Atomic Secure Linux
 Post subject: ASL thinks google.com is a malware domain?
Unread postPosted: Mon Mar 19, 2012 3:26 pm 
Forum Regular

Joined: Tue Jun 24, 2008 12:05 pm
Posts: 153
Since about 15:30 (CET) today I have received hundreds of events in my ASL panel from rule 360009 stating there is a malicious domain detected (google.com/). I tried to send a false positive report through the panel, but it didn't arrive in the support system. Maybe because they are all very large response bodies. Even though some people have an aversion to Google, having that in an ASL rule is a bit too much ;)

Quote:
--ff01e222-H--
Message: Matched phrase "google.com/" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/99_asl_redactor_post.conf"] [line "34"] [id "360009"] [rev "2"] [msg "Atomicorp.com Malicious Domain Output Detector: Malware domain detected in webserver output and NOT BLOCKED. This means your system may be serving up malware."] [data "google.com/"] [severity "WARNING"]
Apache-Handler: fcgid-script
Stopwatch: 1332177386885426 652085 (- - -)
Stopwatch2: 1332177386885426 652085; combined=86309, p1=34, p2=7059, p3=8, p4=79197, p5=11, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); 201203181758.
Server: Apache/2.2.3 (CentOS)

 Post subject: Re: ASL thinks google.com is a malware domain?
Unread postPosted: Mon Mar 19, 2012 3:38 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3670
Location: Chantilly, VA
No, it's an encoding issue with the decoder. Just run asl -uf to force an update to all the rules and decoders.

This rule, BTW, does not block anything, it just reports. So this should have no effect on your users.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

 Post subject: Re: ASL thinks google.com is a malware domain?
Unread postPosted: Mon Mar 19, 2012 3:46 pm 
Forum Regular

Joined: Tue Jun 24, 2008 12:05 pm
Posts: 153
Yep, that solved it, thanks :) I know it doesn't block users, but it was filling up my logs.

Also, for some time now I see some strange events in the logs:

Quote:
Message: [file "/etc/httpd/modsecurity.d/09_asl_rules.conf"] [line "37"] [id "330790"] [rev "1"] [msg "Apache Error: Invalid URI in Request"] [data "[file x22/builddir/build/BUILD/httpd-2.2.3/server/core.cx22] [line 3492] [level 3] Invalid URI in request GET HTTP/1.1"] [severity "CRITICAL"] Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG.
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/server/core.c"] [line 3492] [level 3] Invalid URI in request GET HTTP/1.1
Stopwatch: 1332144450624187 1764 (- - -)
Stopwatch2: 1332144450624187 1764; combined=45, p1=0, p2=0, p3=3, p4=12, p5=30, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); 201203181743.
Server: Apache/2.2.3 (CentOS)


They seem to reference "default", instead of any of my sites. Any idea what this is?

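A small triage helper for audit-log excerpts like the two quoted in this thread (the 360009 flood in the first post and the 330790 event above). This is an added example, not ASL's or ModSecurity's own code: it parses the bracketed `[key "value"]` fields of a ModSecurity 2.x H-section `Message:` line and counts events per rule id and matched data, so hundreds of hits from one reporting rule stand out from a single genuine finding. The sample lines are constructed from the quoted ones, with the 360009 line repeated.

```python
import re
from collections import Counter

# Constructed sample: the two "Message:" lines quoted in this thread, the
# 360009 one duplicated so the per-rule counting is visible.
SAMPLE_LOG = """\
Message: Matched phrase "google.com/" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/99_asl_redactor_post.conf"] [line "34"] [id "360009"] [rev "2"] [msg "Atomicorp.com Malicious Domain Output Detector: Malware domain detected in webserver output and NOT BLOCKED. This means your system may be serving up malware."] [data "google.com/"] [severity "WARNING"]
Apache-Handler: fcgid-script
Message: Matched phrase "google.com/" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/99_asl_redactor_post.conf"] [line "34"] [id "360009"] [rev "2"] [msg "Atomicorp.com Malicious Domain Output Detector: Malware domain detected in webserver output and NOT BLOCKED. This means your system may be serving up malware."] [data "google.com/"] [severity "WARNING"]
Message: [file "/etc/httpd/modsecurity.d/09_asl_rules.conf"] [line "37"] [id "330790"] [rev "1"] [msg "Apache Error: Invalid URI in Request"] [data "[file x22/builddir/build/BUILD/httpd-2.2.3/server/core.cx22] [line 3492] [level 3] Invalid URI in request GET HTTP/1.1"] [severity "CRITICAL"] Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG.
Server: Apache/2.2.3 (CentOS)
"""

# One bracketed [key "value"] field. Values are always quoted, so the nested
# brackets inside [data "..."] of the 330790 event are captured as one value.
FIELD_RE = re.compile(r'\[([A-Za-z_]+) "([^"]*)"\]')


def parse_message(line):
    """Parse one 'Message:' line into a dict of fields; None for other lines."""
    if not line.startswith("Message:"):
        return None
    fields = dict(FIELD_RE.findall(line))
    # Free text before the first field, e.g. the matched phrase and the
    # variable (RESPONSE_BODY) it was found in; empty for error-log rules.
    head = line[len("Message:"):]
    cut = head.find(" [")
    fields["_text"] = head[:cut].strip() if cut >= 0 else head.strip()
    # ASL report-only rules say so in msg; this flag is just that substring check.
    fields["_report_only"] = "NOT BLOCKED" in fields.get("msg", "")
    return fields


def summarize(log_text):
    """Count events per (rule id, matched data) so a flood from one rule stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_message(line)
        if ev is not None:
            counts[(ev.get("id"), ev.get("data"))] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, data), n in summarize(SAMPLE_LOG).most_common():
        print(f"rule {rule_id}: {n} event(s), data={data!r}")
```

Point it at the concatenated H sections of the audit log to see which rule ids dominate before filing a false-positive report.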
 Post subject: Re: ASL thinks google.com is a malware domain?
Unread postPosted: Mon Mar 19, 2012 3:52 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3670
Location: Chantilly, VA
Thanks for the question, you can read about this rule here:

https://www.atomicorp.com/wiki/index.php/WAF_330790

All the rules are documented in the wiki, just click on the rule ID in the ASL GUI, or if you aren't using ASL then search for the ID in the wiki. With over 10K rules we may have missed a few, and if we did let us know!

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
