mod_security and false positive?

Discussion in 'Security' started by upsforum, Nov 27, 2013.

  1. upsforum

    I have this rule that blocks any IP of my customer, but is it a false positive? I don't understand what it does.

    Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
     
  2. upsforum

    These are the actions that trigger this modsec rule:


    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"

    Is PROPFIND for the WebDAV service? Is it normal that modsec blocks these requests?
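
Added example (not part of the original thread, and not cPanel or ModSecurity code): a small Python triage script that applies the method allow-list regex from the rule 960032 message above to access-log lines and counts which clients and methods fail it. The function names and the three extra log lines are constructed for illustration.

```python
import re
from collections import Counter

# Method allow-list regex copied from the rule 960032 message quoted in the thread.
ALLOWED_METHOD = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")

# Common/combined log format: client, two ident fields, timestamp, quoted request line.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"')


def request_method(request_line):
    """Return the method token, or None for an empty or "-" request line."""
    parts = request_line.split()
    if not parts or parts[0] == "-":
        return None
    return parts[0]


def denied_by_method_policy(lines):
    """Count (client, method) pairs whose method fails the allow-list.

    Mirrors the logic in the rule message: a request is denied when
    REQUEST_METHOD does NOT match the regex. Lines without a usable
    request line are returned separately instead of being guessed at.
    """
    denied, unparsed = Counter(), []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        method = request_method(m.group("request")) if m else None
        if method is None:
            unparsed.append(line)
        elif not ALLOWED_METHOD.match(method):
            denied[(m.group("client"), method)] += 1
    return denied, unparsed


# First two lines are from the thread; the last three are constructed for contrast.
SAMPLE = [
    '37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"',
    '37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"',
    '192.0.2.10 - - [27/Nov/2013:11:19:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [27/Nov/2013:11:19:02 +0100] "POST /contact.php HTTP/1.1" 200 128 "-" "-"',
    '192.0.2.11 - - [27/Nov/2013:11:19:03 +0100] "-" 408 - "-" "-"',
]

if __name__ == "__main__":
    denied, unparsed = denied_by_method_policy(SAMPLE)
    for (client, method), count in denied.most_common():
        print(f"{client} {method} x{count} -> outside the allow-list")
    print(f"{len(unparsed)} line(s) had no usable request line")
```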
     