Edy | 1 Jan 13:42

Re: ModSecurity 2.0, A Core Rule Set and Console available

That is definitely good news.

I have just set up Mod Security 2.0 on Apache 2.0.5 as a reverse proxy 
for all my internal web servers.

So far it has been working well with the core rule set. I am slowly 
migrating bigger sites behind the reverse proxy and monitoring the performance.

Cheers,
Edy

David Roman Esteban wrote:
> Ofer Shezaf wrote:
>> We still haven't decided, I guess it depends on how many people need it. Do
>> you plan to move to Apache 2.x? 
>>
> If cpanel and the other web-hosting control panel move to apache 2.X.... 
> otherwise some of us are tied to 1.3 branch
>>>> security engine, but it requires rules to actually provide protection.
>>> The

Edy | 1 Jan 16:07

Request Missing an Accept Header

Good Day,

ModSecurity for Apache 2.0.3 configured - Apache/2.0.52 (Reverse Proxy mode)

I am getting the following false positive

--659c8e00-A--
[01/Jan/2007:22:36:09 +0800] iNdC-X8AAAEAABivBzUAAAAD 220.255.82.33 
10898 10.10.10.21 80
--659c8e00-B--
POST /forums/twuadmincp/options.php?do=dooptions HTTP/1.1
Host: www.bigboyfish.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) 
Gecko/20040804 Netscape/7.2 (ax)
Accept: 
application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: 
http://www.bigboyfish.com/forums/twuadmincp/options.php?do=options&dogroup=%5Ball%5D
Cookie: bblastactivity=0; bblastvisit=1167649725; 
bbsessionhash=5eafadae3c213bcad5b5ec9d91753702; 
bbcpsession=6a31bcb1e21e0c53b241e94187a81ee9; bbuserid=1; 
bbpassword=7ef119d7eb092bffd4f4777c81ccfda5; 
bbforum_view=62f6e2562865716394e93faf2db94b56a-1-%7Bi-193_i-1167662004_%7D
Content-Type: application/x-www-form-urlencoded
Content-Length: 11170

Edy | 1 Jan 19:15

Meta Characters

Good Day,

I would like to know how you guys deal with Meta Characters, for example "%"

User posted a message on a forum with a bunch of %20 %5 %21

Of course that triggers an alarm/block in the provided CORE rule set

Access denied with code 500 (phase 2). Pattern match 
"(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at ARGS:email. [id "50905"] [msg 
"SQL Injection Attack"] [severity "WARNING"]
Action: Intercepted (phase 2)

How do you guys relax this false positive?

Cheers,
Edy

Ofer Shezaf | 1 Jan 21:07

Re: Meta Characters


The short answer is that this rule was removed in the latest version of the core rule set (1.2) and I recommend upgrading.

A longer one will wait till I write on a computer and not a blackberry.

~ Ofer

-----Original Message-----
From: mod-security-users-bounces <at> lists.sourceforge.net
To: mod-security-users <at> lists.sourceforge.net
Sent: Mon Jan 01 13:15:48 2007
Subject: [mod-security-users] Meta Characters

Good Day,

I would like to know how you guys deal with Meta Characters, for example "%"

User posted a message on a forum with a bunch of %20 %5 %21

Of course that triggers an alarm/block in the provided CORE rule set

Access denied with code 500 (phase 2). Pattern match 
"(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at ARGS:email. [id "50905"] [msg 
"SQL Injection Attack"] [severity "WARNING"]
Action: Intercepted (phase 2)

How do you guys relax this false positive?

Cheers,
Edy

Ofer Shezaf | 1 Jan 21:09

Re: Request Missing an Accept Header


Indeed strange. I will look into it.

~ Ofer

-----Original Message-----
From: mod-security-users-bounces <at> lists.sourceforge.net
To: mod-security-users <at> lists.sourceforge.net
Sent: Mon Jan 01 10:07:37 2007
Subject: [mod-security-users] Request Missing an Accept Header

Good Day,

ModSecurity for Apache 2.0.3 configured - Apache/2.0.52 (Reverse Proxy mode)

I am getting the following false positive

--659c8e00-A--
[01/Jan/2007:22:36:09 +0800] iNdC-X8AAAEAABivBzUAAAAD 220.255.82.33 
10898 10.10.10.21 80
--659c8e00-B--
POST /forums/twuadmincp/options.php?do=dooptions HTTP/1.1
Host: www.bigboyfish.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) 
Gecko/20040804 Netscape/7.2 (ax)
Accept: 
application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Danett song | 2 Jan 06:25

A bunch of doubts (new user)

Hi there,

First of all, happy new year to all of you!

I found the mod_security project by accident and loved its idea, so I intend to use it in my job. I have a small farm of web servers and I intend to use a web firewall server in front of my farm running apache + mod_security + mod_proxy. However, I have a few questions; if some more experienced user can help me, that would be nice.

1 - I have seen a version 2 announced. Is it stable enough to run in production systems? Based on my needs, do you think it is better to use version 1.X or 2.x? Why?

2 - Is there any document showing performance statistics with mod_security and without? And with mod_security + mod_proxy? Speaking of performance, which is better: mod_security 1.X and Apache 1.x, or mod_security 2.x and apache 2.x?

3 - Do the default rules from mod_security grab most attacks of SQL injection, XSS, XPath attack, file inclusion, evasion attacks, etc. (in a generic fashion, for example able to detect 0day attacks and not only the ones in scripts already published in the security community to be flawed)?

4 - Based on question (3), is there a list of attacks it can't detect, or methods that can be used to detect it? Do the same default rules tend to generate false positives (or are the default rules extensively tested and RARELY generate a false positive)? How? In what common cases? Are there any statistics?

5 - Based on documentation I found on the internet, I have seen that it logs all events to syslog, correct? Is it possible to log all these events into a MySQL database? If yes, how? Any tutorial link?

6 - Any tutorial link that can help me configure my firewall in an appropriate way with apache + mod_security + mod_proxy?

7 - Is there any documentation or tricks to enhance the performance of this environment?

At the moment, that's all.

Note: I'm starting to read the documentation available at the mod_security website; I hope it helps me.

Thank you a lot.

Cheers

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Edy | 2 Jan 06:37

Re: Meta Characters

Hi Ofer,

Happy new year and thank you for your prompt response.

I have just tested the new CORE rule and it triggers the XSS regex (false 
positive)

--0d7f1210-A--
[02/Jan/2007:13:31:17 +0800] CgadCX8AAAEAACFEKccAAAAe 203.117.33.23 8545 
10.10.10.21 80
--0d7f1210-B--
POST /forums/newreply.php?do=postreply&t=268913 HTTP/1.1
Host: www.freshwater.com
Connection: keep-alive
Cookie: btime=19219; bblastvisit=1165713210; bblastactivity=0; 
bbuserid=19219; bbpassword=61d6f84da582581bccb204e03596c417; 
bbsessionhash=a91927159480beb3a6c408f3b230a76e;

bbthread_lastview=1a112a854f1ae30228df8319cc6db6dfa-25-%7Bi-268965_i-1167713045_i-268913_i-1167715870_i-263436_i-1167675407_i-268985_i-1167702250_i-268964_i-1167701276_i-268744_i-1167702020_i-268789_i-1167702213_i-268959_i-1167703133_i-266048_i-1167703528_i-268976_i-1167702344_i-268890_i-1167703642_i-268994_i-1167703480_i-268997_i-1167703951_i-269001_i-1167704960_i-269010_i-1167709080_i-269016_i-1167711501_i-268815_i-1167713992_i-269018_i-1167713070_i-268862_i-1167713404_i-269023_i-1167715477_i-269024_i-1167714769_i-269026_i-1167715811_i-268790_i-1167713817_i-269028_i-1167714942_i-268882_i-1167715517_%7D; 
bbforum_view=a784c00daf6818b3795904c2595a4dcfa-1-%7Bi-33_i-1167701054_%7D; 
voted=no
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-powerpoint, 
application/vnd.ms-excel, application/msword, */*
Referer: http://www.freshwater.com/forums/newreply.php?do=newreply&p=4878782
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 
2.0.50727)
Content-Length: 840
Pragma: no-cache
X-Forwarded-For: 203.116.221.4
Via: 1.0 sbproxy1 (NetCache NetApp/5.5R6)

--0d7f1210-C--
title=&message=%3CP%3E%5Bquote%3Ddesmondpeh%3B4878782%5DNGT+must+get+smaller+than+the+rest+as+its+more+aggressive+than+NTT+and+IT.+ST+still+a+little+chance+to+fend+off.+%3CIMG+class%3Dinlineimg+title%3DSmilie+alt%3D%22%22+src%3D%22images%2Fsmilies%2Fsmile.gif%22+border%3D0+smilieid%3D%221%22%3E%5B%2Fquote%5D%3C%2FP%3E%0D%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0D%0A%3CP%3Eyup%2C+my+NGT+is+a+lil+fella+but+realli+aggressive...%3CIMG+alt%3D0+src%3D%22http%3A%2F%2Fwww.freshwater.com%2Fforums%2Fimages%2Fsmilies%2Ftongue.gif%22+border%3D0+smilieid%3D%226%22%3E%26nbsp%3B+but+stable+down+liao%2C+so+quite+cute+oso...%3C%2FP%3E&wysiwyg=1&iconid=0&s=&do=postreply&t=268913&p=4878782&posthash=85625712871192492456c0645cb6b0b9&poststarttime=1167715882&loggedinuser=19219&multiquoteempty=&sbutton=Submit+Reply&signature=1&parseurl=1&emailupdate=0&rating=0
--0d7f1210-F--
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/4.4.0
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Location: 
http://www.freshwater.com/forums/showthread.php?p=4878801&posted=1#post4878801
Content-Length: 0
Content-Type: text/html; charset=ISO-8859-1
Via: 1.1 www.freshwater.com

--0d7f1210-H--
Message: Warning. Pattern match
"(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|

[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:|@import)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\\b)" 
at ARGS:message. [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] 
[severity "CRITICAL"]
Apache-Handler: proxy-server
Stopwatch: 1167715876642057 358359 (1224* 20218 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--0d7f1210-Z--

Thanks,
Edy

Ofer Shezaf wrote:
> The short answer is that this rule was removed in the latest version of the core rule set (1.2) and I recommend upgrading.
>
> A longer one will wait till I write on a computer and not a blackberry.
>
> ~ Ofer
>
>
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net
> To: mod-security-users <at> lists.sourceforge.net
> Sent: Mon Jan 01 13:15:48 2007
> Subject: [mod-security-users] Meta Characters
>
> Good Day,
>
> I would like to know how you guys deal with Meta Characters, for example "%"
>
> User posted a message on a forum with a bunch of %20 %5 %21
>
> Of course that triggers an alarm/block in the provided CORE rule set
>
> Access denied with code 500 (phase 2). Pattern match 
> "(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at ARGS:email. [id "50905"] [msg 
> "SQL Injection Attack"] [severity "WARNING"]
> Action: Intercepted (phase 2)
>
> How do you guys relax this false positive?
>
> Cheers,
> Edy
>
>
>

Edy | 2 Jan 06:59

PHP source code leakage and ASP/JSP source code leakage

Hi,

Any idea on the following false positives?

Thanks,
Edy

--74320a29-A--
[02/Jan/2007:13:00:36 +0800] nE8dMH8AAAEAACAPNL4AAAAm 121.6.43.88 1138 
10.10.10.21 80
--74320a29-B--
GET /forums/index.php HTTP/1.1
Accept: */*
Referer: http://www.freshwater.com/forums/forumdisplay.php?f=10
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 
FunWebProducts-MyWay; .NET CLR 1.1.4322)
Host: www.freshwater.com
Connection: Keep-Alive
Cookie: btime=11521; vbcodemode=1; bblastvisit=1162199969; 
bblastactivity=0; bbuserid=11521; 
bbpassword=de3b9990c699167e19d80a3c511e5a12; bblastvisit=1139361597; 
bblastactivity=1139638200; bbuserid=11521; 
bbpassword=de3b9990c699167e19d80a3c511e5a12; bbstyleid=5; 
bbsessionhash=420418c73e81eabe3ed420848fb89b64; 
bbthread_lastview=d292388f013bcfbebf17c267e380dea1a-11-%7Bi-267821_i-1167712013_i-268985_i-1167711985_i-268994_i-1167710660_i-268592_i-1167713225_i-269006_i-1167707884_i-265325_i-1167707003_i-266048_i-1167711167_i-268444_i-1167711879_i-268790_i-1167713817_i-269024_i-1167713939_i-268958_i-1167714025_%7D

--74320a29-F--
HTTP/1.1 200 OK
Allow: TRACE
Connection: close
Content-Type: text/html; charset=iso-8859-1

--74320a29-H--
Message: Access denied with code 501 (phase 4). Match of "rx
\\b(?:(?:i(?:nterplay|hdr|d3)|(?:(?:ex|jf)i|%pd)f|m(?:ovi|thd)|r(?:ar!|iff)|f(?:lv|ws)|varg|.ra|cws)\\b|gif)" 
against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code 
leakage"] [severity "WARNING"]
Action: Intercepted (phase 4)
Apache-Handler: proxy-server
Stopwatch: 1167714035899696 337094 (770 5918 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--74320a29-Z--

--b199ee5c-A--
[02/Jan/2007:13:10:55 +0800] wT1Oin8AAAEAACCpBjgAAAAG 220.255.38.109 
1401 10.10.10.21 80
--b199ee5c-B--
GET /forums/showthread.php?t=268941&page=6 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, */*
Referer: http://www.freshwater.com/forums/showthread.php?t=268941&page=8
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: www.freshwater.com
Connection: Keep-Alive
Cookie: btime=3466; vbulletin_collapse=; voted=no; 
bbsessionhash=1d1be9018787abeee603ff0fbe329427; bblastvisit=1167711671; 
bblastactivity=0; bbuserid=3466; 
bbpassword=f1806205027607bad8caa4d448de29e8; 
bbthread_lastview=2898529ad269c5366d410be3dbc36359a-4-%7Bi-268941_i-1167714676_i-268972_i-1167705122_i-264894_i-1167714314_i-268888_i-1167649752_%7D

--b199ee5c-F--
HTTP/1.1 200 OK
Allow: TRACE
Connection: close
Content-Type: text/html; charset=iso-8859-1

--b199ee5c-H--
Message: Access denied with code 501 (phase 4). Match of "rx
\\b(?:(?:i(?:nterplay|hdr|d3)|(?:(?:ex|jf)i|%pd)f|m(?:ovi|thd)|r(?:ar!|iff)|f(?:lv|ws)|varg|.ra|cws)\\b|gif)" 
against "RESPONSE_BODY" required. [id "970903"] [msg "ASP/JSP source 
code leakage"] [severity "WARNING"]
Action: Intercepted (phase 4)
Apache-Handler: proxy-server
Stopwatch: 1167714655489674 267096 (812 6442 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--b199ee5c-Z--

Edy | 2 Jan 07:18

The regular expression does not match the test subject - "PHP Injection Attack"

Hi,

Since this request was flagged down by ModSec, I took the regex and 
compared it with the subject, but it did not match the regex. So why is the user 
request flagged?

Regex: 
(?:(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\$_(?:(?:pos|ge)t|session))\\b|<\\?)

Data: 
subject=Clearing+5ft+%26+4ft+Tanks&message=%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EClearing+the+following+5ft+cabinet+tank+%26amp%3B+4ft+bare+tank+with+WI+stand%3A%3C%3Fxml%3Anamespace+prefix+%3D+o+ns+%3D+%22urn%3Aschemas-microsoft-com%3Aoffice%3Aoffice%22+%2F%3E%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3Co%3Ap%3E%3CFONT+face%3DArial+size%3D3%3E%26nbsp%3B%3C%2FFONT%3E%3C%2Fo%3Ap%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E%3CU%3ETank+Set+A+and+Tank+Set+B%3C%2FU%3E%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E5+x+2%BD+x+2%BD+12mm+cabinet+tank%3
 Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+st
 yle%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EChenggai+wood+structure%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E4+x+1%BD+x+1%BD+sump+tank%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3pc+glass+covers%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3+sides+blue+%26amp%3B+bottom+black+oyama%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3ENo+filter%2Fair+pump%2C+media+%26amp
 %3B+light%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DM
 soNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EUsed+for+2yr%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EBuyer+to+provide+delivery%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EPrice+%24650+each+set%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3Co%3Ap%3E%3CFONT+face%3DArial+size%3D3%3E%26nbsp%3B%3C%2FFONT%3E%3C%2Fo%3Ap%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E%3CU%3ETank+Set+C+and+Tank+Set+D%3C%2FU%3E%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2
 FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFO
 NT+size%3D3%3E%3CFONT+face%3DArial%3E4+x+2%BD+x+2+12mm+bare+tank+with+central+and+all+round+euro-bracing%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E52%BD+x+30+x+44%94+WI+stand+%282%94+frame%29%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3pc+glass+covers%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3+sides+%26amp%3B+bottom+blue+oyama%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3ENo+filter%2Fair+pump
 %2C+media+%26amp%3B+light%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%
 0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EUsed+for+8mth%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EBuyer+to+provide+delivery%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EPrice+%24330+each+set%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3Co%3Ap%3E%3CFONT+face%3DArial+size%3D3%3E%26nbsp%3B%3C%2FFONT%3E%3C%2Fo%3Ap%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E%3CU%3ETank+Set+E%3C%2FU%3E%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C
 %2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3C
 FONT+size%3D3%3E%3CFONT+face%3DArial%3ETop+tank+%96+4+x+2+x+2+10mm+bare+tank+with+central+and+all+round+euro-bracing%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EBottom+tank+%96+4+x+2+x+1%BD+10mm+bare+tank+with+central+and+all+round+euro-bracing%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E51%BD+x+24+x+41%94+WI+stand+%281%BD%94+frame%29%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3pc+glass+covers+for+both+tanks%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0
 cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3E3+sides+%26amp%3B+bottom+black+o
 yama%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3ENo+filter%2Fair+pump%2C+media+%26amp%3B+light%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EUsed+for+15mth%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EBuyer+to+provide+delivery%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EPrice+%24150%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+
 0pt%22%3E%3Co%3Ap%3E%3CFONT+face%3DArial+size%3D3%3E%26nbsp%3B%3C%2FFONT%3E%3C%2Fo%3Ap%3E%
 3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EPlease+PM+or+call%2FSMS+me+at+9686+4259+to+deal.%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EViewing%2Fcollection+at+Sembawang+Drive.%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP+class%3DMsoNormal+style%3D%22MARGIN%3A+0cm+0cm+0pt%22%3E%3CFONT+size%3D3%3E%3CFONT+face%3DArial%3EThank+you.%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0D%0A%3CP%3E%3C%2FP%3E&wysiwyg=1&iconid=0&s=&f=10&do=postthread&posthash=b49bb166f2b0cb4c764078e13388ee62&poststarttime=1167718251&loggedinuser=8805&sbutton=Submit+New+Thread&parseurl=1&emailupdate=1&polloptions=4

I am using Regex Buddy for the comparison

Thanks,
Edy
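
Replaying a logged rule pattern against a request the way the rule sees it, for the alerts in the "Meta Characters" post and the "PHP Injection Attack" post above. This is an added example, not part of any message in the thread and not ModSecurity code; it assumes the rule inspects URL-decoded parameter values (the alerts name `ARGS:email` and `ARGS:message` as targets), the request bodies are shortened or constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Patterns exactly as printed in the alerts on this page. The log escapes
# backslash as \\ and double quote as \", so they are not yet usable regexes.
LOGGED_50905 = r'''(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)'''
LOGGED_PHP = (
    r'(?:(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)'
    r'|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)'
    r'|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)'
    r'|\\$_(?:(?:pos|ge)t|session))\\b|<\\?)'
)

# Shortened excerpt of the request body posted above (first paragraph of the
# Word-generated HTML only; attributes and later paragraphs are cut).
PHP_BODY = (
    "subject=Clearing+5ft+%26+4ft+Tanks&message=%3CP+class%3DMsoNormal%3E"
    "Clearing+the+following+5ft+cabinet+tank+%26amp%3B+4ft+bare+tank+with+WI+stand"
    "%3A%3C%3Fxml%3Anamespace+prefix+%3D+o+ns+%3D+%22urn%3Aschemas-microsoft-com"
    "%3Aoffice%3Aoffice%22+%2F%3E%3Co%3Ap%3E%3C%2Fo%3Ap%3E%3C%2FP%3E&wysiwyg=1"
)

# Constructed benign body for the rule 50905 alert at ARGS:email.
EMAIL_BODY = "email=alice%40example.test&comment=50%25+off"


def unescape_logged_pattern(logged):
    """Undo the log escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(["\\])', r'\1', logged)


def decoded_args(body):
    """Parse a form-urlencoded body into decoded parameter values."""
    # ISO-8859-1 is the charset the forum declares in its responses above.
    return dict(parse_qsl(body, keep_blank_values=True, encoding="iso-8859-1"))


def first_hit(pattern, value):
    """Return (offset, matched_text) of the leftmost match, or None."""
    m = re.search(pattern, value)
    return None if m is None else (m.start(), m.group(0))


def replay(logged_pattern, body):
    """Test a logged pattern against the raw body and each decoded argument."""
    rx = unescape_logged_pattern(logged_pattern)
    hits = {}
    for name, value in decoded_args(body).items():
        hit = first_hit(rx, value)
        if hit is not None:
            hits[name] = hit
    return {"raw_body": first_hit(rx, body), "args": hits}


if __name__ == "__main__":
    # Raw body: no hit, which is what a regex tester shows for the pasted data.
    # Decoded ARGS: the "<\?" branch fires on "<?xml:namespace" in the message.
    print("PHP rule :", replay(LOGGED_PHP, PHP_BODY))
    # The character class alone flags any address ("@") or percent sign.
    print("50905    :", replay(LOGGED_50905, EMAIL_BODY))
    # Used as logged (not unescaped), "<\\?" means "<" plus an optional
    # backslash, so it hits the first tag for the wrong reason.
    print("as logged:", first_hit(LOGGED_PHP, decoded_args(PHP_BODY)["message"]))
```
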

--6f86177d-A--
[02/Jan/2007:14:10:46 +0800] lynqu38AAAEAACOgEV8AAAAT 220.255.220.112 
2474 10.10.10.21 80
--6f86177d-B--
POST /forums/newthread.php?do=postthread&f=10 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, */*
Referer: http://www.freshwater.com/forums/newthread.php?do=newthread&f=10
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.freshwater.com
Content-Length: 7755
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: btime=8805; vbulletin_collapse=forumbit_5%0Ausercp_reputation; 
bblastvisit=1167131696; bblastactivity=0; bbuserid=8805; 
bbpassword=00287a2af09c209dcffdc86999a74482; voted=no; 
bbsessionhash=f5e59842fa5ed9a05491309c9a811603

--6f86177d-C--
--6f86177d-F--
HTTP/1.1 501 Method Not Implemented
Allow: TRACE
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6f86177d-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\$_(?:(?:pos|ge)t|session))\\b|<\\?)" at ARGS:message. [id "950013"] [msg "PHP Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1167718244543163 2009942 (1973917* 2009572 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--6f86177d-Z--
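
Added example (not part of the original post, and not ModSecurity project code): a small triage script for an audit-log entry like the one above. It splits the entry into its parts, reads the pattern, target variable and rule id from the Message line in part H, and re-runs the pattern over the named parameter to show which text matched. The log is constructed apart from the pattern and rule metadata; the function names are hypothetical, and it assumes the parameter arrived in the request body (part C) with no transformation applied before matching.

```python
import re
from urllib.parse import parse_qs

# Constructed log: same part layout as the post (A, C, H, Z). The pattern and rule
# metadata are copied from the post's part H; addresses, id and body are made up.
SAMPLE_LOG = r'''--aaaa0001-A--
[02/Jan/2007:14:10:44 +0800] CONSTRUCTED-ID 192.0.2.10 40000 192.0.2.20 80
--aaaa0001-C--
subject=Tank+for+sale&message=%3C%3Fxml%3Anamespace+prefix+%3D+o+%2F%3E%3CP%3EUsed+for+8mth%3C%2FP%3E&do=postthread
--aaaa0001-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\$_(?:(?:pos|ge)t|session))\\b|<\\?)" at ARGS:message. [id "950013"] [msg "PHP Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--aaaa0001-Z--
'''

PART = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$", re.M)

def split_parts(log):
    """Map part letter -> text for one audit-log entry."""
    marks = list(PART.finditer(log))
    parts = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(log)
        parts[cur.group(2)] = log[cur.end():end].strip("\r\n")
    return parts

def parse_message(part_h):
    """Extract pattern, target variable and rule metadata from the Message line."""
    # \s+ between tokens tolerates the line wrapping that mail clients introduce.
    m = re.search(r'Pattern match\s+"(.*)"\s+at\s+([A-Z_]+):(\w+)\.', part_h, re.S)
    meta = dict(re.findall(r'\[(\w+)\s+"([^"]*)"\]', part_h))
    # The log doubles each backslash; undo that to get the regex the engine ran.
    return m.group(1).replace("\\\\", "\\"), m.group(2), m.group(3), meta

def triage(log):
    """Return (rule id, variable, matched text or None) for an intercepted request."""
    parts = split_parts(log)
    pattern, collection, name, meta = parse_message(parts["H"])
    # Assumption: the argument came from the body (part C); latin-1 keeps
    # single-byte escapes such as %BD intact instead of replacing them.
    args = parse_qs(parts["C"], keep_blank_values=True, encoding="latin-1")
    hit = re.search(pattern, args[name][0])
    return meta["id"], f"{collection}:{name}", hit.group(0) if hit else None

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Knowing which branch of the pattern fired tells you whether the hit is markup the editor emits or an actual PHP function name, which is the information needed to decide how narrowly to scope an exception for that parameter.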

Edy | 2 Jan 07:34

feedback on gotroot and modsec core rule

Hi Everyone,

I would like to know your experiences with these two rule sets.

I am interested to find out which provides decent "out of the box" 
security with minimal false positives.

Thanks,
Edy
