@code1955
Created March 20, 2014 16:54
Post body inspection does not work
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Initialising transaction (txid UynEl6wQGYEAADhVCKwAAACR).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Adding request cookie: name "ACE_COOKIE", value "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transaction context created (dcfg 19a4f98).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase REQUEST_HEADERS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 60 rule(s).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ade6f0; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "24"] [id "200000"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ade6f0: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "application/json; charset=utf-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 18 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "text/xml" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=utf-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af28b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "98"] [id "900001"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af28b8: SecAction "phase:1,auditlog,status:403,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.critical_anomaly_score=5
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.critical_anomaly_score" to "5".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.error_anomaly_score=4
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.error_anomaly_score" to "4".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.warning_anomaly_score=3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.warning_anomaly_score" to "3".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.notice_anomaly_score=2
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.notice_anomaly_score" to "2".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "98"] [id "900001"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af3c58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "129"] [id "900002"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af3c58: SecAction "phase:1,auditlog,status:403,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.anomaly_score=0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.anomaly_score" to "0".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.sql_injection_score=0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.sql_injection_score" to "0".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.xss_score=0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.xss_score" to "0".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "0".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.outbound_anomaly_score=0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.outbound_anomaly_score" to "0".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "129"] [id "900002"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af7320; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "139"] [id "900003"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af7320: SecAction "phase:1,auditlog,status:403,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score_level=5
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score_level" to "5".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.outbound_anomaly_score_level=4
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.outbound_anomaly_score_level" to "4".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "139"] [id "900003"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b00498; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "217"] [id "900006"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b00498: SecAction "phase:1,auditlog,status:403,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.max_num_args=255
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.max_num_args" to "255".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "217"] [id "900006"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b01160; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "285"] [id "900012"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b01160: SecAction "phase:1,auditlog,status:403,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_methods=GET HEAD POST OPTIONS
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_methods" to "GET HEAD POST OPTIONS".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_request_content_type" to "application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_http_versions" to "HTTP/0.9 HTTP/1.0 HTTP/1.1".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.restricted_extensions" to ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.restricted_headers" to "/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "285"] [id "900012"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b075a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "335"] [id "900014"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b075a0: SecAction "phase:1,auditlog,status:403,id:900014,t:none,setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#',setvar:tx.brute_force_burst_time_slice=60,setvar:tx.brute_force_counter_threshold=10,setvar:tx.brute_force_block_timeout=300,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_protected_urls" to "#/login.jsp# #/partner_login.php#".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_burst_time_slice=60
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_burst_time_slice" to "60".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_counter_threshold=10
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_counter_threshold" to "10".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_block_timeout=300
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_block_timeout" to "300".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "335"] [id "900014"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b0cdd0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b0cdd0: SecAction "phase:1,auditlog,status:403,id:900015,t:none,setvar:tx.dos_burst_time_slice=60,setvar:tx.dos_counter_threshold=100,setvar:tx.dos_block_timeout=600,nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_burst_time_slice=60
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_burst_time_slice" to "60".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_counter_threshold=100
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_counter_threshold" to "100".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_block_timeout=600
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_block_timeout" to "600".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b0ddf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "387"] [id "900017"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b0ddf8: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,status:403,id:900017,t:none,t:lowercase,nolog,pass,chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "application/json; charset=utf-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "text/xml" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=utf-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b11080; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "405"] [id "900018"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b11080: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,status:403,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) sha1: "\x8f\xda\x9f\x02\x9d\xd3\xcc\xfdV\xfeF\xb5\x82\x1ay\xf1\xdf\xe3\xe2m"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) hexEncode: "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.ua_hash=%{matched_var}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var} to: 8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.ua_hash" to "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Pattern match "^(.*)$" at REQUEST_HEADERS:User-Agent. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "405"] [id "900018"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b11ed0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "415"] [id "900019"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b11ed0: SecRule "REQUEST_HEADERS:x-forwarded-for" "@rx ^\\b(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\b" "phase:1,auditlog,status:403,id:900019,t:none,capture,setvar:tx.real_ip=%{tx.1},nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b14f28; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "425"] [id "900020"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b14f28: SecRule "&TX:REAL_IP" "!@eq 0" "phase:1,auditlog,status:403,id:900020,t:none,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash},nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against &TX:REAL_IP.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b15dc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "436"] [id "900021"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b15dc0: SecRule "&TX:REAL_IP" "@eq 0" "phase:1,auditlog,status:403,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &TX:REAL_IP.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name "global", filename "/opt/apache/xxx.yyy-europe.com/modsecdata//global")
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Creating collection (name "global", key "global").
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Setting default timeout collection value 3600.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Added collection "global" to the list.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{remote_addr} to: 10.101.161.59
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.ua_hash} to: 8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name "ip", filename "/opt/apache/xxx.yyy-europe.com/modsecdata//ip")
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__expire_KEY", value "1395248468".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "KEY", value "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "TIMEOUT", value "3600".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__key", value "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__name", value "ip".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "CREATE_TIME", value "1395244868".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "UPDATE_COUNTER", value "1".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "previous_rbl_check", value "1".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__expire_previous_rbl_check", value "1395331268".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "LAST_UPDATE_TIME", value "1395244868".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] collection_retrieve_ex: Retrieved collection (name "ip", key "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d").
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: ip.UPDATE_COUNTER = "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Added collection "ip" to the list.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.real_ip=%{remote_addr}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{remote_addr} to: 10.101.161.59
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.real_ip" to "10.101.161.59".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 0 at TX. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "436"] [id "900021"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b19040; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b19040: SecRule "REQUEST_LINE" "!@rx ^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" "phase:1,log,auditlog,status:403,msg:'Invalid HTTP Request Line',severity:4,id:960911,ver:OWASP_CRS/2.2.9,rev:2,maturity:9,accuracy:9,logdata:%{request_line},block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against REQUEST_LINE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b46e60; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "960016"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b46e60: SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^\\d+$" "phase:1,log,auditlog,status:403,msg:'Content-Length HTTP header is not numeric.',severity:2,id:960016,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^\\d+$" against REQUEST_HEADERS:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b4fb48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "280"] [id "960011"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b4fb48: SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,auditlog,status:403,msg:'GET or HEAD Request with Body Content.',severity:2,id:960011,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b54c58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "312"] [id "960012"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b54c58: SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,auditlog,status:403,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^POST$" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b5edb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "317"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b5edb0: SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b57f38; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "349"] [id "960902"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b57f38: SecRule "REQUEST_HEADERS:Content-Encoding" "@rx ^Identity$" "phase:1,log,auditlog,status:403,msg:'Invalid Use of Identity Encoding.',severity:4,id:960902,ver:OWASP_CRS/2.2.9,rev:2,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b62ea8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "378"] [id "960022"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b62ea8: SecRule "REQUEST_HEADERS:Expect" "@contains 100-continue" "phase:1,log,auditlog,status:403,msg:'Expect Header Not Allowed for HTTP 1.0.',severity:5,id:960022,ver:OWASP_CRS/2.2.9,rev:2,maturity:7,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c80b18; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c80b18: SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:1,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cd13b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "42"] [id "960342"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cd13b8: SecRule "&TX:MAX_FILE_SIZE" "@eq 1" "phase:1,log,auditlog,status:403,chain,t:none,block,msg:'Uploaded file size too large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:MAX_FILE_SIZE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce32f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce32f0: SecRule "REQUEST_METHOD" "!@within %{tx.allowed_methods}" "phase:1,log,auditlog,status:403,t:none,block,msg:'Method is not allowed by policy',logdata:%{matched_var},severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960032,tag:OWASP_CRS/POLICY/METHOD_NOT_ALLOWED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:OWASP_AppSensor/RE1,tag:PCI/12.1,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!within" with param "%{tx.allowed_methods}" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_methods} to: GET HEAD POST OPTIONS
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ceabb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ceabb0: SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,log,auditlog,status:403,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^(?:GET|HEAD|PROPFIND|OPTIONS)$" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce9130; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "65"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce9130: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^([^;\\s]+)" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: application/json
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: application/json
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 35 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce98f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "66"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce98f0: SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^%{tx.allowed_request_content_type}$" against TX:0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_request_content_type} to: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Escaping pattern [^application\/x-www-form-urlencoded|multipart\/form-data|text\/xml|application\/xml|application\/x-amf|application\/json$]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 71 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dfbee0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "119"] [id "950012"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dfbee0: SecRule "REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/'" "@rx ," "phase:1,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:950012,tag:OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING,tag:WASCTC/WASC-26,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "," against REQUEST_HEADERS:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21efa80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "20"] [id "981137"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21efa80: SecRule "IP:PREVIOUS_RBL_CHECK" "@eq 1" "phase:1,auditlog,status:403,id:981137,t:none,nolog,skipAfter:END_RBL_LOOKUP"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against IP:previous_rbl_check.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 1 at IP:previous_rbl_check. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "20"] [id "981137"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 21efa80 id="END_RBL_LOOKUP" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981138" [chained 0] is trying to find the SecMarker="END_RBL_LOOKUP" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981139" [chained 0] is trying to find the SecMarker="END_RBL_LOOKUP" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 21f7508 id="END_RBL_LOOKUP".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_RBL_LOOKUP".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21f7aa0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "26"] [id "981140"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21f7aa0: SecRule "IP:SPAMMER" "@eq 1" "phase:1,status:403,id:981140,t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:AUTOMATION/MALICIOUS,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Second phase starting (dcfg 19a4f98).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Reading request body.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Input filter: Bucket type HEAP contains 51 bytes.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Input filter: Bucket type EOS contains 0 bytes.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Request body no files length: 0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Completed receiving request body (length 51).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase REQUEST_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 309 rule(s).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1adf5f0; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "55"] [id "200001"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1adf5f0: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,auditlog,id:200001,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:%{reqbody_error_msg},severity:2"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against REQBODY_ERROR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aea858; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "76"] [id "200002"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aea858: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,id:200002,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aee8c8; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "81"] [id "200003"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aee8c8: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,id:200003,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aef548; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "95"] [id "200004"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aef548: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,id:200004,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b29518; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "118"] [id "960000"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b29518: SecRule "FILES_NAMES|FILES" "@rx ['\";=]" "phase:2,log,auditlog,status:403,msg:'Attempted multipart/form-data bypass',severity:2,id:960000,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:7,logdata:%{matched_var},block,t:none,t:urlDecodeUni,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b2a5a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "151"] [id "960912"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b2a5a8: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Failed to parse request body.',severity:2,id:960912,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,logdata:%{REQBODY_ERROR_MSG},block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against REQBODY_ERROR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b35820; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "192"] [id "960914"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b35820: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}',severity:2,id:960914,ver:OWASP_CRS/2.2.9,rev:1,maturity:8,accuracy:7,block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b43ef0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "219"] [id "960915"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b43ef0: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Multipart parser detected a possible unmatched boundary.',severity:2,id:960915,ver:OWASP_CRS/2.2.9,rev:1,maturity:8,accuracy:8,block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b67fb8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b67fb8: SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &REQUEST_HEADERS:Pragma.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b81f50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b81f50: SecRule "REQUEST_HEADERS:Range" "@beginsWith bytes=0-" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: field exists and begins with 0.',logdata:%{matched_var},severity:4,id:958291,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b8c980; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "430"] [id "958230"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b8c980: SecRule "REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range" "@rx (\\d+)\\-(\\d+)\\," "phase:2,log,auditlog,status:403,chain,capture,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:%{matched_var},severity:4,id:958230,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bd5c78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "433"] [id "958231"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bd5c78: SecRule "REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range" "@rx ^bytes=(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\," "phase:2,log,auditlog,status:403,capture,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: Too many fields',logdata:%{matched_var},severity:4,id:958231,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1be2008; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "447"] [id "958295"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1be2008: SecRule "REQUEST_HEADERS:Connection" "@rx \\b(keep-alive|close),\\s?(keep-alive|close)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:%{matched_var},id:958295,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(keep-alive|close),\\s?(keep-alive|close)\\b" against REQUEST_HEADERS:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1beafb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "461"] [id "950107"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1beafb0: SecRule "REQUEST_URI" "@rx \\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:950107,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" against REQUEST_URI.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1be56a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "465"] [id "950109"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1be56a8: SecRule "ARGS" "@rx \\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Multiple URL Encoding Detected',id:950109,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bf2050; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "468"] [id "950108"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bf2050: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bf9678; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "482"] [id "950801"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bf9678: SecRule "TX:CRS_VALIDATE_UTF8_ENCODING" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:950801,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bfe258; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "497"] [id "950116"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bfe258: SecRule "REQUEST_URI|REQUEST_BODY" "@rx \\%u[fF]{2}[0-9a-fA-F]{2}" "phase:2,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:950116,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\%u[fF]{2}[0-9a-fA-F]{2}" against REQUEST_URI.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c04498; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "534"] [id "960901"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c04498: SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer" "@validateByteRange 1-255" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,block,msg:'Invalid character in request',id:960901,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:3,t:none,t:urlDecodeUni,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer" to "REQUEST_HEADERS:x-requested-with|REQUEST_HEADERS:Accept-Language|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Accept-Encoding|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Connection|REQUEST_HEADERS:Cache-Control|REQUEST_HEADERS:Cookie".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "XMLHttpRequest"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:x-requested-with.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "XMLHttpRequest"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "en-gb"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "en-gb"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "application/json, text/javascript, */*; q=0.01"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "application/json; charset=UTF-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "gzip, deflate"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "gzip, deflate"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 26 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "xxx.yyy.com"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "51"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "Keep-Alive"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "no-cache"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "no-cache"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE=R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE=R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0b100; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "536"] [id "960018"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0b100: SecRule "TX:PARANOID_MODE" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:7,block,msg:'Invalid character in request',id:960018,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:3,t:none,t:urlDecodeUni"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0e9b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0e9b0: SecRule "&REQUEST_HEADERS:Host" "@eq 0" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing a Host Header',id:960008,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0f780; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "31"] [id "960007"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0f780: SecRule "REQUEST_HEADERS:Host" "@rx ^$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Empty Host Header',id:960007,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1aa98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1aa98: SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^OPTIONS$" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c1aa98 id="END_ACCEPT_CHECK" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1ed10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1ed10: SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1fd00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "50"] [id "960021"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1fd00: SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^OPTIONS$" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c255c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "51"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c255c8: SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c2b0e8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c2b0e8: SecRule "&REQUEST_HEADERS:User-Agent" "@eq 0" "phase:2,log,auditlog,status:403,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing a User Agent Header',id:960009,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:5,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c30188; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "68"] [id "960006"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c30188: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,log,auditlog,status:403,t:none,block,msg:'Empty User Agent Header',id:960006,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA,severity:5,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ca5998; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ca5998: SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Host header is a numeric IP address',logdata:%{matched_var},severity:4,id:960017,tag:OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^[\\d.:]+$" against REQUEST_HEADERS:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cb1b40; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "23"] [id "960209"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cb1b40: SecRule "&TX:ARG_NAME_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Argument name too long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:ARG_NAME_LENGTH.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cb7b48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "27"] [id "960208"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cb7b48: SecRule "&TX:ARG_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Argument value too long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:ARG_LENGTH.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cc6060; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "31"] [id "960335"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cc6060: SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:MAX_NUM_ARGS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cc98c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "32"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cc98c8: SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "%{tx.max_num_args}" against &ARGS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.max_num_args} to: 255
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cca7c0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "35"] [id "960341"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cca7c0: SecRule "&TX:TOTAL_ARG_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Total arguments size exceeded',id:960341,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:TOTAL_ARG_LENGTH.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cd8628; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "47"] [id "960343"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cd8628: SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Total uploaded files size too large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:COMBINED_FILE_SIZES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cf6f10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cf6f10: SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}" "phase:2,log,auditlog,status:403,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960034,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "HTTP/1.1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/0.9 HTTP/1.0 HTTP/1.1
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 24 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cfa440; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cfa440: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,log,auditlog,status:403,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960035,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d02738; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "100"] [id "960038"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d02738: SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:x-requested-with.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: x-requested-with
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: x-requested-with
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 91 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: x-requested-with
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/x-requested-with/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept-Language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept-Language
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept-Language
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept-Language
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept-Language/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Referer.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Referer
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Referer
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Referer
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Referer/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 25 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Content-Type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Content-Type
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Content-Type
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 27 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Content-Type
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Content-Type/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept-Encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept-Encoding
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept-Encoding
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept-Encoding
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept-Encoding/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "User-Agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: User-Agent
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: User-Agent
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 25 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: User-Agent
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/User-Agent/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Host
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Host
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 24 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Host
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Host/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Content-Length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Content-Length
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Content-Length
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Content-Length
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Content-Length/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Connection
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Connection
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 27 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Connection
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Connection/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Cache-Control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Cache-Control
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Cache-Control
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 33 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Cache-Control
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Cache-Control/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Cookie
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Cookie
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 33 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Cookie
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Cookie/".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d0e218; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "101"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d0e218: SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "within" with param "%{tx.restricted_headers}" against TX:header_name.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/Cookie/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.restricted_headers} to: /Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d0b428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "20"] [id "990002"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d0b428: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_35_scanners.data" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990002,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 18 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_35_scanners.data" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d33340; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "22"] [id "990901"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d33340: SecRule "REQUEST_HEADERS_NAMES" "@rx \\bacunetix-product\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990901,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "x-requested-with"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:x-requested-with.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Referer.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d36ad8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "24"] [id "990902"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d36ad8: SecRule "REQUEST_FILENAME" "@pm nessustest appscan_fingerprint" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990902,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "nessustest appscan_fingerprint" against REQUEST_FILENAME.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d3e318; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d3e318: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_35_bad_robots.data" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Rogue web site crawler',id:990012,tag:OWASP_CRS/AUTOMATION/MALICIOUS,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,capture,logdata:%{TX.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_35_bad_robots.data" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 32 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dbea28; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "25"] [id "950907"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dbea28: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:normalisePath,ctl:auditLogParts=+E,msg:'System Command Injection',id:950907,tag:OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) normalisePath: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) normalisePath: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dc9238; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dc9238: SecRule "ARGS" "@rx \\W{4,}" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,id:960024,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dc76a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "51"] [id "950008"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dc76a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'Injection of Undocumented ColdFusion Tags',id:950008,tag:OWASP_CRS/WEB_ATTACK/CF_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dda308; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "65"] [id "950010"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dda308: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'LDAP Injection Attack',id:950010,tag:OWASP_CRS/WEB_ATTACK/LDAP_INJECTION,tag:WASCTC/WASC-29,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1de2220; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "79"] [id "950011"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1de2220: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'SSI injection Attack',id:950011,tag:OWASP_CRS/WEB_ATTACK/SSI_INJECTION,tag:WASCTC/WASC-36,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 36 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 154 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dead10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "93"] [id "950018"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dead10: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:950018,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1df00c0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "103"] [id "950019"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1df00c0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:950019,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dff538; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "134"] [id "950910"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dff538: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [\\n\\r](?:content-(type|length)|set-cookie|location):" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:950910,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 43 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r](?:content-(type|length)|set-cookie|location):" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r](?:content-(type|length)|set-cookie|location):" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e05468; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "136"] [id "950911"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e05468: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:950911,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 25 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e0cdf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "154"] [id "950117"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e0cdf8: SecRule "ARGS" "@rx ^(?i)(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950117,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e0bf50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "157"] [id "950118"] [rev "3"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e0bf50: SecRule "QUERY_STRING|REQUEST_BODY" "@rx (?i:(\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(ht|f)tps?:\\/\\/)" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950118,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e18568; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "160"] [id "950119"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e18568: SecRule "ARGS" "@rx ^(?i)(?:ft|htt)ps?(.*?)\\?+$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950119,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e155f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e155f0: SecRule "ARGS" "@rx ^(?:ht|f)tps?://(.*)$" "phase:2,log,auditlog,status:403,chain,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950120,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e1eee0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "170"] [id "981133"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e1eee0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,auditlog,status:403,id:981133,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_40_generic_attacks.data" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_40_generic_attacks.data" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 9 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1efc9d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "172"] [id "981134"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1efc9d8: SecRule "TX:PM_SCORE" "@eq 0" "phase:2,auditlog,status:403,id:981134,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,skipAfter:END_PM_CHECK,nolog"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1efdab8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "184"] [id "950009"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1efdab8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:950009,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 31 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f060b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "188"] [id "950003"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f060b0: SecRule "ARGS_NAMES" "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:7,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:950003,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f1d1a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "194"] [id "950000"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f1d1a0: SecRule "ARGS_NAMES" "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:7,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:950000,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f2dcc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [rev "3"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f2dcc0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:950005,tag:OWASP_CRS/WEB_ATTACK/FILE_INJECTION,tag:WASCTC/WASC-33,tag:OWASP_TOP_10/A4,tag:PCI/6.5.4,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f3ad80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950002"] [rev "3"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f3ad80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Access',id:950002,tag:OWASP_CRS/WEB_ATTACK/FILE_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f418b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "221"] [id "950006"] [rev "3"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f418b8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:950006,tag:OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f4b830; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f4b830: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <\\?(?!xml)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:959151,severity:2,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 31 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<\\?(?!xml)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 247 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<\\?(?!xml)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f59140; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "233"] [id "958976"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f59140: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:958976,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f62970; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "236"] [id "958977"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f62970: SecRule "QUERY_STRING" "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input" "phase:2,log,auditlog,status:403,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:9,t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:958977,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f78b90; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "48"] [id "981231"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f78b90: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:981231,t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:2,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 9 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f81c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "54"] [id "981260"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f81c80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" "phase:2,log,auditlog,status:403,id:981260,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f868d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "63"] [id "981318"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f868d8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f8e1a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "69"] [id "981319"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f8e1a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:981319,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f9b410; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "76"] [id "950901"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f9b410: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:950901,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fa9e18; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "83"] [id "981320"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fa9e18: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:981320,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_A
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 99 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fb6088; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "90"] [id "981300"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fb6088: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,auditlog,status:403,id:981300,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "select show top distinct from dual where group by order having limit offset union rownum as (case" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "select show top distinct from dual where group by order having limit offset union rownum as (case" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fb3698; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "91"] [id "981301"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fb3698: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord select" "phase:2,auditlog,status:403,id:981301,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc0968; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "92"] [id "981302"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc0968: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord show" "phase:2,auditlog,status:403,id:981302,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc1828; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "93"] [id "981303"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc1828: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord top" "phase:2,auditlog,status:403,id:981303,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc69a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "94"] [id "981304"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc69a8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord distinct" "phase:2,auditlog,status:403,id:981304,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc7890; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "95"] [id "981305"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc7890: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord from" "phase:2,auditlog,status:403,id:981305,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcc960; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "96"] [id "981306"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcc960: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord dual" "phase:2,auditlog,status:403,id:981306,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcd820; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "97"] [id "981307"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcd820: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord where" "phase:2,auditlog,status:403,id:981307,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd0780; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "98"] [id "981308"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd0780: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains group by" "phase:2,auditlog,status:403,id:981308,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd1640; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "99"] [id "981309"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd1640: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains order by" "phase:2,auditlog,status:403,id:981309,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fce500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981310"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fce500: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord having" "phase:2,auditlog,status:403,id:981310,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcf3d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "101"] [id "981311"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcf3d8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord limit" "phase:2,auditlog,status:403,id:981311,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd66f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "102"] [id "981312"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd66f0: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord offset" "phase:2,auditlog,status:403,id:981312,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd75c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "103"] [id "981313"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd75c8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord union" "phase:2,auditlog,status:403,id:981313,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdc560; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "104"] [id "981314"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdc560: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains union all" "phase:2,auditlog,status:403,id:981314,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdd428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "105"] [id "981315"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdd428: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains rownum as" "phase:2,auditlog,status:403,id:981315,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fde2f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "106"] [id "981316"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fde2f0: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains (case" "phase:2,auditlog,status:403,id:981316,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fe5508; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "107"] [id "981317"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fe5508: SecRule "TX:SQLI_SELECT_STATEMENT_COUNT" "@ge 3" "phase:2,log,auditlog,status:403,t:none,block,id:981317,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1febb20; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "115"] [id "950007"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1febb20: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:950007,tag:OWASP_CRS
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ff7800; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "124"] [id "950001"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ff7800: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtim
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|ti
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|ti
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2002a68; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "129"] [id "959070"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2002a68: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959070,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anoma
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2012af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "132"] [id "959071"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2012af8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959071,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 201a908; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "135"] [id "959072"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 201a908: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959072,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2025878; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "139"] [id "950908"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2025878: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via" "@rx (?i:\\b(?:coalesce\\b|root\\@))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:950908,msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:coalesce\\b|root\\@))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:coalesce\\b|root\\@))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 202e658; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "142"] [id "959073"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 202e658: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2037570; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "156"] [id "981172"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2037570: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES" "@rx ([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" "phase:2,log,auditlog,status:403,t:none,t:urlDecodeUni,block,id:981172,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 27 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2043900; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "158"] [id "981173"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2043900: SecRule "ARGS_NAMES|ARGS|XML:/*" "@rx ([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" "phase:2,log,auditlog,status:403,t:none,t:urlDecodeUni,block,id:981173,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2041500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "176"] [id "981272"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2041500: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:981272,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2051328; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "204"] [id "981244"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2051328: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 17 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][<>~]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" a
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][<>~]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" a
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 204bf88; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "206"] [id "981255"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 204bf88: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2060e38; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "208"] [id "981257"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2060e38: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:981257,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2067500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "210"] [id "981248"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2067500: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:981248,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2070058; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "212"] [id "981277"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2070058: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.90738585072007e-308 is the \"magic number\" crash',id:981277,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20720d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "214"] [id "981250"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20720d0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:981250,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 207c848; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "216"] [id "981241"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 207c848: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:981241,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2080440; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "218"] [id "981252"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2080440: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:981252,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 208a848; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "220"] [id "981256"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 208a848: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:981256,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2090d80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "222"] [id "981245"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2090d80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:981245,tag:OWAS
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2095508; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "224"] [id "981276"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2095508: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(union(.*?)select(.*?)from)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:981276,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(union(.*?)select(.*?)from)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(union(.*?)select(.*?)from)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2096c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "226"] [id "981254"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2096c80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:981254,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20a3240; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "228"] [id "981270"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20a3240: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:981270,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20aeef8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "230"] [id "981240"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20aeef8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:981240,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20b2d50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "232"] [id "981249"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20b2d50: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:981249,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:t
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20b7690; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "234"] [id "981253"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20b7690: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:981253,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20c1fa0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "236"] [id "981242"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20c1fa0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 16 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20ca928; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "238"] [id "981246"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20ca928: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20d13a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "240"] [id "981251"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20d13a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:981251,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20d50a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "242"] [id "981247"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20d50a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:981247,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20e19d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "244"] [id "981243"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20e19d8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" "phase:2,log,a
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 59 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20e4b00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20e4b00: SecRule "ARGS" "@rx (?i)(<script[^>]*>[\\s\\S]*?<\\/script[^>]*>|<script[^>]*>[\\s\\S]*?<\\/script[[\\s\\S]]*[\\s\\S]|<script[^>]*>[\\s\\S]*?<\\/script[\\s]*[\\s]|<script[^>]*>[\\s\\S]*?<\\/script|<script[^>]*>[\\s\\S]*?)" "phase:2,deny,auditlog,status:403,id:973336,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f0628; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973337"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f0628: SecRule "ARGS" "@rx (?i)([\\s\"'`;\\/0-9\\=]+on\\w+\\s*=)" "phase:2,deny,auditlog,status:403,id:973337,t:none,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 2: Event Handler Vector',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f7af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "28"] [id "973338"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f7af8: SecRule "ARGS" "@rx (?i)((?:=|U\\s*R\\s*L\\s*\\()\\s*[^>]*\\s*S\\s*C\\s*R\\s*I\\s*P\\s*T\\s*:|&colon;|[\\s\\S]allowscriptaccess[\\s\\S]|[\\s\\S]src[\\s\\S]|[\\s\\S]data:text\\/html[\\s\\S]|[\\s\\S]xlink:href[\\s\\S]|[\\s\\S]base64[\\s\\S]|[\\s\\S]xmlns[\\s\\S]|[\\s\\S]xhtml[\\s\\S]|[\\s\\S]style[\\s\\S]|<style[^>]*>[\\s\\S]*?|[\\s\\S]@import[\\s\\S]|<applet[^>]*>[\\s\\S]*?|<meta[^>]*>[\\s\\S]*?|<object[^>]*>[\\s\\S]*?)" "phase:2,deny,auditlog,status:403,id:973338,t:none,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,msg:'XSS Filter - Category 3: Javascript URI Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.i
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2100708; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "35"] [id "981136"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2100708: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" "phase:2,auditlog,status:403,id:981136,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 32 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 214ea58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "37"] [id "981018"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 214ea58: SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,auditlog,status:403,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &TX:PM_XSS_SCORE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 0 at TX. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "37"] [id "981018"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 214ea58 id="END_XSS_CHECK" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958016" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958414" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958032" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958026" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958027" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958054" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958418" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958034" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958019" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958013" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958408" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958012" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958423" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958002" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958017" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958007" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958047" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958410" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958415" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958022" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958405" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958419" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958028" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958057" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958031" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958006" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958033" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958038" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958409" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958001" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958005" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958404" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958023" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958010" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958411" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958422" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958036" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958000" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958018" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958406" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958040" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958052" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958037" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958049" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958030" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958041" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958416" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958024" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958059" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958417" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958020" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958045" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958004" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958421" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958009" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958025" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958413" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958051" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958420" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958407" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958056" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958011" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958412" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958008" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958046" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958039" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958003" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 1d23298 id="END_XSS_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_XSS_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d33da8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "301"] [id "973300"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d33da8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973300,capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d42918; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "304"] [id "973301"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d42918: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\ballowscriptaccess\\b|\\brel\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973301,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\ballowscriptaccess\\b|\\brel\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\ballowscriptaccess\\b|\\brel\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d558b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "309"] [id "973302"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d558b0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx .+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973302,capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param ".+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param ".+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d76fb8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "317"] [id "973303"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d76fb8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973303,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1da1e00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "333"] [id "973304"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1da1e00: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973304,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dca398; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "351"] [id "973305"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dca398: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (asfunction|javascript|vbscript|data|mocha|livescript):" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973305,capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeNulls: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 38 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(asfunction|javascript|vbscript|data|mocha|livescript):" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeNulls: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 39 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(asfunction|javascript|vbscript|data|mocha|livescript):" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dde428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "359"] [id "973306"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dde428: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bstyle\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973306,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bstyle\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bstyle\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e028c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "391"] [id "973307"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e028c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (fromcharcode|alert|eval)\\s*\\(" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973307,capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(fromcharcode|alert|eval)\\s*\\(" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(fromcharcode|alert|eval)\\s*\\(" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e28f48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "417"] [id "973308"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e28f48: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973308,capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cssDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 48 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cssDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 47 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e6d5e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "421"] [id "973309"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e6d5e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!\\[cdata\\[|\\]\\]>" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973309,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!\\[cdata\\[|\\]\\]>" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!\\[cdata\\[|\\]\\]>" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e83cc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "432"] [id "973310"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e83cc0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [/'\"<]xss[/'\">]" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973310,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[/'\"<]xss[/'\">]" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[/'\"<]xss[/'\">]" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e904b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "437"] [id "973311"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e904b8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (88,83,83)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973311,capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(88,83,83)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(88,83,83)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e9f158; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "442"] [id "973312"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e9f158: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx '';!--\"<xss>=&{()}" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973312,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "'';!--\"<xss>=&{()}" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "'';!--\"<xss>=&{()}" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ecabf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "447"] [id "973313"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ecabf8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx &{" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973313,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "&{" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "&{" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ee14e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "464"] [id "973314"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ee14e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!(doctype|entity)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973314,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!(doctype|entity)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!(doctype|entity)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ef8430; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "472"] [id "973331"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ef8430: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<script.*?>)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973331,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?>)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?>)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f07d08; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "474"] [id "973315"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f07d08: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973315,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f2fc70; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "476"] [id "973330"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f2fc70: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973330,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f47600; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "478"] [id "973327"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f47600: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973327,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f5d3e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "480"] [id "973326"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f5d3e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973326,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f72ef8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "482"] [id "973346"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f72ef8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 76 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" agai
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" agai
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f97dc8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "484"] [id "973345"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f97dc8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973345,capture,logdata:'Matc
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fbd878; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "486"] [id "973324"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fbd878: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973324,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 56 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdb528; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "488"] [id "973323"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdb528: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973323,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ffee08; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "490"] [id "973322"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ffee08: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973322,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2014a78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "492"] [id "973348"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2014a78: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<META[ /+\\t].*?charset[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973348,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?charset[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?charset[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2030b88; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "494"] [id "973321"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2030b88: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973321,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 95 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 202b470; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "496"] [id "973320"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 202b470: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973320,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 70 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 205d7c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "498"] [id "973318"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 205d7c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<APPLET[ /+\\t>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973318,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<APPLET[ /+\\t>])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<APPLET[ /+\\t>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2077128; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "500"] [id "973317"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2077128: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973317,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2099650; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "504"] [id "973347"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2099650: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973347,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWA
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 49 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20c0ad0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20c0ad0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973335,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 53 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20da648; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20da648: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973334,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 228 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f81c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f81c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973333,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 48 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2116d98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "512"] [id "973344"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2116d98: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973344,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2132b78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "514"] [id "973332"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2132b78: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973332,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critic
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 108 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2152030; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "516"] [id "973329"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2152030: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<form.*?>)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973329,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<form.*?>)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<form.*?>)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2169558; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "518"] [id "973328"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2169558: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<isindex[ /+\\t>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973328,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<isindex[ /+\\t>])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<isindex[ /+\\t>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2187608; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2187608: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973316,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21a5338; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "522"] [id "973325"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21a5338: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973325,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 50 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21cace8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "524"] [id "973319"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21cace8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973319,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 19 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2208750; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "31"] [id "958297"] [rev "2.2.9"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2208750: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_42_comment_spam.data" "phase:2,status:404,chain,rev:2.2.9,t:none,t:lowercase,pass,nolog,auditlog,msg:'Common SPAM/Email Harvester crawler',id:958297,tag:AUTOMATION/MALICIOUS,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 24 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_42_comment_spam.data" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.msg=%{rule.msg}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{rule.msg} to: Common SPAM/Email Harvester crawler
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.msg" to "Common SPAM/Email Harvester crawler".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.automation_score=+%{tx.warning_anomaly_score}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: tx.automation_score = "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.warning_anomaly_score} to: 3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Relative change: automation_score=0+3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.automation_score" to "3".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.anomaly_score=+%{tx.warning_anomaly_score}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: tx.anomaly_score = "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.warning_anomaly_score} to: 3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Relative change: anomaly_score=0+3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.anomaly_score" to "3".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{rule.id} to: 958297
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var_name} to: REQUEST_HEADERS:User-Agent
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var} to: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.958297-AUTOMATION/MALICIOUS-REQUEST_HEADERS:User-Agent" to "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 22548b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "32"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 22548b8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(?:m(?:o(?:zilla\\/4\\.0\\+?\\(|vable type)|i(?:crosoft url|ssigua)|j12bot\\/v1\\.0\\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\\/| )1\\.)|c(?:ore-project\\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\\/|httpproxy|<sc)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(?:m(?:o(?:zilla\\/4\\.0\\+?\\(|vable type)|i(?:crosoft url|ssigua)|j12bot\\/v1\\.0\\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\\/| )1\\.)|c(?:ore-project\\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\\/|httpproxy|<sc)" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 225c598; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "36"] [id "999010"] [rev "2.2.9"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 225c598: SecRule "ARGS|ARGS_NAMES" "@rx \\bhttp:" "phase:2,auditlog,status:403,rev:2.2.9,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,id:999010,severity:6"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 226de20; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "38"] [id "999011"] [rev "2.2.9"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 226de20: SecAction "phase:2,auditlog,status:403,id:999011,rev:2.2.9,nolog,skipAfter:END_COMMENT_SPAM"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "38"] [id "999011"] [rev "2.2.9"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 226de20 id="END_COMMENT_SPAM" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="950923" [chained 0] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="950020" [chained 0] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 2304710 id="END_COMMENT_SPAM".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_COMMENT_SPAM".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2304e78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2304e78: SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@rx (?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:7,t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:950103,severity:2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" to "REQUEST_URI|REQUEST_HEADERS:x-requested-with|REQUEST_HEADERS:Accept-Language|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Accept-Encoding|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Connection|REQUEST_HEADERS:Cache-Control|REQUEST_HEADERS:Cookie".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_URI.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:x-requested-with.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "XMLHttpRequest"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "en-gb"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 15 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "gzip, deflate"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "no-cache"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 7 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE=R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2313478; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "31"] [id "950110"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2313478: SecRule "REQUEST_HEADERS_NAMES" "@rx x_(?:key|file)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950110,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "x-requested-with"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:x-requested-with.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 63 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Referer.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 231ddc8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "33"] [id "950921"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 231ddc8: SecRule "REQUEST_FILENAME" "@rx root\\.exe" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950921,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 97 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "root\\.exe" against REQUEST_FILENAME.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b750d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "16"] [id "981020"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b750d8: SecRule "REQUEST_LINE" "@rx ^GET /$" "phase:2,auditlog,status:403,chain,id:981020,t:none,pass,nolog"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^GET /$" against REQUEST_LINE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b83748; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "24"] [id "981021"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b83748: SecRule "REQUEST_LINE" "@rx ^(GET /|OPTIONS \\*) HTTP/1.0$" "phase:2,auditlog,status:403,chain,id:981021,t:none,pass,nolog"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(GET /|OPTIONS \\*) HTTP/1.0$" against REQUEST_LINE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b905f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "34"] [id "981022"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b905f0: SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,status:403,chain,id:981022,t:none,pass,nolog"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "streq" with param "POST" against REQUEST_METHOD.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b90f70; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "35"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b90f70: SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" "chain,t:none"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "contains" with param "Adobe Flash Player" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b99c68; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "19"] [id "981175"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b99c68: SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,auditlog,status:403,chain,id:981175,t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_tx_msg=%{tx.msg}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.msg} to: Common SPAM/Email Harvester crawler
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_tx_msg" to "Common SPAM/Email Harvester crawler".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=%{tx.anomaly_score}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.anomaly_score} to: 3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "3".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9ae98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "20"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9ae98: SecRule "RESOURCE:OSVDB_VULNERABLE" "@eq 1" "chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9db30; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9db30: SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,auditlog,status:403,chain,id:981176,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_tx_msg=%{tx.msg}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.msg} to: Common SPAM/Email Harvester crawler
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_tx_msg" to "Common SPAM/Email Harvester crawler".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=%{tx.anomaly_score}
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.anomaly_score} to: 3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "3".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9fba8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "27"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9fba8: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_level}" against TX:anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_anomaly_score_level} to: 5
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 38 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Hook insert_filter: Adding input forwarding filter (r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Hook insert_filter: Adding output filter (r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=16384 (f 7fbe180018d0, r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Forwarded 51 bytes.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Sent EOS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Input forwarding complete.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase RESPONSE_HEADERS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 23 rule(s).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Not buffering response body for unconfigured MIME type "application/json".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Content Injection: Not enabled.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Completed receiving response body (non-buffering).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 62 rule(s).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b701d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "35"] [id "950922"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b701d0: SecRule "RESPONSE_BODY" "@rx (?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)|vayv)|myshell)|\\b(?:(?:(?:microsoft windows\\b.{0,10}?\\bversion\\b.{0,20}?\\(c\\) copyright 1985-.{0,10}?\\bmicrosoft corp|ntdaddy v1\\.9 - obzerve \\| fux0r inc)\\.|(?:www\\.sanalteror\\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\\b|aventgrup\\.<br>|drwxr))" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950922,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)|vayv)|myshell)|\\b(?:(?:(?:microsoft windows\\b.{0,10}?\\bversion\\b.{0,20}?\\(c\\) copyright 1985-.{0,10}?\\bmicrosoft corp|ntdaddy v1\\.9 - obzerve \\| fux0r inc)\\.|(?:www\\.sanalteror\\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\\b|aventgrup\\.<br>|drwxr))" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ba1000; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "20"] [id "970007"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ba1000: SecRule "RESPONSE_BODY" "@rx <h2>Site Error<\\/h2>.{0,20}<p>An error was encountered while publishing this resource\\." "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970007,tag:OWASP_CRS/LEAKAGE/ERRORS_ZOPE,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<h2>Site Error<\\/h2>.{0,20}<p>An error was encountered while publishing this resource\\." against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ba9238; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "24"] [id "970008"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ba9238: SecRule "RESPONSE_BODY" "@rx \\bThe error occurred in\\b.{0,100}: line\\b.{0,1000}\\bColdFusion\\b.*?\\bStack Trace \\(click to expand\\)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970008,tag:OWASP_CRS/LEAKAGE/ERRORS_CF,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bThe error occurred in\\b.{0,100}: line\\b.{0,1000}\\bColdFusion\\b.*?\\bStack Trace \\(click to expand\\)" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1baf9a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "28"] [id "970009"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1baf9a8: SecRule "RESPONSE_BODY" "@rx <b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970009,tag:OWASP_CRS/LEAKAGE/ERRORS_PHP,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bb6348; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "32"] [id "970010"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bb6348: SecRule "RESPONSE_BODY" "@rx \\b403 Forbidden\\b.*?\\bInternet Security and Acceleration Server\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970010,tag:MISCONFIGURATION,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b403 Forbidden\\b.*?\\bInternet Security and Acceleration Server\\b" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bbc768; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "36"] [id "970012"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bbc768: SecRule "RESPONSE_BODY" "@rx <o:documentproperties>" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970012,tag:OWASP_CRS/LEAKAGE/INFO_STATISTICS,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<o:documentproperties>" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bc4af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bc4af8: SecRule "RESPONSE_BODY" "@rx \\<\\%" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970903,tag:OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\<\\%" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bc3198; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "45"] [id "970016"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bc3198: SecRule "RESPONSE_BODY" "@rx <cf" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970016,tag:OWASP_CRS/LEAKAGE/SOURCE_CODE_CF,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<cf" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bcb1d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "49"] [id "970018"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bcb1d0: SecRule "RESPONSE_BODY" "@rx [a-z]:\\\\inetpub\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,t:lowercase,ctl:auditLogParts=+E,block,msg:'IIS installed in default location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970018,severity:3,chain"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 9 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[a-z]:\\\\inetpub\\b" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bd25e8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bd25e8: SecRule "RESPONSE_STATUS" "@rx ^5\\d{2}$" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970901,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^5\\d{2}$" against RESPONSE_STATUS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "200"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c33700; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "55"] [id "970118"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c33700: SecRule "RESPONSE_BODY" "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error<\\/h1>.*?<h2>part of the server has crashed or it has a configuration error\\.<\\/h2>|cannot connect to the server: timed out)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970118,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:Microsoft OLE DB Provider for SQL Server(?:<\\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error<\\/h1>.*?<h2>part of the server has crashed or it has a configuration error\\.<\\/h2>|cannot connect to the server: timed out)" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c38020; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "58"] [id "970021"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c38020: SecRule "RESPONSE_STATUS" "@rx ^500$" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970021,severity:3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^500$" against RESPONSE_STATUS.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "200"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c3d3a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "62"] [id "970011"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c3d3a8: SecRule "RESPONSE_BODY" "@rx href\\s?=[\\s\"\\']*[A-Za-z]\\:\\x5c([^\"\\']+)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,capture,t:none,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970011,tag:OWASP_CRS/LEAKAGE/INFO_FILE,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "href\\s?=[\\s\"\\']*[A-Za-z]\\:\\x5c([^\"\\']+)" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c458d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "69"] [id "981177"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c458d0: SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!pm" with param "iframe" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Match of "pm iframe" against "RESPONSE_BODY" required. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "69"] [id "981177"] [rev "2"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "6"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c458d0 id="END_IFRAME_CHECK" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981000" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981001" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981003" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 1c59608 id="END_IFRAME_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_IFRAME_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c59c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "84"] [id "981004"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c59c80: SecRule "RESPONSE_BODY" "@rx (?i)(String\\.fromCharCode\\(.*?){4,}" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981004,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(String\\.fromCharCode\\(.*?){4,}" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c5daa8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "87"] [id "981005"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c5daa8: SecRule "RESPONSE_BODY" "@rx (?i)(eval\\(.{0,15}unescape\\()" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981005,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(eval\\(.{0,15}unescape\\()" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c65a80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "90"] [id "981006"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c65a80: SecRule "RESPONSE_BODY" "@rx (?i)(var[^=]+=\\s*unescape\\s*;)" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981006,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(var[^=]+=\\s*unescape\\s*;)" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c6bab8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "93"] [id "981007"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c6bab8: SecRule "RESPONSE_BODY" "@rx (?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981007,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c719b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "102"] [id "981178"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c719b8: SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 24 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!pmFromFile" with param "modsecurity_50_outbound.data" against RESPONSE_BODY.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: ""
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Match of "pmFromFile modsecurity_50_outbound.data" against "RESPONSE_BODY" required. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "102"] [id "981178"] [rev "2"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c719b8 id="END_OUTBOUND_CHECK" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970014" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970015" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970902" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970002" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970003" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970004" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970904" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970013" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 227ead0 id="END_OUTBOUND_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_OUTBOUND_CHECK".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 227efe8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_59_outbound_blocking.conf"] [line "24"] [id "981200"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 227efe8: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:4,log,auditlog,status:403,chain,id:981200,t:none,deny,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "%{tx.outbound_anomaly_score_level}" against TX:outbound_anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.outbound_anomaly_score_level} to: 4
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 17 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Output forwarding complete.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Initialising logging.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase LOGGING.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 32 rule(s).
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b28638; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "82"] [id "981227"] [rev "1"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b28638: SecRule "WEBSERVER_ERROR_LOG" "@contains Invalid URI in request" "phase:5,log,auditlog,status:403,msg:'Apache Error: Invalid URI in Request.',severity:4,id:981227,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,logdata:%{request_line},pass,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2281070; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "22"] [id "981201"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2281070: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,auditlog,status:403,chain,id:981201,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2285330; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "29"] [id "981202"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2285330: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,auditlog,status:403,chain,id:981202,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 228b928; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 228b928: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,status:403,chain,id:981203,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:inbound_anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 228b928 id="END_CORRELATION" -> mode SKIP_RULES.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 228cc30; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "34"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 228cc30: SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_level}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "lt" with param "%{tx.inbound_anomaly_score_level}" against TX:inbound_anomaly_score.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_anomaly_score_level} to: 5
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 50 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.INBOUND_ANOMALY_SCORE} to: 3
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.SQL_INJECTION_SCORE} to: 0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.XSS_SCORE} to: 0
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_tx_msg} to: Common SPAM/Email Harvester crawler
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][2] Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981204" [chained 0] is trying to find the SecMarker="END_CORRELATION" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981205" [chained 0] is trying to find the SecMarker="END_CORRELATION" [stater 0]
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 22916f0 id="END_CORRELATION".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_CORRELATION".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recording persistent data took 0 microseconds.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Audit log: Ignoring a non-relevant request.