[BULK] Re: [Modsecurity] Specific False Positive using SugarCRM
Steve Cox
Steve.Cox at mergermarket.com
Tue May 2 09:47:49 EDT 2006
Thanks,
The thing is I would like to keep that rule in place, just ignore it if
submitted from that particular URL. The reason why is that I'm guessing
that there will be a large number of local false positives with such CRM
posts. If I can get these ignored for the posting URL specifically,
it'll be much better than dropping a lot of the spam protection from the
whole server.
Much appreciated.
> -----Original Message-----
> From: modsecurity-bounces at gotroot.com [mailto:modsecurity-
> bounces at gotroot.com] On Behalf Of Daniel Segall
> Sent: 02 May 2006 14:33
> To: modsecurity at gotroot.com
> Subject: [BULK] Re: [Modsecurity] Specific False Positive using SugarCRM
> Importance: Low
>
>
> I'm sorry, I just reread that... I see what you are saying.
>
> The rule that is being triggered is what I pasted. I usually just grep a
> piece of it in /etc/modsecurity, then vim that file and find/comment out
> the rule like:
> grep meridia /etc/modsecurity/*
> /etc/modsecurity/blacklist.conf:SecFilterSelective HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
>
> -Dan
>
>
> On 5/2/2006, "Daniel Segall" <dan at half-asleep.com> wrote:
>
> >
> >The log that you copied is a valid trigger for drug spam. This has
> >nothing to do with the CRM itself.
> >
> >>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
> >
> >-Dan
> >
> >
> >On 5/2/2006, "Steve Cox" <Steve.Cox at mergermarket.com> wrote:
> >
> >>Hi,
> >>
> >>I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
> >>
> >>The false positive looks something specific here so I'm looking to create a local exception of the format:
> >>
> >><LocationMatch "/sugarcrm/index.php">
> >> SecFilterRemove xxxxxx
> >></LocationMatch>
> >>
> >>But I don't know how to ascertain the rule number for the SecFilterRemove line.
> >>
> >>The reason for the false positive firing is that a user was entering CRM details on an account called something like: 'Meridian Inc'.
> >>
> >>The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
> >>
> >>The audit_log entry is:
> >>
> >>###################################################################
> >>
> >>
> >>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
> >>Handler: (null)
> >>----------------------------------------
> >>POST /sugarcrm/index.php HTTP/1.1
> >>Host: crm.mergermarket.com
> >>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
> >>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> >>Accept-Language: en-gb,en;q=0.5
> >>Accept-Encoding: gzip,deflate
> >>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >>Keep-Alive: 300
> >>Connection: keep-alive
> >>Referer: https://crm.mergermarket.com/sugarcrm/index.php
> >>Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%23contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
> >>Content-Type: application/x-www-form-urlencoded
> >>Content-Length: 992
> >>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
> >>mod_security-action: 500
> >>
> >>992
> >>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id=xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&parent_name=&parent_id=&email1=&industry=&etcetcetc
> >>
> >>HTTP/1.1 500 Internal Server Error
> >>Vary: Accept-Encoding
> >>Content-Encoding: gzip
> >>Content-Length: 342
> >>Connection: close
> >>Content-Type: text/html; charset=iso-8859-1
> >>
> >>###########################################################
> >>
> >>
> >>Can someone point me in the way to determine the rule number so I can exclude this from the installation?
> >>
> >>Thanks,
> >>--
> >>
> >>Steve
> >>
> >>
> >>_______________________________________________
> >>Modsecurity mailing list
> >>Modsecurity at gotroot.com
> >>http://lists.gotroot.com/mailman/listinfo/modsecurity
> >>
> >
>
> -Dan
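The thread's open question is how to reference the blacklist rule from a SecFilterRemove line when the rule as shipped carries no id. The configuration below is an added example written for this page; it is not the gotroot rule file, SugarCRM's own config, or anything posted by Dan or Steve. It uses the ModSecurity 1.x SecFilter* syntax seen in the thread. The rule id 300001 is a placeholder chosen here and must be replaced by one that does not collide with ids already used in the local rule set; the LocationMatch path is taken from the audit_log entry above.

```apache
# ModSecurity 1.x (SecFilter* directives, as in the thread).
# Added example, not the gotroot blacklist.conf or SugarCRM's own config.
# "300001" is a placeholder id chosen for this example.

# Server-wide defaults, as a rule with no action list would use them.
SecFilterDefaultAction "deny,log,status:500"

# The drug-spam blacklist rule quoted in the thread, now carrying an
# explicit id so SecFilterRemove has something to refer to. A rule that
# lists its own actions no longer takes them from SecFilterDefaultAction,
# so deny/log/status are repeated here to keep the original behaviour.
SecFilterSelective HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" "id:300001,deny,log,status:500"

# Only for the SugarCRM front controller that receives the account form
# (the POST target in the audit_log): drop this one rule. Inheritance stays
# on (the default), so every other filter still applies to this URL.
<LocationMatch "^/sugarcrm/index\.php$">
    SecFilterInheritance On
    SecFilterRemove 300001
</LocationMatch>
```

After reloading Apache, the same account save (name "Meridian ...", website www.meridian...) should return the application's normal response instead of a 500, while an identical payload posted to any other path still produces the "Access denied with code 500. Pattern match ..." line in the audit_log. That is the split Steve asks for: the spam rule stays active server-wide and is ignored only for the posting URL. Because the pattern is a plain substring match, any legitimate name that happens to contain one of the listed words will trip it in the same way, so the exception is best scoped to exactly the paths that accept free-text business data rather than to the whole application.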