Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Mod_Security Protocol Error |
|
Author |
|
ArtM
Joined: 23 Feb 2006 Posts: 59 Location: Bedford NS Canada
|
Posted: Mon 29 May '06 16:59 Post subject: Mod_Security Protocol Error |
|
|
I'm getting these errors out of Mod_Security frequently.
Can anyone shed any more light on these errors? Are they real or do I have a config problem?
Quote: | ==f46c0000==============================
Request: pic.myjpegpicdomain.com 123.456.109.10 - - [22/May/2006:10:27:56 --0300] "GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0" 403 427 "http://picrefeeerer.mydomain.com/" "Mozilla/4.73 [en] (Win95; U)" - "-"
----------------------------------------
GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0
Referer: http://picrefeeerer.mydomain.com/
Connection: Keep-Alive
User-Agent: Mozilla/4.73 [en] (Win95; U)
Host: pic.myjpegpicdomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!^HTTP/(0\\.9|1\\.0|1\\.1)$" at SERVER_PROTOCOL [msg "Common attacks"]
May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0 403 Forbidden
Alternates: {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 616}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 624}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 503}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language es} {length 681}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 647}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 536}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 666}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 571}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 574}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 594}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 680}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 530}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 617}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 716}}, {"HTTP_FORBIDDEN.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 636}}
Vary: accept-language,accept-charset
Content-Length: 427
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--f46c0000--
|
It looks to me like it is rejecting the Protocol. If I am following the Regular Expression, it seems to be wanting "HTTP/0.9", "HTTP/1.0", "HTTP/1.1". But the error is always on a supposedly acceptable "HTTP/1.0"
Steffen's Apache 2.2.0 PHP 5.1.2 Mod_Security 1.9.2
within the "Common Attacks" section
Config check line looks like
Quote: | # Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" |
|
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Mon 29 May '06 17:07 Post subject: |
|
|
Loos ok for me, is not a valid request:
GET /?Mon May 22 10:25:41 GMT-0300 (Atlantic Daylight Time) 2006/ HTTP/1.0
I am also using with 1.9.4:
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
Note: better upgrade to 1.9.4, quite some changes since 1.9.2.
Steffen |
|
Back to top |
|
ArtM
Joined: 23 Feb 2006 Posts: 59 Location: Bedford NS Canada
|
Posted: Mon 29 May '06 23:51 Post subject: |
|
|
Thnx Steffen for the quick comment.
Will upgrade to 1.9.4 soon.
Perhaps the GET is incorrect, but why is it kicking out on a "Protocol Error"?
The site in question simply delivers a JPG image:
Quote: | DirectoryIndex "MyPic.jpg" |
- Art |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Mon 29 May '06 23:55 Post subject: |
|
|
The "HTTP/1.0"is not at the correct place in the request.
Steffen |
|
Back to top |
|
ArtM
Joined: 23 Feb 2006 Posts: 59 Location: Bedford NS Canada
|
Posted: Tue 30 May '06 3:02 Post subject: |
|
|
OK. The Regular expression is looking for the Http/1.0 at the beginning or end of the line.
Its interesting to note that its always "Mozilla/4.73" and "Win95"
But I cannot control this GET! This is a function of the client browser, right?
And its kicking everone with Mozilla/4.73 & Win 95! That mean Mozilla/4.73/Win95 is issuing non-standard Get's ?
- Art |
|
Back to top |
|
|
|
|
|
|