phpids and FLIR

bavarian - June 16, 2009 - 11:41
Project:PHPIDS
Version:6.x-1.8
Component:Code
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed
Description

I am trying to make use of 2 drupal-modules at the same time on one of my sites.
1 - phpids 6.x-1.8
2 - flir 6.x-1.3-beta1

Both modules seem to work fine individually, exactly the way I want them to work. BUT when both modules are activated, phpids does send e-mail messages about "detected attacks". Funny, when refreshing the page in question in Firefox it sends 6 mail messages, but when refreshing the same page in the Safari browser only 2 mail messages about these detected attacks.

Since I am not sure if this is a phpids or a flir issue, I am posting this as an issue on both module sites.

Thanks in advance for all help and input !

#1

Gos77 - June 16, 2009 - 15:09

Hello bavarian,

could you please post the complete message of the detected attack(s)? I think it is a HTML- or JSON-false-positive from flir module which is detected by phpids module.

thx Gos77

#2

bavarian - June 16, 2009 - 16:13

the subject in the e-mail-messages of the detected attacks (?) is always the same: "PHPIDS detected an attack with impact 26"

the text in the e-mail-messages is just a oneliner: "Check your logs to see a full detail of the report."

DETAILS in the logs

Type phpids
Date Tuesday, 16. June 2009 - 12:39
User Anonymous visitor
Location http://www.urlofmysite.se/?q=flir/generate/User%20account/25/113/%7B%22m...
Referrer http://www.urlofmysite.se/en/user
Message Send warning mail to mymailadress@urlofmysite.se
Severity notice
Hostname xxx.xxx.xxx.xxx (IP address edited)
Operations

thanks in advance !

#3

Gos77 - June 16, 2009 - 16:43

Hello bavarian,

this log message is the wrong one, because it only gives info that the mail was sent. The following complete log entry, which starts with "Total impact: ...", is the right and interesting one ;)

thx Gos77

#4

bavarian - June 16, 2009 - 17:09

Ah ... sorry, here we go again, hopefully correct this time:

Details
Type phpids
Date Tuesday, 16. June 2009 - 12:39
User Anonymous visitor
Location http://urlofmysite.se/?q=flir/generate/Search/25/195/%7B%22mode%22%3A%22...
Referrer http://urlofmysite.se/en/user
Message Total impact: 26
All tags: sqli, id, lfi
Variable: q | Value: flir/generate/Search/25/195/{"mode":"progressive","output":"auto& quot;,"cSize":"19","cColor":"rgb(73, 73, 73)","cFont":"aero.ttf","realFontHeight":"false"," dpi":"96","cBackground":"transparent","cSpacing":" ","cLine":"1.3132","cAlign":"start","cTransform&qu ot;:"none"}
Impact: 26 | Tags: sqli, id, lfi

* Rule: (?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?
Description: Detects classic SQL injection probings 1/2
Tags: sqli, id, lfi
* Rule: (?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)( ?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s* [^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+[\s=*])|(?:[()*<>%+-][\w-]+[^\w\s]+"[^, ])
Description: Detects classic SQL injection probings 2/2
Tags: sqli, id, lfi
* Rule: (?:union\s*(?:all|distinct)?\s*[([]\s*select)|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x? or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;\/)(]+\s*[(@]*\s*\w+\W +\w)|(?:select\s*[\[\]()\s\w\.,-]+from)
Description: Detects basic SQL authentication bypass attempts 2/3
Tags: sqli, id, lfi
* Rule: (?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d \s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.]+")|(?:"\s*is\ s*[\d.]+\s*\W.*")
Description: Detects basic SQL authentication bypass attempts 3/3
Tags: sqli, id, lfi

Severity notice
Hostname xx.xxx.xx.xxx
Operations

#5

Gos77 - June 17, 2009 - 14:24

Hello bavarian,

please try out the current phpids dev-snapshot. Some days ago I added some new options in the PHPIDS settings. With these new options it is possible to define form fields or parameters which include HTML or JSON, or which are completely excluded from scanning by PHPIDS.

Take a look at issue #489134: JSON option on false positives

I think it could be possible to add "q" to the JSON fields, but with non-clean URLs this is some risk, because all URLs of your site could be passed as clean through PHPIDS. Perhaps you could change your site settings to use clean URLs and then check again the variable name in the PHPIDS logs which is producing your false positives with the flir module.

I hope this could help you a little bit.

greetz Gos77
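The risk Gos77 raises in reply #5 is that, without clean URLs, every Drupal path travels in `q`, so treating `q` as a JSON field relaxes scanning for the whole site. The following is an added example (not PHPIDS or FLIR code) of a narrower approach: recognise only FLIR's generate requests, parse the trailing JSON object, and hand back its decoded option values for individual scanning instead of the raw serialisation whose quotes and braces trip the SQLi rules. The path layout and option names are taken from the log in reply #4; the helper names and the sample host are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical helper, not part of PHPIDS or FLIR. The path layout
# flir/generate/<text>/<size>/<id>/<json options> comes from the log in reply #4.
FLIR_GENERATE = re.compile(r"^flir/generate/[^/]+/\d+/\d+/(\{.*\})$")

# Option names copied from the JSON object FLIR sent in reply #4.
FLIR_OPTION_KEYS = {
    "mode", "output", "cSize", "cColor", "cFont", "realFontHeight",
    "dpi", "cBackground", "cSpacing", "cLine", "cAlign", "cTransform",
}


def flir_option_values(q):
    """Return the decoded option values if q is a FLIR generate request carrying a
    flat JSON object of known string options; otherwise return None so the caller
    scans the raw q as usual. Anything unexpected (unknown key, nested value,
    malformed JSON, non-FLIR path) deliberately falls back to the full scan."""
    m = FLIR_GENERATE.match(q)
    if not m:
        return None
    try:
        opts = json.loads(m.group(1))
    except ValueError:
        return None
    if not isinstance(opts, dict) or not set(opts) <= FLIR_OPTION_KEYS:
        return None
    if not all(isinstance(v, str) for v in opts.values()):
        return None
    return list(opts.values())


def q_from_url(url):
    """Drupal's non-clean-URL path parameter, percent-decoded as PHPIDS sees it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


# Constructed request built from the option set in reply #4; the host is a placeholder.
SAMPLE_OPTS = {"mode": "progressive", "output": "auto", "cSize": "19",
               "cColor": "rgb(73, 73, 73)", "cFont": "aero.ttf"}
SAMPLE_URL = "http://example.invalid/?q=" + quote(
    "flir/generate/Search/25/195/" + json.dumps(SAMPLE_OPTS, separators=(",", ":")),
    safe="")
```

Scanning the returned values one by one leaves ordinary Drupal paths such as `node/5` under the normal full scan of `q`.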

#6

bavarian - June 17, 2009 - 20:01

I have downloaded the phpids dev-snapshot and installed it. It brings up those 3 new options to define parameters to exclude stuff from being scanned.

With the "q" (without the quotation-marks) as a parameter in the JSON-field, I don't get my problem resolved. Still getting those false-positives associated with flir. No matter if clean URLs are enabled or not, tested both ways.

and the name of the variable in the logs is still "q" .... with or without clean URLs enabled ...

guess I better get some sleep before digging myself into this ... and try more tomorrow

#7

Gos77 - June 17, 2009 - 21:26

Hello bavarian,

please try to post your complete phpids log from reply #4 (with a link to this issue here) in the forum under http://www.php-ids.org . Perhaps there the developers have some ideas how to solve this problem.

gn8 Gos77

#8

bavarian - June 18, 2009 - 10:00

#9

Gos77 - September 30, 2009 - 09:41
Status:active» postponed (maintainer needs more info)

need feedback .. otherwise issue will be closed in 2 weeks

#10

Gos77 - November 25, 2009 - 09:57
Status:postponed (maintainer needs more info)» closed

Closed because of no more activity.
