[Modsecurity] Help with false positive please
Who Knows
quien-sabe at metaorg.com
Sun May 7 16:29:28 EDT 2006
Who Knows wrote:
> Who Knows wrote:
>> I attempted to reply to a PNphpBB2 forum message with the following
>> contents:
>> "the word from working in quick reply does it work here too?"
>> The audit record and rule are shown below.
>> It is easy to see why rule 300016 triggered, because any post reply
>> to the PNphpBB2 postnuke forum will trigger 300016 if it contains the
>> word or sequence of characters "from".
>>
>> What I don't understand is why it reached rule 300016 initially, since
>> rule 300015 chains to 300016. Doesn't that mean rule 300016 is only
>> evaluated if rule 300015 is a hit? Or am I simply mistaken?
>>
>> There is an exclusion in exclude.conf:
>> #PhpBB posting
>> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
>> SecFilterRemove 300013
>> </LocationMatch>
>>
>> I changed it to:
>> #PhpBB posting
>> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
>> SecFilterRemove 300013
>> SecFilterRemove 300016
>> </LocationMatch>
>>
>> And I am still getting the audit hits. I expect the LocationMatch
>> syntax isn't right, and I am continuing to test, but if anyone has
>> some words of wisdom I would appreciate it.
>> I already had to turn security off for one entire virtual host until
>> I resolve this issue.
> Okay, I found the answer to the LocationMatch issue (I think), but
> if my answer is correct many of the current exclusions are not working
> and we'll find it quite difficult to create precise exclusions.
> According to a post regarding LocationMatch in another problematic
> expression it was noted that, "<LocationMatch> directive does not look
> at the query string as part of the URL"; therefore the above and MANY
> other exclusions are not working.
>
Okay, I have the rule fixed for this instance using the rules.patch
below. The only problem is that I know there is at least one other
! uri that must be added. How are we going to manage these more complex
exclusions?
I again raise my objections to such a restrictive rule. If the part that
is currently:
|select.+from|
was changed to:
|[[:space:]]select[[:space:]].+[[:space:]]from[[:space:]]|
the exclusion URL above would at least require the two words to be in a
post before hitting.
The patch:
--- rules.conf.orig 2006-05-07 12:18:26.000000000 -0700
+++ rules.conf 2006-05-07 13:11:23.000000000 -0700
@@ -124,7 +124,7 @@
#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or
1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection
protection'"
SecFilterSelective ARGS
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
"id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
-SecFilterSelective REQUEST_URI "!(/forum/posting\.php)"
"chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
+SecFilterSelective REQUEST_URI
"!(/forum/posting\.php)|(/html/index\.php\?name=PNphpBB2&file=posting)"
"chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
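Review bot: in the new REQUEST_URI line the leading `!` is a ModSecurity 1.x operator that inverts the whole pattern, not just the first group, so the alternation does exclude both paths as intended; the intent reads more clearly, and is harder to break when the next URI is added, if both alternatives sit inside one group: `"!(/forum/posting\.php|/html/index\.php\?name=PNphpBB2&file=posting)"`. Both alternatives are also unanchored, so any request whose URI merely contains one of those strings is exempted from the ARGS check; anchoring with `^` keeps the exclusion limited to requests whose path actually starts with the forum posting script. Note that the `+` line breaks the single-line layout of the surrounding SecFilterSelective directives, so check that the line continuation survives when the patch is applied.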
regards for now,
ji
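The thread discusses two things at once: how the chained REQUEST_URI exclusion in the patch decides whether the ARGS check of rule 300016 runs at all, and whether the proposed `[[:space:]]select[[:space:]].+[[:space:]]from[[:space:]]` pattern reduces false positives. The following Python model, added here as an example and not code from the gotroot rules or from this poster, tests both on constructed inputs: the regexes are copied from the rules.conf excerpt above, `[[:space:]]` is translated to `\s` because Python's `re` lacks POSIX classes, the leading `!` is treated as a whole-pattern negation (my reading of the ModSecurity 1.x semantics), and per-value, case-insensitive matching of ARGS is an assumption. The sample URIs and message bodies are constructed, not taken from the audit log.

```python
import re

# Patterns copied from the rules.conf excerpt in the post. Python's re module has no
# POSIX bracket classes, so [[:space:]] is translated to \s (my translation, not part
# of the rules).
def posix_to_python(pattern):
    return pattern.replace("[[:space:]]", r"\s")

ARGS_CURRENT = posix_to_python(
    r"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)")
# The same list with the select/from branch replaced by the poster's proposed tightening.
ARGS_PROPOSED = posix_to_python(
    r"(insert[[:space:]]+into.+values|[[:space:]]select[[:space:]].+[[:space:]]from[[:space:]]"
    r"|bulk[[:space:]]+insert|union.+select)")

URI_ORIGINAL = r"!(/forum/posting\.php)"
URI_PATCHED = r"!(/forum/posting\.php)|(/html/index\.php\?name=PNphpBB2&file=posting)"


def uri_filter_matches(uri, uri_pattern):
    """Assumption: ModSecurity 1.x treats a leading '!' as an operator that inverts the
    result of the whole pattern, so the filter 'matches' when the URI is NOT excluded."""
    negate = uri_pattern.startswith("!")
    body = uri_pattern[1:] if negate else uri_pattern
    found = re.search(body, uri) is not None
    return found != negate


def rule_300016_fires(uri, args, uri_pattern=URI_PATCHED, args_pattern=ARGS_CURRENT):
    """Chained rule: the REQUEST_URI filter must pass before any ARGS value is inspected."""
    if not uri_filter_matches(uri, uri_pattern):
        return False
    # Assumption: each argument value is tested separately and case-insensitively.
    return any(re.search(args_pattern, value, re.IGNORECASE) for value in args.values())


def args_pattern_table(messages):
    """For each message, report (current pattern matches, proposed pattern matches)."""
    return {m: (re.search(ARGS_CURRENT, m, re.IGNORECASE) is not None,
                re.search(ARGS_PROPOSED, m, re.IGNORECASE) is not None)
            for m in messages}


# Constructed sample request: a PNphpBB2 reply whose body is ordinary forum text.
PNPHPBB_REPLY = "/html/index.php?name=PNphpBB2&file=posting&mode=reply&t=42"
REPLY_BODY = {"subject": "Re: themes", "message": "please select a theme from the list"}

SAMPLE_MESSAGES = [
    "the word from working in quick reply does it work here too?",
    "selection of items from the menu",
    "please select a theme from the list",
    "select * from users",
]

if __name__ == "__main__":
    for label, pat in (("original", URI_ORIGINAL), ("patched", URI_PATCHED)):
        fires = rule_300016_fires(PNPHPBB_REPLY, REPLY_BODY, uri_pattern=pat)
        print(f"{label:9} URI filter -> 300016 fires on forum reply: {fires}")
    for msg, (cur, prop) in args_pattern_table(SAMPLE_MESSAGES).items():
        print(f"current={cur!s:5} proposed={prop!s:5}  {msg!r}")
```

The URI half shows why the patch quiets the forum: with the original `!(/forum/posting\.php)` the PNphpBB2 reply passes the first link of the chain and its body is inspected, with the patched pattern it never reaches the ARGS check. The ARGS half shows that the proposed pattern does drop matches such as "selection of items from the menu" while keeping "please select a theme from the list", but the last row is a caveat for anyone adopting it: requiring a leading `[[:space:]]` means a value that begins with the keyword itself is no longer matched, so PCRE word boundaries (`\bselect\b.+\bfrom\b`) would be the safer way to get the same tightening.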