fzaninotto/uptime

Got caught by mod-security


I was reading modsec_audit.log when my uptime installation popped out, caught by the OWASP CRS mod-security rules.

The rule is this: Missing/Empty Accept Header

--b525f743-A--
[09/Nov/2014:21:24:00 +0100] VF-NYH8AAAEAACWMWBAAAAAA xxx.xxx.xxx.xxx 32788 xxx.xxx.xxx.xxx 80
--b525f743-B--
GET / HTTP/1.1
User-Agent: NodeUptime/3.0 (https://github.com/fzaninotto/uptime)
Host: MYDOMAIN.TLD
Connection: keep-alive

--b525f743-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 202
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--b525f743-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

--b525f743-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/oswap/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1415564640507130 5381 (- - -)
Stopwatch2: 1415564640507130 5381; combined=761, p1=401, p2=149, p3=0, p4=0, p5=210, sr=101, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--b525f743-Z--
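The following is an added example, not part of the original issue or of the uptime project: a small Node.js parser that splits one serial-format audit-log entry like the one above into its lettered parts, then reports which rule fired and whether the logged request carried an `Accept` header. The names `SAMPLE_ENTRY`, `splitSections` and `summarize` are hypothetical, and the sample entry is constructed by trimming the entry in the report.

```javascript
// SAMPLE_ENTRY is constructed: a trimmed copy of the entry in the report
// (parts F and E dropped, Message line shortened to id, msg and severity).
const SAMPLE_ENTRY = [
  '--b525f743-A--',
  '[09/Nov/2014:21:24:00 +0100] VF-NYH8AAAEAACWMWBAAAAAA xxx.xxx.xxx.xxx 32788 xxx.xxx.xxx.xxx 80',
  '--b525f743-B--',
  'GET / HTTP/1.1',
  'User-Agent: NodeUptime/3.0 (https://github.com/fzaninotto/uptime)',
  'Host: MYDOMAIN.TLD',
  'Connection: keep-alive',
  '',
  '--b525f743-H--',
  'Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]',
  'Action: Intercepted (phase 2)',
  '',
  '--b525f743-Z--',
].join('\n');

// Split an entry into its lettered parts (A, B, F, E, H, ...), keyed by letter.
function splitSections(entry) {
  const sections = {};
  let current = null;
  for (const line of entry.split(/\r?\n/)) {
    const m = /^--([0-9a-fA-F]+)-([A-Z])--$/.exec(line);
    if (m) { current = m[2]; sections[current] = []; }
    else if (current) sections[current].push(line);
  }
  return sections;
}

// Summarise the request headers (part B) and every rule message (part H).
function summarize(entry) {
  const s = splitSections(entry);
  const headers = Object.create(null);
  for (const line of (s.B || []).slice(1)) {      // skip the request line
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const rules = (s.H || []).filter(l => l.startsWith('Message:')).map(l => ({
    id: (/\[id "(\d+)"\]/.exec(l) || [])[1] || null,
    msg: (/\[msg "([^"]*)"\]/.exec(l) || [])[1] || null,
  }));
  return { userAgent: headers['user-agent'] || null, hasAccept: 'accept' in headers, rules };
}

console.log(summarize(SAMPLE_ENTRY));
```

Run over a full audit log split on the `-Z--` boundary, the same summary groups blocked requests by user agent and rule id, which separates monitoring probes that simply omit `Accept` from other traffic hitting the same rule.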