Atomic Secure Linux
 Post subject: whitelisting domains or specific words
Unread postPosted: Sat Apr 04, 2009 11:55 am 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
Hi all,

Anyone know of a way to whitelist a specific domain or words in modsec?

I'm running a bulletin board and users embedding photobucket pics using the [img] tags are getting locked out if they embed more than 2 images.

any ideas?

thanks,
Jason


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sat Apr 04, 2009 12:01 pm 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7418
Location: earth
Hit the report false positive button so we can look at it


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sat Apr 04, 2009 6:01 pm 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
Hey Scott,

Here is the audit file.

I don't see the 'report false positive' button in the GUI...can you add a screenshot of where this should be?

Thanks for the help.
Jason

Code:
--86520639-A--
[03/Apr/2009:09:12:53 +0000] 9CXlhn8AAAEAABV-XXEAAAAF 209.89.219.252 1975 67.19.211.141 80
--86520639-B--
POST /rccforum/newreply.php?do=postreply&t=86581 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www......ca/rccforum/newreply.php?do=newreply&noquote=1&p=598299
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www..........ca
Content-Length: 380
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: rcbblastvisit=1236938730; rcbblastactivity=0; rcbbuserid=10587; rcbbpassword=392a903b5b7336cc7f5429878ce80b96; rcbbsessionhash=538e382efcf295b6bc25375770807d1f; rcbbthread_lastview=766e97fcffb27ac674ebf30a9b4a8085a-2-%7Bi-86580_i-1238749846_i-86581_i-1238749954_%7D

--86520639-C--
title=Re%3A+FS%3A+%282%29+Futaba+GY401+Gyros+%21%21%21&message=%5BIMG%5Dhttp%3A%2F%2Fi275.photobucket.com%2Falbums%2Fjj304%2FOICU8121972%2FP1030342Large.jpg%5B%2FIMG%5D&iconid=7&s=&do=postreply&t=86581&p=598299&posthash=7612c42ab6ac8cf255cd818e99628375&poststarttime=1238749960&loggedinuser=10587&multiquoteempty=&sbutton=Submit+Reply&signature=1&parseurl=1&emailupdate=0&rating=0
--86520639-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sat, 20 Oct 2007 01:10:11 GMT
ETag: "c58292-3bc-501a02c0"
Accept-Ranges: bytes
Content-Length: 956
Connection: close
Content-Type: text/html

--86520639-H--
Message:  [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "202"] [id "300031"] [rev "2"] [msg "Spam: General"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(spycam|laser[ \-_.]?eye|eye[ \-_.]?laser|fuelcellmarket|fuel-dispenser|fueling-dispenser|cheapest[ \-_.]?phone|kontaktlinsen|lasikclinic|huojia|jinxinghj|telemati[ck]sone|a-mortgage|diamondabrasives|-horoskop|oa274|2large|exicornt|AFmbb\.|cragrats\.|r ..." at ARGS:message.
Action: Intercepted (phase 2)
Stopwatch: 1238749973702022 37035 (13327* 33965 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); 200904021742.
Server: Apache/2.2.3 (Red Hat)

--86520639-Z--
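
A triage helper for the audit entry above, as an added example that is not part of the original post or of Atomicorp's tooling: it splits the entry on its section boundaries, reads the rule metadata from section H, URL-decodes the flagged argument from section C, and checks which of the pattern alternatives visible in the log occur in it. The sample is trimmed from the post; the function names and case-insensitive matching are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the audit entry from the post, trimmed (fewer headers,
# shorter body, fewer pattern alternatives) so it fits in the example.
SAMPLE = r"""--86520639-A--
[03/Apr/2009:09:12:53 +0000] 9CXlhn8AAAEAABV-XXEAAAAF 209.89.219.252 1975 67.19.211.141 80
--86520639-B--
POST /rccforum/newreply.php?do=postreply&t=86581 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

--86520639-C--
title=Re%3A+FS&message=%5BIMG%5Dhttp%3A%2F%2Fi275.photobucket.com%2Falbums%2Fjj304%2FOICU8121972%2FP1030342Large.jpg%5B%2FIMG%5D&iconid=7
--86520639-H--
Message:  [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "202"] [id "300031"] [rev "2"] [msg "Spam: General"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(spycam|laser[ \-_.]?eye|oa274|2large|exicornt|cragrats\.|r ..." at ARGS:message.
Action: Intercepted (phase 2)

--86520639-Z--
"""

def sections(entry):
    """Split one audit entry into {letter: text} on its --<id>-<letter>-- lines."""
    parts = re.split(r"^--[0-9a-f]+-([A-Z])--\n", entry, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def triage(entry):
    """Return the rule, the flagged argument and which visible alternatives hit."""
    sec = sections(entry)
    meta = dict(re.findall(r'\[(\w+) "([^"]*)"\]', sec["H"]))
    var, name = re.search(r" at (\w+)(?::(\S+))?\.$", sec["H"], re.M).groups()
    value = parse_qs(sec["C"].strip()).get(name, [""])[0]  # URL-decoded argument
    pattern = re.search(r'Pattern match "(.*)" at ', sec["H"]).group(1)
    alts = pattern.lstrip("(").split("|")
    if alts[-1].endswith("..."):          # the log truncates long patterns
        alts.pop()
    # Assumption: case-insensitive matching; the rule's transforms are not logged.
    hits = [a for a in alts if re.search(a, value, re.I)]
    return {"id": meta["id"], "msg": meta["msg"], "file": meta["file"],
            "uri": sec["B"].split()[1], "target": f"{var}:{name}",
            "value": value, "hits": hits}

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key:7} {val}")
```

On the sample it reports rule 300031 on ARGS:message with the single hit `2large`, a string that occurs in the image filename `P1030342Large.jpg`.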


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 11:16 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7418
Location: earth
Looks like this (ignore the fact that this is a different theme):

http://www.atomicrocketturtle.com/galle ... temId=1541


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 12:24 pm 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
Interesting...this is what I see. Could I be on a different version or would it be because I'm running ASL through Plesk?

thanks,
Jason


Attachments:
asl.jpg
 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 2:18 pm 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
Which browser are you using? I have seen several strange things in the Plesk IF when using Chrome...


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 3:12 pm 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
I've tried Chrome, FireFox, IE...same with all of them.


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 5:39 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3242
Location: Chantilly, VA
Try updating to the latest rules (the issue you reported is resolved in those rules). Also, what ASL version are you running? You should have a report false positive button. Run these commands as root:

asl -V
rpm -q asl
rpm -q asl-web-gui

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 9:16 pm 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
Got the update, thanks.

Here are my versions.

ASL version 2.0.7
asl-2.0.7-3.el5.art
asl-web-gui-0.6-1.el5.art

Jason


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 9:35 pm 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7418
Location: earth
Yeah, you're way out of date with the asl-web-gui package; 1.0 came out before Christmas


 Post subject: Re: whitelisting domains or specific words
Unread postPosted: Sun Apr 05, 2009 9:40 pm 
Forum User

Joined: Fri Oct 26, 2007 2:18 am
Posts: 21
That did it. Thanks for the help.

Jason

