false positive - not sure if asl report has the right info.

premierhosting · **Joined:** Wed Aug 04, 2010 2:52 pm **Posts:** 256

Drupal trying to upload a file.

Code:

[Sun Mar 27 17:18:49 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB" to "/var/asl/data/suspicious/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "4yuNZ0rQxvYAAFA4TxIAAAAG"]
[Sun Mar 27 17:20:40 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv" to "/var/asl/data/suspicious/20110327-172039-6dBjDkrQxvYAAFCoMscAAAAB-file-OHRqAv". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "6dBjDkrQxvYAAFCoMscAAAAB"]
[Sun Mar 27 17:20:53 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-172052-6pfPB0rQxvYAACIG-BkAAAAD-file-my8Jf5" to "/var/asl/data/suspicious/20110327-172052-6pfPB0rQxvYAACIG-BkAAAAD-file-my8Jf5". [hostname "xxxxxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "6pfPB0rQxvYAACIG-BkAAAAD"]

Hard to tell if these are the same issues:

Code:

--1ae4cd01-A--
[27/Mar/2011:15:13:41 --0700] I8e7Z0rQxvYAABYUey0AAAAO 67.185.164.235 3692 74.208.198.246 80
 
--1ae4cd01-B--
GET / HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729) SearchToolbar/1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=157772667.124927394.1300919902.1300919902.1301251890.2; __utmz=157772667.1300919902.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=157772667
Pragma: no-cache
Cache-Control: no-cache
 
--1ae4cd01-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html
 
--1ae4cd01-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/generators/mod_autoindex.c"] [line 2274] [level 3] Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/
Stopwatch: 1301264021830503 14518 (2031 9786 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201103262012.
Server: Apache
 
--1ae4cd01-Z--

Any help?

mikeshinn · **Posted:** Sun Mar 27, 2011 8:34 pm

Quote:

[Sun Mar 27 17:18:49 2011] [error] [client 67.185.164.235] ModSecurity: Input filter: Failed to rename file from "/tmp/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB" to "/var/asl/data/suspicious/20110327-171847-4yuNZ0rQxvYAAFA4TxIAAAAG-file-aBzInB". [hostname "xxxxxxxxxxxxx"] [uri "/index.php"] [unique_id "4yuNZ0rQxvYAAFA4TxIAAAAG"]

Not a false positive, an actual error on your system. Check to see if you have MODSEC_KEEPFILES set to "on" in ASL, if yo do, set that to off.

As an aside, its a bad idea to set it to on anyway, the bad stuff gets uploaded to the server, so generally only a good idea to turn this on if you are debugging something (and we are going to remove this option in a future version of ASL). This can happen with odd non-standard permissions issues, mount changes to /tmp (no exec for example), etc.

Quote:

Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/generators/mod_autoindex.c"] [line 2274] [level 3] Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/
Stopwatch: 1301264021830503 14518 (2031 9786 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201103262012.

Also not a false positive, and not generated by ASL. ASL is just reporting that apache is reporting an error, specifically, as above:

Directory index forbidden by Options directive: /var/www/vhosts/premierhosting.com/projects/

You have your server configured (correctly IMHO) to not allow index access to /projects/. This is not something ASL controls, and is something you configure in Apache, htaccess, etc.

premierhosting · **Joined:** Wed Aug 04, 2010 2:52 pm **Posts:** 256

OK, so by setting the KEEPFILES to off it will allow Drupal to upload image files?

mikeshinn · **Posted:** Mon Mar 28, 2011 9:29 am

Quote:

OK, so by setting the KEEPFILES to off it will allow Drupal to upload image files?

Yes, KEEPFILES only configures ASL to Keep a file if its been detected to contain malware. ASL will then put that file in the suspicious folder.

KEEPFILES has no effect on uploading files, it only controls the behavior of ASL if it detects something malicious. You should always have that set to off, you dont want malicious files being uploaded to the server.

false positive - not sure if asl report has the right info.

Who is online