Created March 20, 2014 16:54
Post body inspection does not work
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Initialising transaction (txid UynEl6wQGYEAADhVCKwAAACR). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Adding request cookie: name "ACE_COOKIE", value "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transaction context created (dcfg 19a4f98). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase REQUEST_HEADERS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 60 rule(s). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ade6f0; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "24"] [id "200000"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ade6f0: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "application/json; charset=utf-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 18 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "text/xml" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=utf-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af28b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "98"] [id "900001"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af28b8: SecAction "phase:1,auditlog,status:403,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.critical_anomaly_score=5 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.critical_anomaly_score" to "5". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.error_anomaly_score=4 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.error_anomaly_score" to "4". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.warning_anomaly_score=3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.warning_anomaly_score" to "3". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.notice_anomaly_score=2 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.notice_anomaly_score" to "2". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "98"] [id "900001"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af3c58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "129"] [id "900002"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af3c58: SecAction "phase:1,auditlog,status:403,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.anomaly_score=0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.anomaly_score" to "0". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.sql_injection_score=0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.sql_injection_score" to "0". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.xss_score=0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.xss_score" to "0". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "0". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.outbound_anomaly_score=0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.outbound_anomaly_score" to "0". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "129"] [id "900002"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1af7320; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "139"] [id "900003"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1af7320: SecAction "phase:1,auditlog,status:403,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score_level=5 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score_level" to "5". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.outbound_anomaly_score_level=4 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.outbound_anomaly_score_level" to "4". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "139"] [id "900003"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b00498; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "217"] [id "900006"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b00498: SecAction "phase:1,auditlog,status:403,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.max_num_args=255 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.max_num_args" to "255". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "217"] [id "900006"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b01160; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "285"] [id "900012"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b01160: SecAction "phase:1,auditlog,status:403,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_methods=GET HEAD POST OPTIONS | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_methods" to "GET HEAD POST OPTIONS". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_request_content_type" to "application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.allowed_http_versions" to "HTTP/0.9 HTTP/1.0 HTTP/1.1". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.restricted_extensions" to ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.restricted_headers" to "/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "285"] [id "900012"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b075a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "335"] [id "900014"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b075a0: SecAction "phase:1,auditlog,status:403,id:900014,t:none,setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#',setvar:tx.brute_force_burst_time_slice=60,setvar:tx.brute_force_counter_threshold=10,setvar:tx.brute_force_block_timeout=300,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php# | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_protected_urls" to "#/login.jsp# #/partner_login.php#". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_burst_time_slice=60 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_burst_time_slice" to "60". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_counter_threshold=10 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_counter_threshold" to "10". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.brute_force_block_timeout=300 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.brute_force_block_timeout" to "300". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "335"] [id "900014"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b0cdd0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b0cdd0: SecAction "phase:1,auditlog,status:403,id:900015,t:none,setvar:tx.dos_burst_time_slice=60,setvar:tx.dos_counter_threshold=100,setvar:tx.dos_block_timeout=600,nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_burst_time_slice=60 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_burst_time_slice" to "60". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_counter_threshold=100 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_counter_threshold" to "100". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.dos_block_timeout=600 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.dos_block_timeout" to "600". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "355"] [id "900015"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b0ddf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "387"] [id "900017"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b0ddf8: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,status:403,id:900017,t:none,t:lowercase,nolog,pass,chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "application/json; charset=utf-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "text/xml" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=utf-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b11080; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "405"] [id "900018"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b11080: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,status:403,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) sha1: "\x8f\xda\x9f\x02\x9d\xd3\xcc\xfdV\xfeF\xb5\x82\x1ay\xf1\xdf\xe3\xe2m" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) hexEncode: "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.ua_hash=%{matched_var} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var} to: 8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.ua_hash" to "8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Pattern match "^(.*)$" at REQUEST_HEADERS:User-Agent. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "405"] [id "900018"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b11ed0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "415"] [id "900019"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b11ed0: SecRule "REQUEST_HEADERS:x-forwarded-for" "@rx ^\\b(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\b" "phase:1,auditlog,status:403,id:900019,t:none,capture,setvar:tx.real_ip=%{tx.1},nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b14f28; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "425"] [id "900020"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b14f28: SecRule "&TX:REAL_IP" "!@eq 0" "phase:1,auditlog,status:403,id:900020,t:none,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash},nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against &TX:REAL_IP. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b15dc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "436"] [id "900021"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b15dc0: SecRule "&TX:REAL_IP" "@eq 0" "phase:1,auditlog,status:403,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &TX:REAL_IP. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name "global", filename "/opt/apache/xxx.yyy-europe.com/modsecdata//global") | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Creating collection (name "global", key "global"). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Setting default timeout collection value 3600. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: global.UPDATE_COUNTER = "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Added collection "global" to the list. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{remote_addr} to: 10.101.161.59 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.ua_hash} to: 8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name "ip", filename "/opt/apache/xxx.yyy-europe.com/modsecdata//ip") | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__expire_KEY", value "1395248468". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "KEY", value "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "TIMEOUT", value "3600". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__key", value "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__name", value "ip". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "CREATE_TIME", value "1395244868". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "UPDATE_COUNTER", value "1". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "previous_rbl_check", value "1". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "__expire_previous_rbl_check", value "1395331268". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] collection_unpack: Read variable: name "LAST_UPDATE_TIME", value "1395244868". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] collection_retrieve_ex: Retrieved collection (name "ip", key "10.101.161.59_8fda9f029dd3ccfd56fe46b5821a79f1dfe3e26d"). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: ip.UPDATE_COUNTER = "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Added collection "ip" to the list. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.real_ip=%{remote_addr} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{remote_addr} to: 10.101.161.59 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.real_ip" to "10.101.161.59". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 0 at TX. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_10_setup.conf"] [line "436"] [id "900021"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b19040; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b19040: SecRule "REQUEST_LINE" "!@rx ^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" "phase:1,log,auditlog,status:403,msg:'Invalid HTTP Request Line',severity:4,id:960911,ver:OWASP_CRS/2.2.9,rev:2,maturity:9,accuracy:9,logdata:%{request_line},block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against REQUEST_LINE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b46e60; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "960016"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b46e60: SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^\\d+$" "phase:1,log,auditlog,status:403,msg:'Content-Length HTTP header is not numeric.',severity:2,id:960016,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^\\d+$" against REQUEST_HEADERS:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b4fb48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "280"] [id "960011"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b4fb48: SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,auditlog,status:403,msg:'GET or HEAD Request with Body Content.',severity:2,id:960011,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b54c58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "312"] [id "960012"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b54c58: SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,auditlog,status:403,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^POST$" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b5edb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "317"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b5edb0: SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b57f38; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "349"] [id "960902"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b57f38: SecRule "REQUEST_HEADERS:Content-Encoding" "@rx ^Identity$" "phase:1,log,auditlog,status:403,msg:'Invalid Use of Identity Encoding.',severity:4,id:960902,ver:OWASP_CRS/2.2.9,rev:2,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b62ea8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "378"] [id "960022"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b62ea8: SecRule "REQUEST_HEADERS:Expect" "@contains 100-continue" "phase:1,log,auditlog,status:403,msg:'Expect Header Not Allowed for HTTP 1.0.',severity:5,id:960022,ver:OWASP_CRS/2.2.9,rev:2,maturity:7,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c80b18; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c80b18: SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:1,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cd13b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "42"] [id "960342"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cd13b8: SecRule "&TX:MAX_FILE_SIZE" "@eq 1" "phase:1,log,auditlog,status:403,chain,t:none,block,msg:'Uploaded file size too large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:MAX_FILE_SIZE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce32f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce32f0: SecRule "REQUEST_METHOD" "!@within %{tx.allowed_methods}" "phase:1,log,auditlog,status:403,t:none,block,msg:'Method is not allowed by policy',logdata:%{matched_var},severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960032,tag:OWASP_CRS/POLICY/METHOD_NOT_ALLOWED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:OWASP_AppSensor/RE1,tag:PCI/12.1,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!within" with param "%{tx.allowed_methods}" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_methods} to: GET HEAD POST OPTIONS | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ceabb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ceabb0: SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,log,auditlog,status:403,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^(?:GET|HEAD|PROPFIND|OPTIONS)$" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce9130; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "65"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce9130: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^([^;\\s]+)" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: application/json | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: application/json | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 35 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ce98f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "66"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ce98f0: SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^%{tx.allowed_request_content_type}$" against TX:0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_request_content_type} to: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Escaping pattern [^application\/x-www-form-urlencoded|multipart\/form-data|text\/xml|application\/xml|application\/x-amf|application\/json$] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 71 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dfbee0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "119"] [id "950012"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dfbee0: SecRule "REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/'" "@rx ," "phase:1,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:950012,tag:OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING,tag:WASCTC/WASC-26,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "," against REQUEST_HEADERS:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21efa80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "20"] [id "981137"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21efa80: SecRule "IP:PREVIOUS_RBL_CHECK" "@eq 1" "phase:1,auditlog,status:403,id:981137,t:none,nolog,skipAfter:END_RBL_LOOKUP" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against IP:previous_rbl_check. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 1 at IP:previous_rbl_check. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "20"] [id "981137"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 21efa80 id="END_RBL_LOOKUP" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981138" [chained 0] is trying to find the SecMarker="END_RBL_LOOKUP" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981139" [chained 0] is trying to find the SecMarker="END_RBL_LOOKUP" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 21f7508 id="END_RBL_LOOKUP". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_RBL_LOOKUP". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21f7aa0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "26"] [id "981140"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21f7aa0: SecRule "IP:SPAMMER" "@eq 1" "phase:1,status:403,id:981140,t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:AUTOMATION/MALICIOUS,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Second phase starting (dcfg 19a4f98). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Reading request body. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Input filter: Bucket type HEAP contains 51 bytes. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Input filter: Bucket type EOS contains 0 bytes. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Request body no files length: 0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Completed receiving request body (length 51). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase REQUEST_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 309 rule(s). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1adf5f0; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "55"] [id "200001"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1adf5f0: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,auditlog,id:200001,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:%{reqbody_error_msg},severity:2" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against REQBODY_ERROR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aea858; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "76"] [id "200002"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aea858: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,id:200002,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aee8c8; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "81"] [id "200003"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aee8c8: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,id:200003,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1aef548; [file "/opt/apache/common_modsecurity/modsecconf/modsecurity-recommended.conf"] [line "95"] [id "200004"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1aef548: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,id:200004,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b29518; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "118"] [id "960000"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b29518: SecRule "FILES_NAMES|FILES" "@rx ['\";=]" "phase:2,log,auditlog,status:403,msg:'Attempted multipart/form-data bypass',severity:2,id:960000,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:7,logdata:%{matched_var},block,t:none,t:urlDecodeUni,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b2a5a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "151"] [id "960912"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b2a5a8: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Failed to parse request body.',severity:2,id:960912,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,logdata:%{REQBODY_ERROR_MSG},block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against REQBODY_ERROR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b35820; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "192"] [id "960914"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b35820: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}',severity:2,id:960914,ver:OWASP_CRS/2.2.9,rev:1,maturity:8,accuracy:7,block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b43ef0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "219"] [id "960915"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b43ef0: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,log,auditlog,status:403,msg:'Multipart parser detected a possible unmatched boundary.',severity:2,id:960915,ver:OWASP_CRS/2.2.9,rev:1,maturity:8,accuracy:8,block,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b67fb8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b67fb8: SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &REQUEST_HEADERS:Pragma. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b81f50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b81f50: SecRule "REQUEST_HEADERS:Range" "@beginsWith bytes=0-" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: field exists and begins with 0.',logdata:%{matched_var},severity:4,id:958291,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b8c980; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "430"] [id "958230"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b8c980: SecRule "REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range" "@rx (\\d+)\\-(\\d+)\\," "phase:2,log,auditlog,status:403,chain,capture,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:%{matched_var},severity:4,id:958230,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bd5c78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "433"] [id "958231"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bd5c78: SecRule "REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range" "@rx ^bytes=(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\,\\s?(\\d+)?\\-(\\d+)?\\," "phase:2,log,auditlog,status:403,capture,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Range: Too many fields',logdata:%{matched_var},severity:4,id:958231,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1be2008; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "447"] [id "958295"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1be2008: SecRule "REQUEST_HEADERS:Connection" "@rx \\b(keep-alive|close),\\s?(keep-alive|close)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:%{matched_var},id:958295,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(keep-alive|close),\\s?(keep-alive|close)\\b" against REQUEST_HEADERS:Connection. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1beafb0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "461"] [id "950107"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1beafb0: SecRule "REQUEST_URI" "@rx \\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:950107,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" against REQUEST_URI. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1be56a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "465"] [id "950109"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1be56a8: SecRule "ARGS" "@rx \\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'Multiple URL Encoding Detected',id:950109,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bf2050; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "468"] [id "950108"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bf2050: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bf9678; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "482"] [id "950801"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bf9678: SecRule "TX:CRS_VALIDATE_UTF8_ENCODING" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:950801,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bfe258; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "497"] [id "950116"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bfe258: SecRule "REQUEST_URI|REQUEST_BODY" "@rx \\%u[fF]{2}[0-9a-fA-F]{2}" "phase:2,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:950116,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\%u[fF]{2}[0-9a-fA-F]{2}" against REQUEST_URI. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c04498; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "534"] [id "960901"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c04498: SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer" "@validateByteRange 1-255" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,block,msg:'Invalid character in request',id:960901,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:3,t:none,t:urlDecodeUni,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer" to "REQUEST_HEADERS:x-requested-with|REQUEST_HEADERS:Accept-Language|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Accept-Encoding|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Connection|REQUEST_HEADERS:Cache-Control|REQUEST_HEADERS:Cookie". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "XMLHttpRequest" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:x-requested-with. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "XMLHttpRequest" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "en-gb" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept-Language. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "en-gb" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "application/json, text/javascript, */*; q=0.01" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "application/json; charset=UTF-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "gzip, deflate" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Accept-Encoding. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "gzip, deflate" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 26 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "xxx.yyy.com" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "51" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "Keep-Alive" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Connection. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "no-cache" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Cache-Control. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "no-cache" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE=R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "validateByteRange" with param "1-255" against REQUEST_HEADERS:Cookie. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE=R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0b100; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "536"] [id "960018"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0b100: SecRule "TX:PARANOID_MODE" "@eq 1" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:7,block,msg:'Invalid character in request',id:960018,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:3,t:none,t:urlDecodeUni" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0e9b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0e9b0: SecRule "&REQUEST_HEADERS:Host" "@eq 0" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing a Host Header',id:960008,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c0f780; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "31"] [id "960007"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c0f780: SecRule "REQUEST_HEADERS:Host" "@rx ^$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Empty Host Header',id:960007,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST,severity:4,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1aa98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1aa98: SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^OPTIONS$" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c1aa98 id="END_ACCEPT_CHECK" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1ed10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1ed10: SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c1fd00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "50"] [id "960021"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c1fd00: SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!rx" with param "^OPTIONS$" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c255c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "51"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c255c8: SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c2b0e8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c2b0e8: SecRule "&REQUEST_HEADERS:User-Agent" "@eq 0" "phase:2,log,auditlog,status:403,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing a User Agent Header',id:960009,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:5,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c30188; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "68"] [id "960006"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c30188: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,log,auditlog,status:403,t:none,block,msg:'Empty User Agent Header',id:960006,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA,severity:5,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^$" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ca5998; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ca5998: SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d.:]+$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Host header is a numeric IP address',logdata:%{matched_var},severity:4,id:960017,tag:OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^[\\d.:]+$" against REQUEST_HEADERS:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cb1b40; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "23"] [id "960209"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cb1b40: SecRule "&TX:ARG_NAME_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Argument name too long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:ARG_NAME_LENGTH. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cb7b48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "27"] [id "960208"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cb7b48: SecRule "&TX:ARG_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Argument value too long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:ARG_LENGTH. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cc6060; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "31"] [id "960335"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cc6060: SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:MAX_NUM_ARGS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cc98c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "32"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cc98c8: SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "%{tx.max_num_args}" against &ARGS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.max_num_args} to: 255 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cca7c0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "35"] [id "960341"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cca7c0: SecRule "&TX:TOTAL_ARG_LENGTH" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Total arguments size exceeded',id:960341,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:TOTAL_ARG_LENGTH. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cd8628; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "47"] [id "960343"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cd8628: SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'Total uploaded files size too large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "1" against &TX:COMBINED_FILE_SIZES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cf6f10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cf6f10: SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}" "phase:2,log,auditlog,status:403,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960034,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "HTTP/1.1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/0.9 HTTP/1.0 HTTP/1.1 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 24 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1cfa440; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1cfa440: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,log,auditlog,status:403,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:2,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960035,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d02738; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "100"] [id "960038"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d02738: SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,auditlog,status:403,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:x-requested-with. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: x-requested-with | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: x-requested-with | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 91 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: x-requested-with | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/x-requested-with/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept-Language. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept-Language" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept-Language | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept-Language | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept-Language | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept-Language/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Referer. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Referer" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Referer | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Referer | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Referer | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Referer/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 25 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Content-Type" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Content-Type | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Content-Type | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 27 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Content-Type | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Content-Type/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Accept-Encoding. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Accept-Encoding" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Accept-Encoding | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Accept-Encoding | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Accept-Encoding | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Accept-Encoding/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "User-Agent" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: User-Agent | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: User-Agent | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 25 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: User-Agent | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/User-Agent/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Host" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Host | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Host | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 24 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Host | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Host/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Content-Length" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Content-Length | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Content-Length | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 28 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Content-Length | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Content-Length/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Connection. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Connection" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Connection | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Connection | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 27 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Connection | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Connection/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Cache-Control. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Cache-Control" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Cache-Control | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Cache-Control | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 33 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Cache-Control | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Cache-Control/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(.*)$" against REQUEST_HEADERS_NAMES:Cookie. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.0: Cookie | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Added regex subexpression to TX.1: Cookie | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 33 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.header_name=/%{tx.0}/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.0} to: Cookie | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.header_name" to "/Cookie/". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d0e218; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "101"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d0e218: SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "within" with param "%{tx.restricted_headers}" against TX:header_name. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/Cookie/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.restricted_headers} to: /Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d0b428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "20"] [id "990002"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d0b428: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_35_scanners.data" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990002,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 18 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_35_scanners.data" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d33340; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "22"] [id "990901"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d33340: SecRule "REQUEST_HEADERS_NAMES" "@rx \\bacunetix-product\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990901,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "x-requested-with" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:x-requested-with. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-language" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 14 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept-Language.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-language"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Referer.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "referer"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Content-Type.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-type"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Accept-Encoding.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-encoding"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "user-agent"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Host.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "host"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Content-Length.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-length"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Connection.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "connection"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Cache-Control.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cache-control"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bacunetix-product\\b" against REQUEST_HEADERS_NAMES:Cookie.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d36ad8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "24"] [id "990902"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d36ad8: SecRule "REQUEST_FILENAME" "@pm nessustest appscan_fingerprint" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:%{matched_var},id:990902,tag:OWASP_CRS/AUTOMATION/SECURITY_SCANNER,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "nessustest appscan_fingerprint" against REQUEST_FILENAME.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d3e318; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d3e318: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_35_bad_robots.data" "phase:2,log,auditlog,status:403,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Rogue web site crawler',id:990012,tag:OWASP_CRS/AUTOMATION/MALICIOUS,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,capture,logdata:%{TX.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_35_bad_robots.data" against REQUEST_HEADERS:User-Agent.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 32 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dbea28; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "25"] [id "950907"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dbea28: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:normalisePath,ctl:auditLogParts=+E,msg:'System Command Injection',id:950907,tag:OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) normalisePath: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) normalisePath: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\"\\|\\;\\`\\-\\s]|$))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dc9238; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dc9238: SecRule "ARGS" "@rx \\W{4,}" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,id:960024,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dc76a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "51"] [id "950008"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dc76a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'Injection of Undocumented ColdFusion Tags',id:950008,tag:OWASP_CRS/WEB_ATTACK/CF_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\\b" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dda308; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "65"] [id "950010"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dda308: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'LDAP Injection Attack',id:950010,tag:OWASP_CRS/WEB_ATTACK/LDAP_INJECTION,tag:WASCTC/WASC-29,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1de2220; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "79"] [id "950011"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1de2220: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,msg:'SSI injection Attack',id:950011,tag:OWASP_CRS/WEB_ATTACK/SSI_INJECTION,tag:WASCTC/WASC-36,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 36 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 154 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dead10; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "93"] [id "950018"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dead10: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:950018,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1df00c0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "103"] [id "950019"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1df00c0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:950019,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r]\\s*\\b(?:to|b?cc)\\b\\s*:.*?\\@" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dff538; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "134"] [id "950910"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dff538: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [\\n\\r](?:content-(type|length)|set-cookie|location):" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:950910,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 43 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r](?:content-(type|length)|set-cookie|location):" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[\\n\\r](?:content-(type|length)|set-cookie|location):" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e05468; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "136"] [id "950911"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e05468: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:950911,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 25 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e0cdf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "154"] [id "950117"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e0cdf8: SecRule "ARGS" "@rx ^(?i)(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950117,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e0bf50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "157"] [id "950118"] [rev "3"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e0bf50: SecRule "QUERY_STRING|REQUEST_BODY" "@rx (?i:(\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(ht|f)tps?:\\/\\/)" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950118,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e18568; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "160"] [id "950119"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e18568: SecRule "ARGS" "@rx ^(?i)(?:ft|htt)ps?(.*?)\\?+$" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950119,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e155f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e155f0: SecRule "ARGS" "@rx ^(?:ht|f)tps?://(.*)$" "phase:2,log,auditlog,status:403,chain,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:950120,severity:2,tag:OWASP_CRS/WEB_ATTACK/RFI" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e1eee0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "170"] [id "981133"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e1eee0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,auditlog,status:403,id:981133,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_40_generic_attacks.data" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_40_generic_attacks.data" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 9 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1efc9d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "172"] [id "981134"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1efc9d8: SecRule "TX:PM_SCORE" "@eq 0" "phase:2,auditlog,status:403,id:981134,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,skipAfter:END_PM_CHECK,nolog" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1efdab8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "184"] [id "950009"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1efdab8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:950009,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 31 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f060b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "188"] [id "950003"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f060b0: SecRule "ARGS_NAMES" "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:7,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:950003,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f1d1a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "194"] [id "950000"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f1d1a0: SecRule "ARGS_NAMES" "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,log,auditlog,status:403,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:7,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:950000,tag:OWASP_CRS/WEB_ATTACK/SESSION_FIXATION,tag:WASCTC/WASC-37,tag:OWASP_TOP_10/A3,tag:PCI/6.5.7,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f2dcc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [rev "3"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f2dcc0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:950005,tag:OWASP_CRS/WEB_ATTACK/FILE_INJECTION,tag:WASCTC/WASC-33,tag:OWASP_TOP_10/A4,tag:PCI/6.5.4,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 14 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f3ad80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950002"] [rev "3"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f3ad80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Access',id:950002,tag:OWASP_CRS/WEB_ATTACK/FILE_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\.exe\\b|cmd(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f418b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "221"] [id "950006"] [rev "3"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f418b8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" "phase:2,log,auditlog,status:403,rev:3,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:950006,tag:OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION,tag:WASCTC/WASC-31,tag:OWASP_TOP_10/A1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.% | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cmdline: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f4b830; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f4b830: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <\\?(?!xml)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:959151,severity:2,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 31 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<\\?(?!xml)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 247 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<\\?(?!xml)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f59140; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "233"] [id "958976"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f59140: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:958976,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f62970; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "236"] [id "958977"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f62970: SecRule "QUERY_STRING" "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input" "phase:2,log,auditlog,status:403,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:9,t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:958977,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A6,tag:PCI/6.5.2,tag:WASCTC/WASC-25,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE4,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f78b90; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "48"] [id "981231"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f78b90: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:981231,t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:2,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 9 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f81c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "54"] [id "981260"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f81c80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" "phase:2,log,auditlog,status:403,id:981260,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f868d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "63"] [id "981318"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f868d8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f8e1a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "69"] [id "981319"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f8e1a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:981319,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f9b410; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "76"] [id "950901"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f9b410: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:950901,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?!\\2)([\\d\\w]+)\\b))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fa9e18; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "83"] [id "981320"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fa9e18: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:981320,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_A | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 99 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)|s(?:ys(?:\\.database_name|aux)|chema(?:\\W*\\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\\W*\\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fb6088; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "90"] [id "981300"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fb6088: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,auditlog,status:403,id:981300,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "select show top distinct from dual where group by order having limit offset union rownum as (case" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "select show top distinct from dual where group by order having limit offset union rownum as (case" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fb3698; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "91"] [id "981301"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fb3698: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord select" "phase:2,auditlog,status:403,id:981301,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc0968; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "92"] [id "981302"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc0968: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord show" "phase:2,auditlog,status:403,id:981302,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc1828; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "93"] [id "981303"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc1828: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord top" "phase:2,auditlog,status:403,id:981303,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc69a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "94"] [id "981304"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc69a8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord distinct" "phase:2,auditlog,status:403,id:981304,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fc7890; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "95"] [id "981305"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fc7890: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord from" "phase:2,auditlog,status:403,id:981305,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcc960; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "96"] [id "981306"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcc960: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord dual" "phase:2,auditlog,status:403,id:981306,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcd820; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "97"] [id "981307"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcd820: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord where" "phase:2,auditlog,status:403,id:981307,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd0780; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "98"] [id "981308"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd0780: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains group by" "phase:2,auditlog,status:403,id:981308,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd1640; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "99"] [id "981309"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd1640: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains order by" "phase:2,auditlog,status:403,id:981309,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fce500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981310"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fce500: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord having" "phase:2,auditlog,status:403,id:981310,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fcf3d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "101"] [id "981311"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fcf3d8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord limit" "phase:2,auditlog,status:403,id:981311,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd66f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "102"] [id "981312"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd66f0: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord offset" "phase:2,auditlog,status:403,id:981312,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fd75c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "103"] [id "981313"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fd75c8: SecRule "TX:SQLI_SELECT_STATEMENT" "@containsWord union" "phase:2,auditlog,status:403,id:981313,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdc560; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "104"] [id "981314"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdc560: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains union all" "phase:2,auditlog,status:403,id:981314,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdd428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "105"] [id "981315"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdd428: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains rownum as" "phase:2,auditlog,status:403,id:981315,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fde2f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "106"] [id "981316"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fde2f0: SecRule "TX:SQLI_SELECT_STATEMENT" "@contains (case" "phase:2,auditlog,status:403,id:981316,t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fe5508; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "107"] [id "981317"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fe5508: SecRule "TX:SQLI_SELECT_STATEMENT_COUNT" "@ge 3" "phase:2,log,auditlog,status:403,t:none,block,id:981317,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1febb20; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "115"] [id "950007"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1febb20: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:950007,tag:OWASP_CRS | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.(db|user))|c(?:onstraint_type|harindex)|waitfor\\b\\W*?\\bdelay|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)|\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\\W+\\bchar|mb_users|rownum)\\b|t(?:able_name\\b|extpos\\W+\\()))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ff7800; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "124"] [id "950001"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ff7800: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtim | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|ti | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|ti | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2002a68; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "129"] [id "959070"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2002a68: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959070,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anoma | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?i:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2012af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "132"] [id "959071"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2012af8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959071,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 201a908; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "135"] [id "959072"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 201a908: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959072,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2025878; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "139"] [id "950908"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2025878: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via" "@rx (?i:\\b(?:coalesce\\b|root\\@))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:950908,msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:coalesce\\b|root\\@))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:\\b(?:coalesce\\b|root\\@))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 202e658; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "142"] [id "959073"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 202e658: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)| | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 19 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2037570; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "156"] [id "981172"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2037570: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES" "@rx ([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" "phase:2,log,auditlog,status:403,t:none,t:urlDecodeUni,block,id:981172,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 27 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2043900; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "158"] [id "981173"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2043900: SecRule "ARGS_NAMES|ARGS|XML:/*" "@rx ([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" "phase:2,log,auditlog,status:403,t:none,t:urlDecodeUni,block,id:981173,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:8,msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:tx.msg=%{rule.msg},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2041500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "176"] [id "981272"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2041500: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:981272,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2051328; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "204"] [id "981244"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2051328: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 17 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][<>~]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" a | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]?=\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W*?[+=]+\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(].*?$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W+[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][<>~]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" a | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 204bf88; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "206"] [id "981255"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 204bf88: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:981255,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 14 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?!\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];?\\s*?(?:select|union|having)\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2060e38; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "208"] [id "981257"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2060e38: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:981257,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2067500; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "210"] [id "981248"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2067500: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:981248,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98=()]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2070058; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "212"] [id "981277"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2070058: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.90738585072007e-308 is the \"magic number\" crash',id:981277,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20720d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "214"] [id "981250"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20720d0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:981250,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*?\\(?\\s*?\\w+))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 207c848; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "216"] [id "981241"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 207c848: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:981241,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2080440; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "218"] [id "981252"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2080440: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:981252,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:alter\\s*?\\w+.*?character\\s+set\\s+\\w+)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?waitfor\\s+time\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];.*?:\\s*?goto))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 208a848; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "220"] [id "981256"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 208a848: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:981256,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2090d80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "222"] [id "981245"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2090d80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:981245,tag:OWAS | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*\\s*?\\w+\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^?\\w\\s=.,;)(]+\\s*?[(@\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]*?\\s*?\\w+\\W+\\w)|(?:select\\s+?[\\[\\]()\\s\\w\\.,\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+from\\s+)|(?:find_in_set\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2095508; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "224"] [id "981276"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2095508: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:(union(.*?)select(.*?)from)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:981276,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(union(.*?)select(.*?)from)))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:(union(.*?)select(.*?)from)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2096c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "226"] [id "981254"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2096c80: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:981254,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:select\\s*?pg_sleep)|(?:waitfor\\s*?delay\\s?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?\\d)|(?:;\\s*?shutdown\\s*?(?:;|--|#|\\/\\*|{)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20a3240; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "228"] [id "981270"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20a3240: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:981270,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20aeef8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "230"] [id "981240"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20aeef8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:981240,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20b2d50; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "232"] [id "981249"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20b2d50: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:981249,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:t | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+and\\s*?=\\W)|(?:\\(\\s*?select\\s*?\\w+\\s*?\\()|(?:\\*\\/from)|(?:\\+\\s*?\\d+\\s*?\\+\\s*?@)|(?:\\w[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(?:[-+=|@]+\\s*?)+[\\d(])|(?:coalesce\\s*?\\(|@@\\w+\\s*?[^\\w\\s])|(?:\\W!+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98];\\s*?(?:if|while|begin))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]+=\\s*?\\d)|(?:order\\s+by\\s+if\\w*?\\s*?\\()|(?:[\\s(]+case\\d*?\\W.+[tw]hen[\\s(]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20b7690; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "234"] [id "981253"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20b7690: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:981253,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20c1fa0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "236"] [id "981242"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20c1fa0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni, | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 16 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\d\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))+\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\|\\||\\&\\&)\\s*?[\\w\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*?[|-]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\w)|(?:@\\w+\\s+(and|x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d]+)|(?:@[\\w-]+\\s(and|x?or|div|like|between|and)\\s*?[^\\w\\s])|(?:[^\\w\\s:]\\s*?\\d\\W+[^\\w\\s]\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].)|(?:\\Winformation_schema|table_name\\W))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20ca928; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "238"] [id "981246"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20ca928: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id: | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?\\d.+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\w)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\|?[\\w-]{3,}[^\\w\\s.,]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20d13a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "240"] [id "981251"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20d13a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:981251,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?[\\[(]?\\w{2,}))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20d50a0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "242"] [id "981247"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20d50a0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" "phase:2,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:981247,tag:OWASP_CRS/WEB_ATTACK/SQL_INJECTION,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.id}-%{rule.msg},setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20e19d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "244"] [id "981243"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20e19d8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" "phase:2,log,a | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 59 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\\s\\d]*?[^\\w\\s]+\\W*?\\d\\W*?.*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\d])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s?]+\\s*?[^\\w\\s]+\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?[^\\w\\s]+\\s*?[\\W\\d].*?(?:#|--))|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?\\*\\s*?\\d)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s[^\\d]+[\\w-]+.*?\\d)|(?:[()\\*<>%+-][\\w-]+[^\\w\\s]+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][^,]))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20e4b00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20e4b00: SecRule "ARGS" "@rx (?i)(<script[^>]*>[\\s\\S]*?<\\/script[^>]*>|<script[^>]*>[\\s\\S]*?<\\/script[[\\s\\S]]*[\\s\\S]|<script[^>]*>[\\s\\S]*?<\\/script[\\s]*[\\s]|<script[^>]*>[\\s\\S]*?<\\/script|<script[^>]*>[\\s\\S]*?)" "phase:2,deny,auditlog,status:403,id:973336,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f0628; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973337"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f0628: SecRule "ARGS" "@rx (?i)([\\s\"'`;\\/0-9\\=]+on\\w+\\s*=)" "phase:2,deny,auditlog,status:403,id:973337,t:none,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 2: Event Handler Vector',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f7af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "28"] [id "973338"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f7af8: SecRule "ARGS" "@rx (?i)((?:=|U\\s*R\\s*L\\s*\\()\\s*[^>]*\\s*S\\s*C\\s*R\\s*I\\s*P\\s*T\\s*:|:|[\\s\\S]allowscriptaccess[\\s\\S]|[\\s\\S]src[\\s\\S]|[\\s\\S]data:text\\/html[\\s\\S]|[\\s\\S]xlink:href[\\s\\S]|[\\s\\S]base64[\\s\\S]|[\\s\\S]xmlns[\\s\\S]|[\\s\\S]xhtml[\\s\\S]|[\\s\\S]style[\\s\\S]|<style[^>]*>[\\s\\S]*?|[\\s\\S]@import[\\s\\S]|<applet[^>]*>[\\s\\S]*?|<meta[^>]*>[\\s\\S]*?|<object[^>]*>[\\s\\S]*?)" "phase:2,deny,auditlog,status:403,id:973338,t:none,rev:1,ver:OWASP_CRS/2.2.9,maturity:1,accuracy:8,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,msg:'XSS Filter - Category 3: Javascript URI Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.i | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2100708; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "35"] [id "981136"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2100708: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" "phase:2,auditlog,status:403,id:981136,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 32 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pm" with param "jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 214ea58; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "37"] [id "981018"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 214ea58: SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,auditlog,status:403,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "eq" with param "0" against &TX:PM_XSS_SCORE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Operator EQ matched 0 at TX. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "37"] [id "981018"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 214ea58 id="END_XSS_CHECK" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958016" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958414" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958032" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958026" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958027" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958054" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958418" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958034" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958019" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958013" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958408" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958012" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958423" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958002" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958017" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958007" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958047" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958410" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958415" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958022" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958405" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958419" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958028" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958057" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958031" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958006" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958033" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958038" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958409" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958001" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958005" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958404" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958023" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958010" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958411" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958422" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958036" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958000" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958018" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958406" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958040" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958052" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958037" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958049" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958030" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958041" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958416" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958024" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958059" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958417" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958020" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958045" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958004" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958421" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958009" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958025" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958413" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958051" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958420" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958407" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958056" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958011" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958412" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958008" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958046" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958039" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="958003" [chained 0] is trying to find the SecMarker="END_XSS_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 1d23298 id="END_XSS_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_XSS_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d33da8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "301"] [id "973300"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d33da8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973300,capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: % | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d42918; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "304"] [id "973301"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d42918: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\ballowscriptaccess\\b|\\brel\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973301,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\ballowscriptaccess\\b|\\brel\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\ballowscriptaccess\\b|\\brel\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d558b0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "309"] [id "973302"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d558b0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx .+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973302,capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param ".+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param ".+application/x-shockwave-flash|image/svg\\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1d76fb8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "317"] [id "973303"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1d76fb8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973303,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1da1e00; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "333"] [id "973304"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1da1e00: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973304,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dca398; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "351"] [id "973305"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dca398: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (asfunction|javascript|vbscript|data|mocha|livescript):" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973305,capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeNulls: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 38 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(asfunction|javascript|vbscript|data|mocha|livescript):" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeNulls: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 39 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(asfunction|javascript|vbscript|data|mocha|livescript):" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1dde428; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "359"] [id "973306"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1dde428: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx \\bstyle\\b\\W*?=" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973306,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bstyle\\b\\W*?=" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bstyle\\b\\W*?=" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e028c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "391"] [id "973307"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e028c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (fromcharcode|alert|eval)\\s*\\(" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973307,capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(fromcharcode|alert|eval)\\s*\\(" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) jsDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(fromcharcode|alert|eval)\\s*\\(" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e28f48; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "417"] [id "973308"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e28f48: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973308,capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cssDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 48 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) cssDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) replaceComments: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) removeWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 47 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "background\\b\\W*?:\\W*?url|background-image\\b\\W*?:|behavior\\b\\W*?:\\W*?url|-moz-binding\\b|@import\\b|expression\\b\\W*?\\(" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e6d5e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "421"] [id "973309"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e6d5e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!\\[cdata\\[|\\]\\]>" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973309,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!\\[cdata\\[|\\]\\]>" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!\\[cdata\\[|\\]\\]>" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e83cc0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "432"] [id "973310"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e83cc0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx [/'\"<]xss[/'\">]" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973310,capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[/'\"<]xss[/'\">]" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[/'\"<]xss[/'\">]" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e904b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "437"] [id "973311"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e904b8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (88,83,83)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973311,capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(88,83,83)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(88,83,83)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1e9f158; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "442"] [id "973312"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1e9f158: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx '';!--\"<xss>=&{()}" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973312,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "'';!--\"<xss>=&{()}" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "'';!--\"<xss>=&{()}" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ecabf8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "447"] [id "973313"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ecabf8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx &{" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973313,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "&{" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "&{" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ee14e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "464"] [id "973314"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ee14e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx <!(doctype|entity)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973314,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!(doctype|entity)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "r106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<!(doctype|entity)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ace_cookie"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ef8430; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "472"] [id "973331"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ef8430: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<script.*?>)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973331,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?>)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?>)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f07d08; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "474"] [id "973315"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f07d08: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973315,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f2fc70; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "476"] [id "973330"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f2fc70: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973330,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<script.*?[ /+\\t]*?((src)|(xlink:href)|(href))[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f47600; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "478"] [id "973327"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f47600: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973327,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[i]?frame.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f5d3e0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "480"] [id "973326"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f5d3e0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973326,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 28 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<.*[:]vmlframe.*?[ /+\\t]*?src[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f72ef8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "482"] [id "973346"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f72ef8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 76 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" agai
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" agai
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1f97dc8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "484"] [id "973345"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1f97dc8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973345,capture,logdata:'Matc
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 30 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fbd878; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "486"] [id "973324"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fbd878: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973324,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 56 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<EMBED[ /+\\t].*?((src)|(type)).*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1fdb528; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "488"] [id "973323"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1fdb528: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973323,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<[?]?import[ /+\\t].*?implementation[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ffee08; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "490"] [id "973322"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ffee08: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973322,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?http-equiv[ /+\\t]*=[ /+\\t]*[\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2014a78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "492"] [id "973348"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2014a78: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<META[ /+\\t].*?charset[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973348,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?charset[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<META[ /+\\t].*?charset[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2030b88; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "494"] [id "973321"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2030b88: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973321,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 95 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<LINK[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 202b470; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "496"] [id "973320"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 202b470: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973320,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 70 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<BASE[ /+\\t].*?href[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 205d7c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "498"] [id "973318"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 205d7c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<APPLET[ /+\\t>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973318,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<APPLET[ /+\\t>])" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<APPLET[ /+\\t>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2077128; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "500"] [id "973317"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2077128: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973317,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<OBJECT[ /+\\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\\t]*=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2099650; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "504"] [id "973347"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2099650: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973347,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWA | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?[,].*(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]*(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]*(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]*(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\\\u0067)|(\\147)|(\\x67)))).*?:)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 49 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20c0ad0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20c0ad0: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973335,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 53 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\(.*?\\))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20da648; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20da648: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973334,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 228 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 22 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'].*?\\)[ ]*(([^a-z0-9~_:\\' ])|(in)).+?\\()" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 20f81c8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 20f81c8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973333,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 48 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[.].+?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2116d98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "512"] [id "973344"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2116d98: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973344,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).+?[\\[].*?[\\]].*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2132b78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "514"] [id "973332"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2132b78: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973332,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critic
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 108 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2152030; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "516"] [id "973329"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2152030: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<form.*?>)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973329,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<form.*?>)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<form.*?>)" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2169558; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "518"] [id "973328"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2169558: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:<isindex[ /+\\t>])" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973328,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<isindex[ /+\\t>])" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:<isindex[ /+\\t>])" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2187608; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2187608: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973316,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 21 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]style[ /+\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" against REQUEST_COOKIES_NAMES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21a5338; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "522"] [id "973325"] [rev "2"].
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21a5338: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973325,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE".
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" against REQUEST_COOKIES:ACE_COOKIE.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280"
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec.
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 50 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]on\\[a-z]\\[a-z]\\[a-z]+?[ +\\t]*?=.)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 21cace8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "524"] [id "973319"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 21cace8: SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@rx (?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,id:973319,capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:OWASP_CRS/WEB_ATTACK/XSS,tag:WASCTC/WASC-8,tag:WASCTC/WASC-22,tag:OWASP_TOP_10/A2,tag:OWASP_AppSensor/IE1,tag:PCI/6.5.1,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_COOKIES:ACE_COOKIE|REQUEST_COOKIES_NAMES:ACE_COOKIE". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" against REQUEST_COOKIES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) compressWhitespace: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 19 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:[ /+\\t\"\\'`]datasrc[ +\\t]*?=.)" against REQUEST_COOKIES_NAMES:ACE_COOKIE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2208750; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "31"] [id "958297"] [rev "2.2.9"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2208750: SecRule "REQUEST_HEADERS:User-Agent" "@pmFromFile modsecurity_42_comment_spam.data" "phase:2,status:404,chain,rev:2.2.9,t:none,t:lowercase,pass,nolog,auditlog,msg:'Common SPAM/Email Harvester crawler',id:958297,tag:AUTOMATION/MALICIOUS,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 24 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "pmFromFile" with param "modsecurity_42_comment_spam.data" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 15 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.msg=%{rule.msg} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{rule.msg} to: Common SPAM/Email Harvester crawler | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.msg" to "Common SPAM/Email Harvester crawler". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.automation_score=+%{tx.warning_anomaly_score} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: tx.automation_score = "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.warning_anomaly_score} to: 3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Relative change: automation_score=0+3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.automation_score" to "3". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.anomaly_score=+%{tx.warning_anomaly_score} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Recorded original collection variable: tx.anomaly_score = "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.warning_anomaly_score} to: 3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Relative change: anomaly_score=0+3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.anomaly_score" to "3". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{rule.id} to: 958297 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var_name} to: REQUEST_HEADERS:User-Agent | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{matched_var} to: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3) | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.958297-AUTOMATION/MALICIOUS-REQUEST_HEADERS:User-Agent" to "mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e; infopath.3)". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 22548b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "32"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 22548b8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(?:m(?:o(?:zilla\\/4\\.0\\+?\\(|vable type)|i(?:crosoft url|ssigua)|j12bot\\/v1\\.0\\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\\/| )1\\.)|c(?:ore-project\\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\\/|httpproxy|<sc)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(?:m(?:o(?:zilla\\/4\\.0\\+?\\(|vable type)|i(?:crosoft url|ssigua)|j12bot\\/v1\\.0\\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\\/| )1\\.)|c(?:ore-project\\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\\/|httpproxy|<sc)" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 225c598; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "36"] [id "999010"] [rev "2.2.9"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 225c598: SecRule "ARGS|ARGS_NAMES" "@rx \\bhttp:" "phase:2,auditlog,status:403,rev:2.2.9,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,id:999010,severity:6" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 226de20; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "38"] [id "999011"] [rev "2.2.9"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 226de20: SecAction "phase:2,auditlog,status:403,id:999011,rev:2.2.9,nolog,skipAfter:END_COMMENT_SPAM" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "10.101.161.59" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Unconditional match in SecAction. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "38"] [id "999011"] [rev "2.2.9"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 226de20 id="END_COMMENT_SPAM" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="950923" [chained 0] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="950020" [chained 0] is trying to find the SecMarker="END_COMMENT_SPAM" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 2304710 id="END_COMMENT_SPAM". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_COMMENT_SPAM". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2304e78; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_42_tight_security.conf"] [line "20"] [id "950103"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2304e78: SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@rx (?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:7,t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:950103,severity:2,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" to "REQUEST_URI|REQUEST_HEADERS:x-requested-with|REQUEST_HEADERS:Accept-Language|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Accept-Encoding|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Connection|REQUEST_HEADERS:Cache-Control|REQUEST_HEADERS:Cookie". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_URI. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:x-requested-with. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "XMLHttpRequest" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept-Language. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "en-gb" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json, text/javascript, */*; q=0.01" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 30 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 15 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "application/json; charset=UTF-8" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Accept-Encoding. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "gzip, deflate" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 6 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "xxx.yyy.com" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "51" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Connection. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Keep-Alive" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Cache-Control. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "no-cache" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 7 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\\.){2}(?:\\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\\/))" against REQUEST_HEADERS:Cookie. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "ACE_COOKIE=R106026280" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2313478; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "31"] [id "950110"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2313478: SecRule "REQUEST_HEADERS_NAMES" "@rx x_(?:key|file)\\b" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950110,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:x-requested-with|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Content-Type|REQUEST_HEADERS_NAMES:Accept-Encoding|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:Host|REQUEST_HEADERS_NAMES:Content-Length|REQUEST_HEADERS_NAMES:Connection|REQUEST_HEADERS_NAMES:Cache-Control|REQUEST_HEADERS_NAMES:Cookie". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "x-requested-with" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:x-requested-with. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "x-requested-with" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-language" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 12 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept-Language. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-language" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "referer" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 63 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Referer. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "referer" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-type" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Content-Type. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-type" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "accept-encoding" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Accept-Encoding. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "accept-encoding" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "user-agent" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 16 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "user-agent" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "host" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Host. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "host" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "content-length" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 29 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Content-Length. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "content-length" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "connection" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Connection. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "connection" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cache-control" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 11 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Cache-Control. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cache-control" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 10 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "x_(?:key|file)\\b" against REQUEST_HEADERS_NAMES:Cookie. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "cookie" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 231ddc8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "33"] [id "950921"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 231ddc8: SecRule "REQUEST_FILENAME" "@rx root\\.exe" "phase:2,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950921,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 97 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "root\\.exe" against REQUEST_FILENAME. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "/scan/info/authenticate/login/" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b750d8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "16"] [id "981020"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b750d8: SecRule "REQUEST_LINE" "@rx ^GET /$" "phase:2,auditlog,status:403,chain,id:981020,t:none,pass,nolog" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^GET /$" against REQUEST_LINE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b83748; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "24"] [id "981021"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b83748: SecRule "REQUEST_LINE" "@rx ^(GET /|OPTIONS \\*) HTTP/1.0$" "phase:2,auditlog,status:403,chain,id:981021,t:none,pass,nolog" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^(GET /|OPTIONS \\*) HTTP/1.0$" against REQUEST_LINE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST /scan/info/authenticate/login/ HTTP/1.1" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][6] Ignoring regex captures since "capture" action is not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 13 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b905f0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "34"] [id "981022"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b905f0: SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,status:403,chain,id:981022,t:none,pass,nolog" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "streq" with param "POST" against REQUEST_METHOD. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "POST" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b90f70; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_47_common_exceptions.conf"] [line "35"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b90f70: SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" "chain,t:none" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "contains" with param "Adobe Flash Player" against REQUEST_HEADERS:User-Agent. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b99c68; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "19"] [id "981175"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b99c68: SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,auditlog,status:403,chain,id:981175,t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_tx_msg=%{tx.msg} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.msg} to: Common SPAM/Email Harvester crawler | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_tx_msg" to "Common SPAM/Email Harvester crawler". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=%{tx.anomaly_score} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.anomaly_score} to: 3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "3". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9ae98; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "20"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9ae98: SecRule "RESOURCE:OSVDB_VULNERABLE" "@eq 1" "chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9db30; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9db30: SecRule "TX:ANOMALY_SCORE" "@gt 0" "phase:2,auditlog,status:403,chain,id:981176,t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_tx_msg=%{tx.msg} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.msg} to: Common SPAM/Email Harvester crawler | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_tx_msg" to "Common SPAM/Email Harvester crawler". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Setting variable: tx.inbound_anomaly_score=%{tx.anomaly_score} | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.anomaly_score} to: 3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Set variable "tx.inbound_anomaly_score" to "3". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Match -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b9fba8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "27"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b9fba8: SecRule "TX:ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "%{tx.inbound_anomaly_score_level}" against TX:anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_anomaly_score_level} to: 5 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 38 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Hook insert_filter: Adding input forwarding filter (r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Hook insert_filter: Adding output filter (r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=16384 (f 7fbe180018d0, r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Forwarded 51 bytes. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Sent EOS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Input filter: Input forwarding complete. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase RESPONSE_HEADERS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 23 rule(s). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Not buffering response body for unconfigured MIME type "application/json". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Content Injection: Not enabled. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Receiving output (f 7fbe180018f8, r 7fbe1c002970). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Completed receiving response body (non-buffering). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 62 rule(s). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b701d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_45_trojans.conf"] [line "35"] [id "950922"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b701d0: SecRule "RESPONSE_BODY" "@rx (?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)|vayv)|myshell)|\\b(?:(?:(?:microsoft windows\\b.{0,10}?\\bversion\\b.{0,20}?\\(c\\) copyright 1985-.{0,10}?\\bmicrosoft corp|ntdaddy v1\\.9 - obzerve \\| fux0r inc)\\.|(?:www\\.sanalteror\\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\\b|aventgrup\\.<br>|drwxr))" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:8,accuracy:8,t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:950922,tag:OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN,tag:WASCTC/WASC-01,tag:OWASP_TOP_10/A7,tag:PCI/5.1.1,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_ | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)|vayv)|myshell)|\\b(?:(?:(?:microsoft windows\\b.{0,10}?\\bversion\\b.{0,20}?\\(c\\) copyright 1985-.{0,10}?\\bmicrosoft corp|ntdaddy v1\\.9 - obzerve \\| fux0r inc)\\.|(?:www\\.sanalteror\\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\\b|aventgrup\\.<br>|drwxr))" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 8 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ba1000; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "20"] [id "970007"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ba1000: SecRule "RESPONSE_BODY" "@rx <h2>Site Error<\\/h2>.{0,20}<p>An error was encountered while publishing this resource\\." "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970007,tag:OWASP_CRS/LEAKAGE/ERRORS_ZOPE,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<h2>Site Error<\\/h2>.{0,20}<p>An error was encountered while publishing this resource\\." against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1ba9238; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "24"] [id "970008"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1ba9238: SecRule "RESPONSE_BODY" "@rx \\bThe error occurred in\\b.{0,100}: line\\b.{0,1000}\\bColdFusion\\b.*?\\bStack Trace \\(click to expand\\)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970008,tag:OWASP_CRS/LEAKAGE/ERRORS_CF,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\bThe error occurred in\\b.{0,100}: line\\b.{0,1000}\\bColdFusion\\b.*?\\bStack Trace \\(click to expand\\)" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1baf9a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "28"] [id "970009"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1baf9a8: SecRule "RESPONSE_BODY" "@rx <b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970009,tag:OWASP_CRS/LEAKAGE/ERRORS_PHP,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bb6348; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "32"] [id "970010"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bb6348: SecRule "RESPONSE_BODY" "@rx \\b403 Forbidden\\b.*?\\bInternet Security and Acceleration Server\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970010,tag:MISCONFIGURATION,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\b403 Forbidden\\b.*?\\bInternet Security and Acceleration Server\\b" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bbc768; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "36"] [id "970012"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bbc768: SecRule "RESPONSE_BODY" "@rx <o:documentproperties>" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970012,tag:OWASP_CRS/LEAKAGE/INFO_STATISTICS,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<o:documentproperties>" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bc4af8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bc4af8: SecRule "RESPONSE_BODY" "@rx \\<\\%" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970903,tag:OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "\\<\\%" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bc3198; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "45"] [id "970016"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bc3198: SecRule "RESPONSE_BODY" "@rx <cf" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970016,tag:OWASP_CRS/LEAKAGE/SOURCE_CODE_CF,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "<cf" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bcb1d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "49"] [id "970018"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bcb1d0: SecRule "RESPONSE_BODY" "@rx [a-z]:\\\\inetpub\\b" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,t:lowercase,ctl:auditLogParts=+E,block,msg:'IIS installed in default location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970018,severity:3,chain" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 9 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "[a-z]:\\\\inetpub\\b" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1bd25e8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1bd25e8: SecRule "RESPONSE_STATUS" "@rx ^5\\d{2}$" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970901,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^5\\d{2}$" against RESPONSE_STATUS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "200" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 5 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c33700; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "55"] [id "970118"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c33700: SecRule "RESPONSE_BODY" "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error<\\/h1>.*?<h2>part of the server has crashed or it has a configuration error\\.<\\/h2>|cannot connect to the server: timed out)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970118,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?:Microsoft OLE DB Provider for SQL Server(?:<\\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error<\\/h1>.*?<h2>part of the server has crashed or it has a configuration error\\.<\\/h2>|cannot connect to the server: timed out)" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c38020; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "58"] [id "970021"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c38020: SecRule "RESPONSE_STATUS" "@rx ^500$" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970021,severity:3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "^500$" against RESPONSE_STATUS. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "200" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c3d3a8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "62"] [id "970011"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c3d3a8: SecRule "RESPONSE_BODY" "@rx href\\s?=[\\s\"\\']*[A-Za-z]\\:\\x5c([^\"\\']+)" "phase:4,log,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,chain,capture,t:none,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:970011,tag:OWASP_CRS/LEAKAGE/INFO_FILE,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,severity:3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "href\\s?=[\\s\"\\']*[A-Za-z]\\:\\x5c([^\"\\']+)" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c458d0; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "69"] [id "981177"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c458d0: SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) lowercase: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 20 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!pm" with param "iframe" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Match of "pm iframe" against "RESPONSE_BODY" required. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "69"] [id "981177"] [rev "2"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "6"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c458d0 id="END_IFRAME_CHECK" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981000" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981001" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981003" [chained 0] is trying to find the SecMarker="END_IFRAME_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 1c59608 id="END_IFRAME_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_IFRAME_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c59c80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "84"] [id "981004"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c59c80: SecRule "RESPONSE_BODY" "@rx (?i)(String\\.fromCharCode\\(.*?){4,}" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981004,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(String\\.fromCharCode\\(.*?){4,}" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 4 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c5daa8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "87"] [id "981005"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c5daa8: SecRule "RESPONSE_BODY" "@rx (?i)(eval\\(.{0,15}unescape\\()" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981005,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(eval\\(.{0,15}unescape\\()" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c65a80; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "90"] [id "981006"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c65a80: SecRule "RESPONSE_BODY" "@rx (?i)(var[^=]+=\\s*unescape\\s*;)" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981006,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i)(var[^=]+=\\s*unescape\\s*;)" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c6bab8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "93"] [id "981007"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c6bab8: SecRule "RESPONSE_BODY" "@rx (?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" "phase:4,log,auditlog,status:403,t:none,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:981007,tag:OWASP_CRS/MALICIOUS_CODE,tag:bugtraq,13544,severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "rx" with param "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1c719b8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "102"] [id "981178"] [rev "2"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1c719b8: SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,status:403,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) urlDecodeUni: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] T (0) htmlEntityDecode: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 24 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "!pmFromFile" with param "modsecurity_50_outbound.data" against RESPONSE_BODY. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Warning. Match of "pmFromFile modsecurity_50_outbound.data" against "RESPONSE_BODY" required. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_50_outbound.conf"] [line "102"] [id "981178"] [rev "2"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 1c719b8 id="END_OUTBOUND_CHECK" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970014" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970015" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970902" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970002" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970003" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970004" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970904" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="(null)" [chained 1] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="970013" [chained 0] is trying to find the SecMarker="END_OUTBOUND_CHECK" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 227ead0 id="END_OUTBOUND_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_OUTBOUND_CHECK". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 227efe8; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_59_outbound_blocking.conf"] [line "24"] [id "981200"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 227efe8: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:4,log,auditlog,status:403,chain,id:981200,t:none,deny,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "%{tx.outbound_anomaly_score_level}" against TX:outbound_anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.outbound_anomaly_score_level} to: 4 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 17 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Output filter: Output forwarding complete. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Output filter: Sending input brigade directly. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Initialising logging. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Starting phase LOGGING. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] This phase consists of 32 rule(s). | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 1b28638; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "82"] [id "981227"] [rev "1"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 1b28638: SecRule "WEBSERVER_ERROR_LOG" "@contains Invalid URI in request" "phase:5,log,auditlog,status:403,msg:'Apache Error: Invalid URI in Request.',severity:4,id:981227,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,logdata:%{request_line},pass,t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ,tag:CAPEC-272,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, not chained -> mode NEXT_RULE. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2281070; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "22"] [id "981201"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2281070: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,auditlog,status:403,chain,id:981201,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 2285330; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "29"] [id "981202"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 2285330: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,auditlog,status:403,chain,id:981202,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "0" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 2 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 0. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] No match, chained -> mode NEXT_CHAIN. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 228b928; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 228b928: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,status:403,chain,id:981203,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "gt" with param "0" against TX:inbound_anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 3 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Skipping after rule 228b928 id="END_CORRELATION" -> mode SKIP_RULES. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recipe: Invoking rule 228cc30; [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "34"]. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][5] Rule 228cc30: SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_level}" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Transformation completed in 1 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Executing operator "lt" with param "%{tx.inbound_anomaly_score_level}" against TX:inbound_anomaly_score. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Target value: "3" | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_anomaly_score_level} to: 5 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Operator completed in 50 usec. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.INBOUND_ANOMALY_SCORE} to: 3 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.SQL_INJECTION_SCORE} to: 0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{TX.XSS_SCORE} to: 0 | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Resolved macro %{tx.inbound_tx_msg} to: Common SPAM/Email Harvester crawler | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][2] Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/opt/apache/common_modsecurity/modsecconf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Rule returned 1. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981204" [chained 0] is trying to find the SecMarker="END_CORRELATION" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Current rule is id="981205" [chained 0] is trying to find the SecMarker="END_CORRELATION" [stater 0] | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][9] Found rule 22916f0 id="END_CORRELATION". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Continuing execution after rule id="END_CORRELATION". | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Recording persistent data took 0 microseconds. | |
[19/Mar/2014:17:23:51 +0100] [xxx.yyy.com/sid#2292138][rid#7fbe1c002970][/scan/info/authenticate/login/][4] Audit log: Ignoring a non-relevant request. |