Can't disable rule 340464 [SOLVED]

CrK01 (Forum User, Posts: 94, Joined: Wed Jun 06, 2007 10:49 am)

Post by CrK01:

Hello all,

I have problems with php-nuke or any nuke or any image upload / link.

The modsec rule is:

340464

example:

[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1000"] [id "340464"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcxx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]
[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1001"] [id "340465"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]

OK, I read this in the logs, so I went to my 00_asl_custom_exclude.conf and added:

<LocationMatch .*>
    SecRuleRemoveById 340162
    SecRuleRemoveById 340464
</LocationMatch>

for example.

I restarted Apache and it didn't work; it's still banning.

I have tested:

asl --disable-rule 340464

and asl -s -f

but it didn't work, still banning.

Thanks
mikeshinn (Atomicorp Staff - Site Admin, Posts: 4155, Joined: Thu Feb 07, 2008 7:49 pm, Location: Chantilly, VA)

Please try this

Post by mikeshinn:

Thank you for the report. Please try updating your rules - we just put out an update for this false positive - and please feel free to email support@atomicorp.com or simply press the "Report False Positive" button in the ASL GUI if you run into any problems with the rules again. We are fanatical about supporting our customers and will get out an update same day, and during normal business hours we will try to get out an update for an FP within 1-2 hours.

So how to disable a rule:

<LocationMatch .*>
    SecRuleRemoveById ID_number
</LocationMatch>

It must come after the rule has been defined (the modsec developers reversed the logic on everyone), so it's possible that is what you are running into.
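To make the two points in the reply concrete, here is an added example that is not code from this thread, from Atomicorp or from ASL. It parses the bracketed [key "value"] fields that ModSecurity 2.x writes to the Apache error log (the format of the two lines quoted in the first post, copied here as constructed sample input), groups the rule ids that fired by request URI, and emits a SecRuleRemoveById block scoped to that URI instead of the <LocationMatch .*> catch-all, so the rule keeps protecting every other path. It also checks the ordering caveat: the removal has to be read after the file that defines the rule, and with a wildcard Include Apache reads the matching files in alphabetical order, so a 00_ file is read before a 10_ file. The function and file names are assumptions for illustration; the actual Include lines in your httpd configuration are what count.

```python
"""Triage ModSecurity error_log entries and emit a scoped exclusion.

Added example for this thread; not code from the post, Atomicorp or ASL.
Parses the [key "value"] fields ModSecurity 2.x writes to the Apache
error log, groups firing rule ids by URI, and builds a SecRuleRemoveById
block limited to that URI. Also checks that the exclusion file would be
read after the rules file when both come in through one wildcard Include.
"""
import re
from collections import defaultdict

# Constructed sample input: copies of the two error_log lines quoted in the
# post, with the client IP and hostname masked as they were there.
SAMPLE_LOG = r'''[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1000"] [id "340464"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcxx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]
[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1001"] [id "340465"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]
'''

# [key "value"] fields; the value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# '... at ARGS:hometext.' names the variable the pattern matched in.
VAR_RE = re.compile(r' at ([A-Z_]+(?::[^.\s]+)?)\.')


def parse_modsec_line(line):
    """Return a dict of fields for one ModSecurity error_log line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:          # not a ModSecurity rule hit
        return None
    m = VAR_RE.search(line)
    fields["variable"] = m.group(1) if m else None
    return fields


def parse_log(text):
    """Parse every ModSecurity rule hit in a chunk of error_log text."""
    events = (parse_modsec_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def group_by_uri(events):
    """Map each request URI to the sorted list of rule ids that fired on it."""
    groups = defaultdict(set)
    for e in events:
        groups[e.get("uri", "")].add(e["id"])
    return {uri: sorted(ids) for uri, ids in groups.items()}


def exclusion_block(uri, ids):
    """Build a SecRuleRemoveById block scoped to exactly one URI.

    re.escape keeps '.' and other regex metacharacters in the URI literal,
    so the LocationMatch does not quietly cover other paths as well.
    """
    lines = ["<LocationMatch ^%s$>" % re.escape(uri)]
    lines += ["    SecRuleRemoveById %s" % rid for rid in ids]
    lines.append("</LocationMatch>")
    return "\n".join(lines)


def removal_is_after_definition(included_files, rule_file, exclusion_file):
    """True if the exclusion file is read after the file defining the rule.

    Assumes both files are pulled in by one wildcard Include: Apache reads
    wildcard matches in alphabetical order, so sorted basenames give the
    read order. Verify against the real Include lines in your httpd config.
    """
    order = sorted(included_files)
    return order.index(exclusion_file) > order.index(rule_file)


if __name__ == "__main__":
    for uri, ids in group_by_uri(parse_log(SAMPLE_LOG)).items():
        print(exclusion_block(uri, ids))
        print()
    # File names from the post: the 00_ file sorts before the 10_ file,
    # so a removal placed there is read before the rule exists.
    print(removal_is_after_definition(
        ["10_asl_rules.conf", "00_asl_custom_exclude.conf"],
        "10_asl_rules.conf", "00_asl_custom_exclude.conf"))
```

Run it against a saved copy of your error_log instead of SAMPLE_LOG and paste the printed block into a file that is included after the rules; the per-URI scope means a false positive on /admin.php does not turn the rule off for the rest of the site.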
CrK01 (Forum User, Posts: 94, Joined: Wed Jun 06, 2007 10:49 am)

Post by CrK01:

OK, thanks; it seems that with this update this app is working fine ;)
mikeshinn (Atomicorp Staff - Site Admin, Posts: 4155, Joined: Thu Feb 07, 2008 7:49 pm, Location: Chantilly, VA)

That's fantastic news

Post by mikeshinn:

And please don't hesitate to let us know about any false positives. Our goal is to have no FPs and we always appreciate it when we are informed of a false positive, it just helps us to make a better product.

And again, thank you for your report.