<div>AK-Palme,</div>
<div>I have seen this issue before. If you look at the first SecDefaultAction directive in the rules.conf file (<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
</a>) you will see that it is using the "t:lowercase" transformation function -</div>
<div> </div>
<div>#Configure for your site<br>SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"<br> </div>
<div>This means that all of the rules that follow need to be written in lowercase and this is why the next rule is matching on all requests. It should have been written like this -</div>
<div><br>#Enforce proper HTTP requests<br>SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"<br> </div>
<div>Just an FYI - you should consider using the open source Core Rules found on the ModSecurity site - <a href="http://www.modsecurity.org/projects/rules/index.html">http://www.modsecurity.org/projects/rules/index.html</a>
. If you run into any issues with ModSecurity itself and/or with the Core Rules, you should also sign up for the official ModSecurity mail-list -</div>
<div><a href="https://lists.sourceforge.net/lists/listinfo/mod-security-users">https://lists.sourceforge.net/lists/listinfo/mod-security-users</a>. This current mail-list is mainly for the GotRoot rule sets.</div>
<div> </div>
<div>-- <br>Ryan C. Barnett<br>ModSecurity Community Manager<br>Breach Security: Director of Application Security Training<br>Web Application Security Consortium (WASC) Member<br>CIS Apache Benchmark Project Lead<br>SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
<br>Author: Preventing Web Attacks with Apache<br><br> </div>
<div><span class="gmail_quote">On 11/5/07, <b class="gmail_sendername">AK-Palme</b> <<a href="mailto:ak-palme@ak-palme.de">ak-palme@ak-palme.de</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi,<br>I am new to mod-security. I am using apache2 with mod-security2 on<br>Debian. I downloaded the rulesets from
<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf.">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf.
</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf.">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf.
</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf.">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf.</a>..<br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf.">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf.
</a>..<br><br>and first all websites stopped working until I disabled<br>SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"<br>"id:340000,severity:1,msg:'Bad HTTP Protocol'"<br><br>To use the MediaWiki I had to disable several rules, too.
<br><br>I wonder if I am the only one with this errors or if the project is not<br>maintained anymore. Because the rules-files on the Server are almose 1<br>year old, too..<br><br>Greetings,<br>AK-Palme<br>_______________________________________________
<br>Modsecurity mailing list<br><a href="mailto:Modsecurity@gotroot.com">Modsecurity@gotroot.com</a><br><a href="http://lists.gotroot.com/mailman/listinfo/modsecurity">http://lists.gotroot.com/mailman/listinfo/modsecurity
</a><br></blockquote></div>