What is this mod_security rule trying to prevent?

Question

Today my IP was blocked by my server. I was told it was because of a mod_security rule that got triggered. I'm told that the regex that got triggered was

^((?:(?:POS|GE)T|OPTIONS|HEAD))

I don't know much about mod_security and was told

If the regex ^((?:(?:POS|GE)T|OPTIONS|HEAD)) is found on any of the scripts on your account, mod_security will trigger and block access from that IP to the server.

What exactly is this regular expression in mod_security looking to prevent?

I have run many of the files that I have uploaded to the server through this regex and didn't get any matches yet. I would like to know what this trying to accomplish so I can figure out, maybe, what caused the blocking and prevent it in the future.

By the way, people who write regexes like `(?:POS|GE)T` instead of `^(POST|GET|OPTIONS|HEAD)` are being too clever at the expense of readability. — Dennis Williamson, Feb 14 '11 at 14:21

score 4 · Accepted Answer · answered Feb 14 '11 at 13:12

4

It refuses requests that are not using one of the accepted methods HEAD, GET, POST or OPTIONS. If you say, tried a WebDAV DELETE statement or something, it would then block that.

answered Feb 14 '11 at 13:12

Øyvind Selbek

56
1

What is this mod_security rule trying to prevent?

1 Answers1