
Can't disable rule 340464 [SOLVED]

Posted: Tue Nov 25, 2008 8:39 am
by CrK01
Hello all,

I have problems with php-nuke or any nuke or any image upload / link.

The modsec rule is:

340464

example:

[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1000"] [id "340464"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcxx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]
[Mon Nov 24 19:15:05 2008] [error] [client 88.26.168.2xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1001"] [id "340465"] [rev "15"] [msg "Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Warning. Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:hometext. [hostname "www.euskalpcx.xxx"] [uri "/admin.php"] [unique_id "X9gHpH8AAAEAAC88-eMAAAAy"]

OK, I read this in the logs, so I went to my 00_asl_custom_exclude.conf and added:

<LocationMatch .*>

SecRuleRemoveById 340162
SecRuleRemoveById 340464

</LocationMatch>

for example.

I restarted Apache and it didn't work; it's still banning.

I have tested:

asl --disable-rule 340464

and asl -s -f

but it didn't work, still banning.

Thanks

Please try this

Posted: Tue Nov 25, 2008 2:06 pm
by mikeshinn
Thank you for the report. Please try updating your rules - we just put out an update for this false positive - and please feel free to email support@atomicorp.com or simply press the "Report False Positive" button in the ASL GUI if you run into any problems with the rules again. We are fanatical about supporting our customers and will get out an update same day, and during normal business hours we will try to get out an update for an FP within 1-2 hours.

So how to disable a rule:

<LocationMatch .*>

SecRuleRemoveById ID_number

</LocationMatch>

Must come after the rule has been defined (the modsec developers reversed the logic on everyone) - so it's possible that is what you are running into.
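
Added example, not part of the original thread and not Atomicorp's code: a small Python check for the ordering problem described above, flagging any SecRuleRemoveById that is read before the rule it names is defined. It assumes the exclude file and 10_asl_rules.conf sit in the same directory and are loaded by one wildcard Include; the rule body and the name 99_custom_exclude.conf are constructed for illustration.

```python
import re

RULE_ID = re.compile(r"\bid\s*:\s*'?(\d+)")          # id action, e.g. "id:340464,rev:15"
REMOVE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.IGNORECASE)

def find_ineffective_removals(conf_files):
    """conf_files maps filename -> text for one wildcard-included directory.
    Returns (filename, line_no, rule_id) for each SecRuleRemoveById that is
    read before the rule it names has been defined."""
    defined, problems = set(), []
    # Apache expands a wildcard Include in alphabetical order of filename.
    for name in sorted(conf_files):
        for line_no, line in enumerate(conf_files[name].splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            m = REMOVE.match(line)
            if m:
                for token in m.group(1).replace('"', " ").split():
                    # Only plain numeric IDs are checked; other tokens are skipped.
                    if token.isdigit() and token not in defined:
                        problems.append((name, line_no, token))
            else:
                # Simplification: any id:N on a non-comment line counts as a
                # definition, which also covers backslash-continued SecRule lines.
                defined.update(RULE_ID.findall(line))
    return problems

# Constructed sample input. The rule body is a placeholder, not the real ASL rule.
EXCLUDE = "<LocationMatch .*>\nSecRuleRemoveById 340464\n</LocationMatch>\n"
RULES = 'SecRule ARGS "placeholder" "id:340464,rev:15"\n'

def demo():
    early = {"00_asl_custom_exclude.conf": EXCLUDE, "10_asl_rules.conf": RULES}
    # 99_custom_exclude.conf is a hypothetical name that sorts after the rules file.
    late = {"10_asl_rules.conf": RULES, "99_custom_exclude.conf": EXCLUDE}
    return find_ineffective_removals(early), find_ineffective_removals(late)

if __name__ == "__main__":
    print(demo())
```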

Posted: Tue Nov 25, 2008 2:56 pm
by CrK01
ok thanks it seems that with this update this app is working fine ;)

That's fantastic news

Posted: Tue Nov 25, 2008 3:07 pm
by mikeshinn
And please don't hesitate to let us know about any false positives. Our goal is to have no FPs and we always appreciate it when we are informed of a false positive; it just helps us to make a better product.

And again, thank you again for your report.