<div>So, all you did was to upgrade Apache and ModSecurity and this issue went away? That does not seem right. Can you please send me your configs so I can see how you are calling up your rules and also the contents of that specific rules file that was initially blocking the requests?
</div>
<div> </div>
<div>As to the lowercase transformation function, it was introduced in Mod 2.0.</div>
<div> </div>
<div>Did you sign up for the ModSecurity mail-list (the link I sent previously)?</div>
<div><br>-- <br>Ryan C. Barnett<br>ModSecurity Community Manager<br>Breach Security: Director of Application Security Training<br>Web Application Security Consortium (WASC) Member<br>CIS Apache Benchmark Project Lead<br>
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC<br>Author: Preventing Web Attacks with Apache <br><br></div>
<div class="gmail_quote">On Nov 8, 2007 2:09 AM, Thomas Ammermann <<a href="mailto:thomas.ammermann@digicol.de">thomas.ammermann@digicol.de</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thank you Ryan for explaining this. I ran into the exact same problem and<br>was very happy to find this solution.
<br><br>But all I did was upgrade Apache from 2.2.4 to 2.2.6 and mod_security from<br>2.0.4 to 2.1.3.<br>I did not change anything in my configuration (httpd.conf,<br>mod_security.conf, ...). The Gotroot rules were just copied over from my old
<br>installation.<br><br>Has this "t:lowercase" feature been integrated into mod_security somewhere<br>between 2.0.4 and 2.1.3 ?<br><br>Thanks in advance,<br>Thomas<br><br><br>-----Ursprüngliche Nachricht-----<br>
Von: <a href="mailto:modsecurity-bounces@gotroot.com">modsecurity-bounces@gotroot.com</a><br>[mailto:<a href="mailto:modsecurity-bounces@gotroot.com">modsecurity-bounces@gotroot.com</a>] Im Auftrag von Ryan Barnett<br>Gesendet: Montag, 5. November 2007 18:11
<br>An: AK-Palme<br>Cc: <a href="mailto:modsecurity@gotroot.com">modsecurity@gotroot.com</a><br>Betreff: Re: [Modsecurity] Some initial Problems<br>
<div>
<div></div>
<div class="Wj3C7c"><br>AK-Palme,<br>I have seen this issue before. If you look at the first SecDefaultAction<br>directive in the rules.conf file<br>(<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf" target="_blank">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf</a> )<br>you will see that it is using the "t:lowercase" transformation function -<br><br>#Configure for your site<br>SecDefaultAction<br>
"log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"<br><br>This means that all of the rules that follow need to be written in lowercase<br>and this is why the next rule is matching on all requests. It should have
<br>been written like this -<br><br>#Enforce proper HTTP requests<br>SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$"<br>"id:340000,severity:1,msg:'Bad HTTP Protocol'"<br><br>Just an FYI - you should consider using the open source Core Rules found on
<br>the ModSecurity site - <a href="http://www.modsecurity.org/projects/rules/index.html" target="_blank">http://www.modsecurity.org/projects/rules/index.html</a><br>. If you run into any issues with ModSecurity itself and/or with the Core
<br>Rules, you should also sign up for the official ModSecurity mail-list -<br><a href="https://lists.sourceforge.net/lists/listinfo/mod-security-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/mod-security-users
</a>. This<br>current mail-list is mainly for the GotRoot rule sets.<br><br>--<br>Ryan C. Barnett<br>ModSecurity Community Manager<br>Breach Security: Director of Application Security Training<br>Web Application Security Consortium (WASC) Member
<br>CIS Apache Benchmark Project Lead<br>SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC<br>Author: Preventing Web Attacks with Apache<br><br><br>On 11/5/07, AK-Palme <<a href="mailto:ak-palme@ak-palme.de">ak-palme@ak-palme.de
</a>> wrote:<br><br> Hi,<br> I am new to mod-security. I am using apache2 with mod-security2 on<br> Debian. I downloaded the rulesets from<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf." target="_blank">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf.</a>..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf
</a>.<br><<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf." target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/jitp.conf.</a>><br>..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.con" target="_blank">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.con</a><br>f. ..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
</a><br>...<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.con" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.con</a><br>f.<br><<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.co" target="_blank">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.co</a><br>nf.> ..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules
</a>.<br>conf. ..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf</a>.<br>..<br><br>
<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf</a>.<br><<a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf" target="_blank">
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf</a>.<br>> ..<br><br><a href="http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf" target="_blank">http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/recons.conf
</a>.<br>..<br><br> and first all websites stopped working until I disabled<br> SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"<br> "id:340000,severity:1,msg:'Bad HTTP Protocol'"
<br><br> To use the MediaWiki I had to disable several rules, too.<br><br> I wonder if I am the only one with this errors or if the project is<br>not<br> maintained anymore. Because the rules-files on the Server are almose
<br>1<br> year old, too..<br><br> Greetings,<br> AK-Palme<br> _______________________________________________<br> Modsecurity mailing list<br> <a href="mailto:Modsecurity@gotroot.com">Modsecurity@gotroot.com
</a><br> <a href="http://lists.gotroot.com/mailman/listinfo/modsecurity" target="_blank">http://lists.gotroot.com/mailman/listinfo/modsecurity</a><br><br><br><br><br><br></div></div>_______________________________________________
<br>
<div>
<div></div>
<div class="Wj3C7c">Modsecurity mailing list<br><a href="mailto:Modsecurity@gotroot.com">Modsecurity@gotroot.com</a><br><a href="http://lists.gotroot.com/mailman/listinfo/modsecurity" target="_blank">http://lists.gotroot.com/mailman/listinfo/modsecurity
</a><br></div></div></blockquote></div><br><br clear="all">