10_asl_rules blocking mobile Java requests

rhopek
Forum User
Posts: 7
Joined: Mon Jul 25, 2011 5:15 pm
Location: Atlanta

10_asl_rules blocking mobile Java requests

Unread post by rhopek »

We have a customer that has a mobile application. Everything was working fine until we deployed mod_security with Atomicorp rules. The audit log is as follows:

---
--d240b57d-B--
POST /servlet/put HTTP/1.1
User-Agent: Profile/MIDP-1.0 Configuration/CLDC-1.0 UNTRUSTED/1.0
Content-Type: multipart/form-data; boundary=hmConsultants
Host: xxxxxxxxxx.org
Transfer-Encoding: chunked
Connection: Keep-Alive

--d240b57d-I--
dir=baghdad
--d240b57d-F--
HTTP/1.1 403 Forbidden
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1

--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Dis-allowed Transfer Encoding - modsecurity does not support this encoding and can not detect attacks using it, therefore it must be blocked."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1312096261909606 174844 (174338* 174534 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache

--d240b57d-Z--
---

The customer reports they have tried a multitude of encoding mechanisms after seeing this in their logs, but cannot seem to get around it. Any thoughts? Could it be that "boundary" variable in the content-type?

Thx.
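
Pulling the rule id, rules file and matched variable out of an audit event like the one above, as an added example that is not part of the original post or of Atomicorp's tooling. The function names and the trimmed sample event are assumptions made for illustration.

```python
import re

# Constructed sample: sections B and H of the event quoted above, headers and msg trimmed.
SAMPLE = """--d240b57d-B--
POST /servlet/put HTTP/1.1
Transfer-Encoding: chunked

--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Dis-allowed Transfer Encoding"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--d240b57d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--$")   # e.g. --d240b57d-H--
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "340001"] style pairs
TARGET = re.compile(r'against "([^"]+)"')                  # variable the rule inspected

def split_events(text):
    """Return {event_id: {section_letter: [lines]}} for a serial audit log."""
    events, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = events.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return events

def summarize(text):
    """One dict per 'Message:' line in section H, joined with the request line from B."""
    out = []
    for event_id, parts in split_events(text).items():
        request = next((l for l in parts.get("B", []) if l), "")
        blocked = any(l.startswith("Action: Intercepted") for l in parts.get("H", []))
        for line in parts.get("H", []):
            if not line.startswith("Message: "):
                continue
            row = {"event": event_id, "request": request, "blocked": blocked}
            row.update(META.findall(line))      # adds file, line, id, rev, msg, severity
            t = TARGET.search(line)
            row["target"] = t.group(1) if t else None
            out.append(row)
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["event"], row["id"], row["target"], row["request"], sep=" | ")
```
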
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: 10_asl_rules blocking mobile Java requests

Unread post by mikeshinn »

If you are using modsecurity 2.6, you can disable this rule.
rhopek
Forum User
Posts: 7
Joined: Mon Jul 25, 2011 5:15 pm
Location: Atlanta

Re: 10_asl_rules blocking mobile Java requests

Unread post by rhopek »

We are using "mod_security-2.5.13-1.el5.art" from your site.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: 10_asl_rules blocking mobile Java requests

Unread post by mikeshinn »

You're a little behind and need to upgrade. 2.6.1 has been available in atomic channel for at least a week, so make sure you upgrade.
rhopek
Forum User
Posts: 7
Joined: Mon Jul 25, 2011 5:15 pm
Location: Atlanta

Re: 10_asl_rules blocking mobile Java requests

Unread post by rhopek »

Thanks. Done.

Just waiting to hear back from that customer to see if it fixed their issue.

Out of curiosity, why does 2.6 allow that rule to be disabled?

Thx.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: 10_asl_rules blocking mobile Java requests

Unread post by mikeshinn »

That encoding type is supported.
rhopek
Forum User
Posts: 7
Joined: Mon Jul 25, 2011 5:15 pm
Location: Atlanta

Re: 10_asl_rules blocking mobile Java requests

Unread post by rhopek »

That did get that portion through (thanks), but now he's failing on:

---
msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"
---

This is a mobile MIDP Java application connecting, and no matter what he tries, he cannot get it to send a Content-Length header. He spent all night trying to do it.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: 10_asl_rules blocking mobile Java requests

Unread post by mikeshinn »

We need a little more detail. Could you follow the process at the link below to provide the audit event for this?

https://www.atomicorp.com/wiki/index.ph ... _Positives