Segfault request:

error_log:
[Wed Feb 12 10:28:30 2014] [notice] child pid 23102 exit signal Segmentation fault (11)

audit_log:
--ca2ca03c-A--
[12/Feb/2014:10:28:29 +0000] UvtMzAoFLh4AAFo@BrMAAAAG 10.5.21.207 44990 10.5.46.31 443
--ca2ca03c-B--
POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 587
Authorization: Basic V2ViYXBwOnF3ZXJ0xxxxxx==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app


request and response extracted from pcap:

POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 587
Authorization: Basic XXXXXXXXXXX==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app

{"channel":"TEST","currency":"GBP","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"N11 1GF","email":"test1392200959682@testing.com","address1":"1 street","address2":"London ","address3":null,"cardNumber":"111111111111111","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":22000,"address4":null, "billingCountry":"GB","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"3434","distributionCentre":"DC1","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}

HTTP/1.1 200 OK
Date: Wed, 12 Feb 2014 10:28:29 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Via: 1.1 payments.internal
Connection: close
Transfer-Encoding: chunked

a3
{"pareq":null,"acsUrl":null,"provider":"payments","extraReason":null,"reference":20064024,"returnCodeReason":"3DSecure is not supported","returnCodeResult":8}
0

------------------------

Succesful Request:


--3e626e6b-A--
[12/Feb/2014:10:28:19 +0000] UvtMwwoFLh4AAFo@BrAAAAAD 10.5.21.207 53914 10.5.46.31 443
--3e626e6b-B--
POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 582
Authorization: Basic XXXXXXXXXXX==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=DA37FA116A0EEAF11C7C2F9C3169DF30; $Path=/app

--3e626e6b-C--
{"channel":"TEST","currency":"USD","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"123456","email":"test1392200968248@testing.com","address1":"Address 1 content","address2":"Address 2 content","address3":null,"cardNumber":"1000000000000001","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":101250, "address4":null,"billingCountry":"AR","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"123","distributionCentre":"DC2","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}
--3e626e6b-F--
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Via: 1.1 payments.internal
Connection: close
Transfer-Encoding: chunked

--3e626e6b-E--

--3e626e6b-H--
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.test.com found within TX:1: www.netaporter.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]
Message: Warning. Pattern match "(.*)" at TX:990012-OWASP_CRS/AUTOMATION/MALICIOUS-REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: Jakarta Commons-HttpClient/3.1"]
Message: Warning. Pattern match "(.*)" at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: www.test.com"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=0, XSS=0): Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"]
Apache-Handler: proxy-server
Stopwatch: 1392200899114926 208719 (- - -)
Stopwatch2: 1392200899114926 208719; combined=52677, p1=26226, p2=26239, p3=7, p4=121, p5=83, sr=25902, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "DETECTION_ONLY"