrefeeerer.mydomain.com/
Connection: Keep-Alive
User-Agent: Mozilla/4.73 [en] (Win95; U)
Host: pic.myjpegpicdomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!^HTTP/(0\\.9|1\\.0|1\\.1)$" at SERVER_PROTOCOL [msg "Common attacks"]

May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0 403 Forbidden
Alternates: {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 616}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 624}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 503}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language es} {length 681}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 647}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 536}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 666}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 571}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 574}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 594}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 530}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 617}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 716}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 636}}
Vary: accept-language,accept-charset
Content-Length: 427
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--f46c0000--


It looks to me like it is rejecting the Protocol. If I am following the Regular Expression, it seems to be wanting "HTTP/0.9", "HTTP/1.0", "HTTP/1.1". But the error is always on a supposedly acceptable "HTTP/1.0"

Steffen's Apache 2.2.0 PHP 5.1.2 Mod_Security 1.9.2
within the "Common Attacks" section
Config check line looks like

Quote:
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Mon 29 May '06 17:07    Post subject: Reply with quote

Loos ok for me, is not a valid request:

GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0


I am also using with 1.9.4:

SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

Note: better upgrade to 1.9.4, quite some changes since 1.9.2.

Steffen
Back to top
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Mon 29 May '06 23:51    Post subject: Reply with quote

Thnx Steffen for the quick comment.

Will upgrade to 1.9.4 soon.

Perhaps the GET is incorrect, but why is it kicking out on a "Protocol Error"?

The site in question simply delivers a JPG image:

Quote:
DirectoryIndex "MyPic.jpg"


- Art
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Mon 29 May '06 23:55    Post subject: Reply with quote

The "HTTP/1.0"is not at the correct place in the request.

Steffen
Back to top
ArtM



Joined: 23 Feb 2006
Posts: 59
Location: Bedford NS Canada

PostPosted: Tue 30 May '06 3:02    Post subject: Reply with quote

OK. The Regular expression is looking for the Http/1.0 at the beginning or end of the line.

Its interesting to note that its always "Mozilla/4.73" and "Win95"

But I cannot control this GET! This is a function of the client browser, right?
And its kicking everone with Mozilla/4.73 & Win 95! That mean Mozilla/4.73/Win95 is issuing non-standard Get's ?

- Art
Back to top


Reply to topic   Topic: Mod_Security Protocol Error View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules