ModSecurity Question...

I am monitoring the error logs on one of our servers and an entry that I keep seeing looks serious... and I just wanted to check with you guys if there is anything going on here and if there is anything that we should be doing to stop this. Here is the entry:

[Thu Aug 06 18:30:54 2009] [error] [client 122.162.154.231] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "v___s.com.au"] [uri "/"] [unique_id "8CiXEXZ-DmgAACbYkXkAAAAR"]

Thanks.

 

Ah great, nothing to fix!

@Spiral - Thanks for that information.

 

Back to this...

This site has a rss feed (xml file) that keeps causing a 406 error. I added a catch page for this error and the details are forwarded to me. There is never a user-agent associated with the requests on this file (well once it was iTMS). So I can't really tell what the user is trying to view the feed with...

I can't replicate the situation, actually seeing this error 406 page, so I can't see if these viewers are atcually seeing the feed or podcasts.

I don't want to turn the filter off, but is there a way to set the filter to allow requests on .xml files (when "Request Missing an Accept Header") in the .htaccess file?

Thanks!

 

Thanks Spiral,

I have tried using SecFilterEngine Off in the in the .htaccess file, but this seems to have no affect (doesn't seem to turn the filter off).

Is there another way?