[BULK] Re: [Modsecurity] Specific False Positive using SugarCRM
Steve Cox
Steve.Cox at mergermarket.com
Tue May 2 09:43:55 EDT 2006
Yes - I know - but the trigger was caused by a CRM user editing and
submitting a form for a customer called Meridian (picked up by the
meridian filter).
Now, with any such system, it could be triggered by just including a
spam sequence string in the form. So it is not a false positive in
general, but it is for this installation instance.
I cut/obfuscated some of the URL from the log - not ideal in such a
report, but necessary I'm afraid as it includes personal contact
details, phone numbers for a customer. But the URL is a post into the
CRM system with the appropriate details that have been entered by a user
locally.
That was why I was asking on the best way to identify the rule's id so I
can exclude it locally in this installation.
Thanks,
Steve
> -----Original Message-----
> From: modsecurity-bounces at gotroot.com [mailto:modsecurity-bounces at gotroot.com] On Behalf Of Daniel Segall
> Sent: 02 May 2006 14:27
> To: modsecurity at gotroot.com
> Subject: [BULK] Re: [Modsecurity] Specific False Positive using SugarCRM
> Importance: Low
>
>
> The log that you copied is a valid trigger for drug spam. This has
> nothing to do with the CRM itself.
>
> >mod_security-message: Access denied with code 500. Pattern match
> >"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>
> -Dan
>
>
> On 5/2/2006, "Steve Cox" <Steve.Cox at mergermarket.com> wrote:
>
> >Hi,
> >
> >I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
> >
> >The false positive looks something specific here so I'm looking to create a local exception of the format:
> >
> ><LocationMatch "/sugarcrm/index.php">
> > SecFilterRemove xxxxxx
> ></LocationMatch>
> >
> >But I don't know how to ascertain the rule number for the SecFilterRemove line.
> >
> >The reason for the false positive firing is that a user was entering CRM details on an account called something like: 'Meridian Inc'.
> >
> >The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
> >
> >The audit_log entry is:
> >
> >###################################################################
> >
> >
> >Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
> >Handler: (null)
> >----------------------------------------
> >POST /sugarcrm/index.php HTTP/1.1
> >Host: crm.mergermarket.com
> >User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
> >Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> >Accept-Language: en-gb,en;q=0.5
> >Accept-Encoding: gzip,deflate
> >Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >Keep-Alive: 300
> >Connection: keep-alive
> >Referer: https://crm.mergermarket.com/sugarcrm/index.php
> >Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%23contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
> >Content-Type: application/x-www-form-urlencoded
> >Content-Length: 992
> >mod_security-message: Access denied with code 500. Pattern match
> >"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
> >mod_security-action: 500
> >
> >992
> >module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id=xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&parent_name=&parent_id=&email1=&industry=&etcetcetc
> >
> >HTTP/1.1 500 Internal Server Error
> >Vary: Accept-Encoding
> >Content-Encoding: gzip
> >Content-Length: 342
> >Connection: close
> >Content-Type: text/html; charset=iso-8859-1
> >
> >###########################################################
> >
> >
> >Can someone point me in the way to determine the rule number so I can
> exclude this from the installation?
> >
> >Thanks,
> >--
> >
> >Steve
> >
> >
> >_______________________________________________
> >Modsecurity mailing list
> >Modsecurity at gotroot.com
> >http://lists.gotroot.com/mailman/listinfo/modsecurity
> >
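An added example, not code from the thread, from mod_security or from the gotroot rule set: a Python script that does the two things asked about above. It re-runs the logged pattern over the URL-decoded fields of the posted form to show which field the rule actually matched (the audit log names only the pattern and POST_PAYLOAD, not the field), then looks the pattern up in a rules file and pulls out the id: action that SecFilterRemove needs. The POST body is a cut-down, constructed copy of the one in the thread, the rules file is a constructed sample, the rule syntax assumed is the mod_security 1.x form SecFilterSelective LOCATION "regex" "actions" with the id in the quoted action list (as the gotroot rules are written), and the ids 300001/300002 are made up for the example.

```python
import re
from urllib.parse import parse_qsl

# Regex re-joined from the wrapped "Pattern match" line in the audit log above.
SPAM_PATTERN = (
    r"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline"
    r"|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+"
    r"[\w\-_.]*\.[a-z]{2,}"
)

# Constructed sample POST body, cut down from the thread's; the x's are the
# thread's own redactions, the field names are SugarCRM's Accounts form fields.
POST_BODY = (
    "module=Accounts&action=Save&name=Meridian+xxxxxxx"
    "&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&industry="
)

# Constructed rules file in mod_security 1.x syntax (assumed gotroot layout: the
# id: action sits in the quoted action list). The ids are made up for this example.
RULES_FILE = (
    "# constructed sample rules\n"
    "SecFilterSelective POST_PAYLOAD \"(casino|poker|roulette)\" "
    "\"id:300001,rev:1,severity:2,msg:'gambling spam'\"\n"
    "SecFilterSelective POST_PAYLOAD \"" + SPAM_PATTERN + "\" "
    "\"id:300002,rev:3,severity:2,msg:'drug spam'\"\n"
)


def matching_fields(body, pattern=SPAM_PATTERN):
    """Return (field, decoded value) pairs of the form body that `pattern` matches.

    The check runs on each URL-decoded value, since the module normalises the
    body before matching; this is what tells you which form field tripped the rule.
    """
    regex = re.compile(pattern)
    return [(name, value)
            for name, value in parse_qsl(body, keep_blank_values=True)
            if regex.search(value)]


def find_rule_id(rules_text, pattern):
    """Find the SecFilter/SecFilterSelective line carrying `pattern`; return its id.

    Returns None when no rule contains the pattern, or when the matching rule has
    no id: action, in which case SecFilterRemove has nothing to reference and the
    rule file itself has to be edited.
    """
    for line in rules_text.splitlines():
        words = line.split()
        if not words or words[0] not in ("SecFilter", "SecFilterSelective"):
            continue
        # A pattern containing double quotes is written escaped in the config.
        if pattern not in line.replace('\\"', '"'):
            continue
        m = re.search(r"\bid:(\d+)", line)
        return m.group(1) if m else None
    return None


def exception_snippet(location_regex, rule_id):
    """Render the per-location exception the thread is after."""
    return (
        f'<LocationMatch "{location_regex}">\n'
        f"    SecFilterRemove {rule_id}\n"
        "</LocationMatch>\n"
    )


if __name__ == "__main__":
    for field, value in matching_fields(POST_BODY):
        print(f"field {field!r} matched: {value}")
    rule_id = find_rule_id(RULES_FILE, SPAM_PATTERN)
    print(f"rule id: {rule_id}")
    if rule_id:
        print(exception_snippet("/sugarcrm/index.php", rule_id))
```

On the sample body only the website field matches: "meridia" followed by "nxxxxxx" and then ".xxxxxx" satisfies the trailing [\w\-_.]*\.[a-z]{2,} part, which the "Meridian xxxxxxx" name value (no dot) does not. In a real installation feed find_rule_id the concatenated contents of every rules file httpd.conf includes, because the audit log records the pattern but not the file it came from; a rule that carries no id: action cannot be targeted by SecFilterRemove at all.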