strange problem with rules 340162 and 340163

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

strange problem with rules 340162 and 340163

Unread post by srpurdy »

I can't for the life of me figure out why these two rules get triggered.

I have 2 fields in a editable admin area.
1. youtube field = youtube video address
2. high res field = youtube video address.

I can save the record no issues as long as I don't use any http://www in the high res field only. I can do whatever I like in the youtube field. I should mention that neither of these fields are any different they are just text (varchar) fields, and they are put into an array and passed to an update mysql query. Nothing different about them at all.

I tried whitelisting youtube.com this had no effect. So my only other solution for now was to disable these two rules on that specific URL where this action can be done. But I'm kind of confused as to why. I looked at the post field name and changed that thinking maybe that had something to do with it, but none of the field names I used worked, and none of them even show up in the arguments for the rules themelves. I just don't get how if I'm trigging a remote file excution why the first youtube field wouldn't also trigger that rule. (it doesn't)

I should mention this server is running the latest August 20th rules, and mod_security 2.6.7

Below is the 403 errors.

Code: Select all

[Fri Aug 24 16:04:20 2012] [error] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "493"] [id "340162"] [rev "274"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "XXXXXXXXX"] [uri "/video_admin/editvideo/836/home/"] [unique_id "UDgIdM26mkEAAEwaHvcAAAAB"]

[Fri Aug 24 16:12:30 2012] [error] [client xxxxxxxxxxxx] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "542"] [id "340163"] [rev "274"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "xxxxxxxxxxx"] [uri "/video_admin/editvideo/836/home/"] [unique_id "UDgKXs26mkEAAGRqFioAAAAF"]
This "MATCHED_VARS:hq" is the name of the field. I had it originally called hires. I tried high_quality, and now hq. Same result for all. None of which show up anyway in the ARGS in the entire 10_asl_rules.conf file.

Maybe I'm not understanding something though. Doesn't make any sense to me atm lol. :)

Any idea's?
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: strange problem with rules 340162 and 340163

Unread post by mikeshinn »

Thank you the report, we are sorry to hear that you have run into a false positive but do appreciate you reporting it to us. To help us to determine the cause of this problem, we need a little more information. Although you have provided use with Apache error logs, this does not provide us with any of the information we need to help you with this problem. We require the modsecurity audit records for each event.

We have written up a procedure to help you provide this information to us, and you can find it it here:

https://www.atomicorp.com/wiki/index.ph ... _Positives

If you could kindly follow that procedure and send us the information described there, we can look into this issue further. Please keep in mind that the delayed rules are delayed 90 days, so any fix will not be available in the delayed rules for 90 days. If you require immediate access to the fix, you will need to use the real time rules. You can get access to the real time rules here:

https://www.atomicorp.com/products/modsecurity.html

Thank you in advance.
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

Re: strange problem with rules 340162 and 340163

Unread post by srpurdy »

mikeshinn wrote:Thank you the report, we are sorry to hear that you have run into a false positive but do appreciate you reporting it to us. To help us to determine the cause of this problem, we need a little more information. Although you have provided use with Apache error logs, this does not provide us with any of the information we need to help you with this problem. We require the modsecurity audit records for each event.

We have written up a procedure to help you provide this information to us, and you can find it it here:

https://www.atomicorp.com/wiki/index.ph ... _Positives

If you could kindly follow that procedure and send us the information described there, we can look into this issue further. Please keep in mind that the delayed rules are delayed 90 days, so any fix will not be available in the delayed rules for 90 days. If you require immediate access to the fix, you will need to use the real time rules. You can get access to the real time rules here:

https://www.atomicorp.com/products/modsecurity.html

Thank you in advance.
Hi Mike,

Sorry for the delay. I'll send the information soon as I look through the audit.

I would run the realtime rules, but this server is just one I manage for a client so it's mostly up to them! :) I run the full ASL on my other box. But I'll get you the audit information. :)

Shawn
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

Re: strange problem with rules 340162 and 340163

Unread post by srpurdy »

Okay I sent an email to support. Thanks :)
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: strange problem with rules 340162 and 340163

Unread post by mikeshinn »

Update available in real time rules.
Post Reply