ASL thinks google.com is a malware domain?

Sempiterna · **Joined:** Tue Jun 24, 2008 12:05 pm **Posts:** 145

Since about 15:30 (CET) today i have received hundreds of events in my ASL panel from rule 360009 stating there is a malicious domain detected (google.com/). I tried to send a false positive report through the panel, but it didnt arrive in the support system. Maybe because they are all very large response bodies. Eventhough some people have an aversion to Google, having that in an asl rule is a bit too much

Quote:

--ff01e222-H--
Message: Matched phrase "google.com/" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/99_asl_redactor_post.conf"] [line "34"] [id "360009"] [rev "2"] [msg "Atomicorp.com Malicious Domain Output Detector: Malware domain detected in webserver output and NOT BLOCKED. This means your system may be serving up malware."] [data "google.com/"] [severity "WARNING"]
Apache-Handler: fcgid-script
Stopwatch: 1332177386885426 652085 (- - -)
Stopwatch2: 1332177386885426 652085; combined=86309, p1=34, p2=7059, p3=8, p4=79197, p5=11, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); 201203181758.
Server: Apache/2.2.3 (CentOS)

mikeshinn · **Posted:** Mon Mar 19, 2012 3:38 pm

No, its an encoding issue with the decoder. Just run asl -uf to force an update to all the rules and decoders.

This rule, BTW, does not block anything, it just reports. So this should have no effect on your users.

Sempiterna · **Joined:** Tue Jun 24, 2008 12:05 pm **Posts:** 145

Yep, that solved it, thanks

I know it doesnt block users, but it was filling up my logs.

Also, for some time now i see some strange events in the logs:

Quote:

Message: [file "/etc/httpd/modsecurity.d/09_asl_rules.conf"] [line "37"] [id "330790"] [rev "1"] [msg "Apache Error: Invalid URI in Request"] [data "[file x22/builddir/build/BUILD/httpd-2.2.3/server/core.cx22] [line 3492] [level 3] Invalid URI in request GET HTTP/1.1"] [severity "CRITICAL"] Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG.
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/server/core.c"] [line 3492] [level 3] Invalid URI in request GET HTTP/1.1
Stopwatch: 1332144450624187 1764 (- - -)
Stopwatch2: 1332144450624187 1764; combined=45, p1=0, p2=0, p3=3, p4=12, p5=30, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); 201203181743.
Server: Apache/2.2.3 (CentOS)

They seem to reference "default", instead of any of my sites. Any idea what this is?

mikeshinn · **Posted:** Mon Mar 19, 2012 3:52 pm

Thanks for the question, you can read about this rule here:

https://www.atomicorp.com/wiki/index.php/WAF_330790

All the rules are documented in the wiki, just click on the rule ID in the ASL gui, or if you arent using ASL then search for the ID in the wiki. With over 10K rules we may have missed a few, and if we did let us know!

ASL thinks google.com is a malware domain?

Who is online