Atomic Secure Linux
 Post subject: Question about rule 390616
Posted: Thu Oct 13, 2011 4:31 pm
Forum Regular
Since October 1st I am receiving a ton of log messages (and people being blocked) about rule 390616:

Quote:
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "61"] [id "390616"] [rev "2"] [msg "Atomicorp.com WAF Rules: POST request must have a Content-Length header"] [severity "WARNING"] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS.


This seems to be triggered by my AJAX poller that, depending on if there is new data or not, sends back a 304 code (not modified) or the standard response if there is changed data.

What is this rule for exactly? I had to globally disable this rule to stop people from being banned.


 Post subject: Re: Question about rule 390616
Posted: Thu Oct 13, 2011 5:38 pm
Atomicorp Staff - Site Admin
I'm on the run to a dinner, so here's the RFC reference this relates to:

http://www.w3.org/Protocols/rfc2616/rfc ... l#sec14.13

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Question about rule 390616
Posted: Fri Oct 14, 2011 7:30 am
Forum Regular
I assume I can safely disable this rule. It also probably is not an ASL issue. The problem surfaced after I moved from Prototype JS to jQuery JS on October 1st.


 Post subject: Re: Question about rule 390616
Posted: Fri Oct 14, 2011 12:07 pm
Atomicorp Staff - Site Admin
Quote:
I assume I can safely disable this rule.


That depends on your applications. If they cannot be compromised by this header lacking (so they don't set their buffers correctly) then potentially. I wouldn't assume they can do that.

Quote:
It also probably is not an ASL issue. The problem surfaced after I moved from Prototype JS to jQuery JS on October 1st.


Correct. It's an OLD rule, so it's not anything we added recently. It's been there for years. This sounds like your application doesn't do things according to the RFC.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
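
Added example, not part of the thread and not Atomicorp's rule text: a ModSecurity 2.x sketch of the kind of check the log message describes, with the global disable from the first post set beside a narrower, per-endpoint exception. The rule id 1000001 and the path /ajax/poll are constructed placeholders; only the id 390616 and the rule file name come from the log line above.

```apache
# Constructed illustration. Rule id 1000001 and /ajax/poll are placeholders.

# 1) What a "POST must carry Content-Length" check looks like.
#    "&REQUEST_HEADERS:Content-Length" counts how many such headers the
#    request has, so "@eq 0" matches when the header is absent. This is the
#    "Operator EQ matched 0 at REQUEST_HEADERS" wording seen in the log.
SecRule REQUEST_METHOD "^POST$" \
    "id:1000001,phase:2,t:none,deny,status:403,log,severity:'WARNING',\
    msg:'POST request must have a Content-Length header',chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

# 2) Broad exception: removing the rule at server level drops the check for
#    every application on the host.
# SecRuleRemoveById 390616

# 3) Narrow exception: remove it only for the one endpoint the poller calls,
#    so every other URL is still checked. SecRuleRemoveById has to be read
#    after the rule it removes, i.e. after 10_asl_rules.conf is loaded.
<LocationMatch "^/ajax/poll$">
    SecRuleRemoveById 390616
</LocationMatch>
```

The narrow form only limits where the check is missing; per the last reply, the request the client sends is still the part that does not follow the RFC.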

