Hello Mike,
The rule looks to be 340165 and the message looks like this:
Quote:
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "507"] [id "340165"] [rev "278"] [msg "Atomicorp.com WAF Rules: Uniencoded possible Remote File Injection attempt in URI (AE)"] [data "/reserves/459?errors=yes&save_+_close=save&processtype=detail&basehref=/reserves/459/&reserve_name=loch of the lowes&reserve_seoname=loch-of-the-lowes&reserve_code=lol&region_id=12&active=y&public_access=y&item_id=459&user_id=57&item_url=/reserves/459&module_base_url=/reserves/&reserve_latitude=56.57412523&reserve_longitude=-3.56099606&os_reference=no041435&os_landranger=52&nearest_town=dunkeld&nearest_town_dist=2&nearest_reserve_id=486&nearest_reserve_dist=21&reserve_directions=the reserve is situated 1..."] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" at REQUEST_URI.
Action: Intercepted (phase 2)
Stopwatch: 1341907836022849 41139 (- - -)
Stopwatch2: 1341907836022849 41139; combined=39617, p1=109, p2=39494, p3=0, p4=0, p5=13, sr=0, sw=1, l=0, gc=0
WAF: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); 201207092231.
Server: Apache
The data submitted is pretty benign. We can change the format, but it looks (to me) like it's only being triggered because there is a URL in the data, which would not explain the problem, as lots of forms are submitted with URLs and they are not blocked.
Quote:
GET /reserves/459?errors=yes&save_%2B_close=save&processtype=detail&basehref=%2Freserves%2F459%2F&reserve_name=Loch+of+the+Lowes&reserve_seoname=loch-of-the-lowes&reserve_code=LOL&region_id=12&active=Y&public_access=Y&item_id=459&user_id=57&item_url=%2Freserves%2F459&module_base_url=%2Freserves%2F&reserve_latitude=56.57412523&reserve_longitude=-3.56099606&os_reference=NO041435&os_landranger=52&nearest_town=Dunkeld&nearest_town_dist=2&nearest_reserve_id=486&nearest_reserve_dist=21&reserve_directions=The+reserve+is+situated+16+miles+north+of+Perth+and+two+miles+north-east+of+Dunkeld%2C+just+off+the+A923+Dunkeld+to+Blairgowrie+road+%28signposted+from+the+A9%29.+The+car-park+is+situated+at+the+roadside+120m+from+the+Centre%2C+and+is+linked+by+a+wheelchair-friendly+path.+Visitors+can+also+walk+from+Dunkeld+using+the+Fungarth+Walk%2C+which+is+about+two+miles+in+length.&getting_onto_reserve=Follow+the+access+track+to+the+disabled+car-park+and+Visitor+Centre.&image_id=1987&reserve_leaflet_file_id=1094&area_leaflet_file_id=0&reserve_map_file_id=934&blog_link=http%3A%2F%2Fblogs.scottishwildlifetrust.org.uk%2Fosprey%2F&webcam_link=%2Fthings-to-do%2Fwildlife-webcams%2Floch-of-lowes%2F&google_earth_link=&multiselect_facilities%5B0%5D=2&multiselect_facilities%5B1%5D=4&multiselect_facilities%5B2%5D=5&multiselect_facilities%5B3%5D=6&multiselect_facilities%5B4%5D=10&multiselect_facilities%5B5%5D=11&multiselect_facilities%5B6%5D=12&multiselect_facilities%5B7%5D=13&multiselect_facilities%5B8%5D=15&multiselect_facilities%5B9%5D=16&multiselect_facilities%5B10%5D=17&multiselect_facilities%5B11%5D=18&multiselect_facilities%5B12%5D=19&multiselect_facilities%5B13%5D=21&multiselect_facilities%5B14%5D=22&multiselect_facilities%5B15%5D=23&multiselect_facilities%5B16%5D=29&multiselect_facilities%5B17%5D=30&multiselect_multiselect_facilities=30&reserve_description=%3Cp%3E%0D%0A%09A+large+freshwater+loch+with+a+diverse+aquatic+flora%2C+fringed+by+areas+of+fen%2C+reedbeds+and+semi-natural+woodland.+From+early+April+to+late+August%2C+a+pair+of+breeding+ospreys+nest+close+to+the+observation+hides.%3C%2Fp%3E%0D%0A&other_information=%3Ch3%3E%0D%0A%09Perthshire+reserves+education+programme%3C%2Fh3%3E%0D%0A%3Cp%3E%0D%0A%09The+Trust%26%2339%3Bs+Perthshire+Ranger+runs+a+full+and+varied+education+programme+based+at+Loch+of+the+Lowes.+%3Ca+href%3D%22http%3A%2F%2Fscottishwildlifetrust.org.uk%2Fdocs%2F002__057__other_leaflets__Perthshire_reserve_profiles_for_teachers___May_2012__1336746518.pdf%22+target%3D%22_blank%22%3EClick+here+for+more+information%3C%2Fa%3E.%3C%2Fp%3E%0D%0A&why_visit_1=Pair+of+breeding+ospreys&why_visit_2=Close+up+view+of+red+squirrels&why_visit_3=See+fallow+%26+roe+deer+from+the+hide&why_visit_4=Bird+feeders+from+viewing+window&multiselect_visitfor%5B0%5D=1&multiselect_visitfor%5B1%5D=2&multiselect_visitfor%5B2%5D=4&multiselect_visitfor%5B3%5D=8&multiselect_visitfor%5B4%5D=9&multiselect_multiselect_visitfor=9&best_time_visit_1=Apr-Aug+for+ospreys&best_time_visit_2=Mar-Nov+for+red+squirrels&best_time_visit_3=All+year+round+for+wildfowl&best_time_visit_4=Anytime+for+bird+feeders+%26+deer&multiselect_species%5B0%5D=16&multiselect_species%5B1%5D=34&multiselect_species%5B2%5D=56&multiselect_species%5B3%5D=57&multiselect_species%5B4%5D=64&multiselect_species%5B5%5D=79&multiselect_species%5B6%5D=84&multiselect_species%5B7%5D=86&multiselect_species%5B8%5D=88&multiselect_multiselect_species=88&access_restrictions=Only+guide+dogs+are+permitted+at+the+Visitor+Centre.&custom_tab_name=&custom_tab_description=&visitor_centre=Y&opening_times=1+Nov+to+29+Feb%3A+open+Fri+to+Sun+only+from+10.30+am+to+4+pm+%0D%0A1+Mar+to+31+Oct%3A+open+daily+from+10.30+am+to+5+pm%0D%0AClosed+23+to+25+Dec+%26+30+Dec+to+1+January&centre_telephone=01350+727+337&centre_email=lochofthelowes%40swt.org.uk&visitor_centre_link=%2Fvisit%2Fvisitor-centres%2Floch-of-the-lowes%2F HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
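
Added example (not part of the original post, and not Atomicorp's code): a short Python triage that runs the pattern from the log entry over a constructed, shortened copy of the blocked request to find which query parameter satisfies rule 340165. It assumes the rule URL-decodes and lowercases REQUEST_URI before matching, as the logged data suggests; `SAMPLE_URI`, `normalise` and `triggering_params` are names introduced here.

```python
import re
from urllib.parse import unquote_plus

# Pattern copied verbatim from the audit log entry for rule 340165.
RULE_340165 = re.compile(r"=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://")

# Constructed sample: a shortened form of the blocked request that keeps
# the parameters carrying paths, URLs or markup.
SAMPLE_URI = (
    "/reserves/459?errors=yes&basehref=%2Freserves%2F459%2F"
    "&reserve_name=Loch+of+the+Lowes"
    "&blog_link=http%3A%2F%2Fblogs.scottishwildlifetrust.org.uk%2Fosprey%2F"
    "&webcam_link=%2Fthings-to-do%2Fwildlife-webcams%2Floch-of-lowes%2F"
    "&other_information=%3Ca+href%3D%22http%3A%2F%2Fscottishwildlifetrust"
    ".org.uk%2Fdocs%2F%22%3EClick+here%3C%2Fa%3E"
)


def normalise(text):
    """Assumed rule transformations: URL-decode, then lowercase."""
    return unquote_plus(text).lower()


def triggering_params(uri):
    """Return (parameter name, matched text) for each query parameter
    whose decoded name=value pair matches the rule pattern."""
    _, _, query = uri.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, _ = pair.partition("=")
        match = RULE_340165.search(normalise(pair))
        if match:
            hits.append((unquote_plus(name), match.group(0)))
    return hits


if __name__ == "__main__":
    for name, matched in triggering_params(SAMPLE_URI):
        print(f"{name}: matched {matched!r}")
```

On this sample only `blog_link` matches: its value begins with `http://` directly after the `=`, whereas the `href="http://…"` inside `other_information` has a quote between the `=` and the scheme. The rule inspects REQUEST_URI, so it only sees values sent in the query string of the request line.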