mod_security and false positive?

upsforum

• November 27, 2013 04:22

I have this rule that block any ip of my customer, but is a false positive? I don't understand what do it Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"> [line "38"> [id "960032"> [msg "Method is not allowed by policy"> [severity "CRITICAL"> [tag "POLICY/METHOD_NOT_ALLOWED">

• 

  upsforum

  • November 27, 2013 09:36

  These are actions that trig this rule of modsec: 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-" 37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-" PROPFIND is for webdav service? is normally that modsec block these requests?

  0

Please sign in to leave a comment.