libmodsecurity HTTP method issue

[brianp9906]

libmodsecurity with ModSecurity-apache connector is flagging protocol enforcement incorrectly. This is due to a parsing issue it appears because modsec audit log shows it too, but my Chrome beta branch browser just shows HTTP/1.1.

ModSecurity: Warning. Matched "Operator Within' with parameter HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'' against variable REQUEST_PROTOCOL' (Value: HTTP/HTTP/1.1' ) [file "/etc/httpd/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "944"] [id "920430"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/HTTP/1.1"]

---pkzg8q5T---B-- GET /stuff/?query=stuff HTTP/HTTP/1.1

Changing crs-setup.conf to have 'HTTP/HTTP/1.1' does resolve the issue.

[zimmerle]

Hi @brianp9906,

Thank you for the report. What you were using as connector? And what are the versions of libModSecurity and connector?

[zimmerle]

It seems to be related to: ModSecurity-apache/pull/21

[brianp9906]

Using the v3 ga release of libmodsecurity and the ModSecurity-apache connector.

[Wed Mar 21 12:48:17.868265 2018] [:notice] [pid 2732] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.

Additionally, I'm noticing that it blocks stuff properly in request headers, but its not scanning the request body for post requests. Not sure why yet.

[zimmerle]

Please, have a look here:
owasp-modsecurity/ModSecurity-apache#21

[victorhora]

@brianp9906

The issue with the method has been solved by commit 0b83daf as mentioned by @zimmerle

About the body scanning issue see owasp-modsecurity/ModSecurity-apache#22. Let us know if this works for you by following up on that pull request.

Thanks.