
Topic: alerts from non-threatening input - beginner!

  1. #1
    New User
    Joined
    06.06.2009
    Posts
    4

    alerts from non-threatening input - beginner!

    Hi,

    I have had PHPIDS installed for a while now to protect my previously hacked job board. It seems to work, insomuch as I have not had any breaches since I installed it. However, however I have it set up (and I will not pretend that I understand how I do have it set up), it seems to often trigger alerts and "cease and desist" messages to users trying to innocently register on the site. Here is an example of what I mean: this person was just filling in a covering letter for their resume at registration, yet it has been treated as an attack on the site. Obviously this means that however I have it set up is incorrect. I would like to amend this, as obviously it gives a bad user experience. I have made a couple of changes to what is pasted below to try to maintain the privacy of the person who submitted the registration details to my site.

    The following attack has been detected by PHPIDS

    IP: xxxx (deleted to preserve privacy)
    Date: 2011-09-24T03:52:45-06:00
    Impact: 4
    Affected tags: xss csrf id rfe
    Affected parameters: POST.app_letter=From%2C+%0D%0AVINOD.K.JOSEPH%0D%0A%0D%0ATo%2C%0D%0AThe+Principal%2C%0D%0AAl+XXXXX+Bilingual+School%2C%0D%0ARiyadh%0D%0A%0D%0ADate%3A+%0924th+Sep+2011%0D%0A%0D%0A%0D%0ADear+Sir%2C%0D%0A%0D%0A%0D%0A+Subject%3A+Application+for+the+post+of+Mathematics+Teacher+%0D%0A%0D%0AWith+over+8+years+of+hands-on%2C+successful+teaching+experience%2C+I+am+confident+in+my+ability+and+passion+to+become+a+positive+addition+to+your+school+community+as+a+High+School+Mathematics+Teacher.%0D%0A%0D%0AAs+you+will+see+in+the+enclosed+resume+I+have+earned+a+Master%92s+Degree+in+Mathematics%2C+as+well+as+gained+certificate+in+Bachelor+of+Education.+I+have+had+the+opportunity+to+teach+students+who+functioned+below-%2C+on-%2C+and+above+grade+level.%0D%0A%0D%0AI+encourage+learning+by+using+number+of+different+manipulative%2C+hands-on+activities+and+various+forms+of+technology.+By+incorporating+class+discussions%2C+open-ended+questions+and+cooperative+learning+I+am+able+to+facilitate+a+highly+interactive+and+inquisitive+class+atmosphere.+In+addition+I+utilize+weekly+quizzes+and+monthly+tests+to+track+student+progress%2C+locate+areas+of+weakness+and+prepare+students+for+finals+exams.%0D%0A%0D%0ABeing+a+hard+working+and+well-rounded+educator%2C+I+welcome+the+opportunity+to+meet+with+you+to+discuss+how+my+extensive+experience%2C+collaborative+nature+and+innovative+class+room+skills+would+benefit+your+Mathematics+program.+Thank+you+for+your+time+consideration+and+I+look+forward+to+hearing+from+you+soon.%0D%0A%0D%0ASincerely%2C%0D%0AXXXX.X.JXXXXXX%0D%0A,
    Request URI: %2Fapply_iframe.php
    Origin: XX.XXX.XX.X (deleted to preserve privacy)

    Any tips gratefully received. Many thanks,
    Simon

  2. #2
    Moderator .mario
    Joined
    30.05.2007
    Posts
    924
    Hi!

    Sorry for the delay. I fixed the false positive in the latest trunk version. Just check out the freshest default_filter.xml and you should be fine (it was a tough one btw - nice find :) ).

    Thanks for the report!
    .mario

  3. #3
    New User
    Joined
    06.06.2009
    Posts
    4

    Thanks!

    Hi,
    thanks for sorting this. Just to be clear, are you saying that I should download the latest version of that file and use it to replace the current version that I have?
    Many thanks,
    Simon

  4. #4
    New User
    Joined
    06.06.2009
    Posts
    4
    Hi,
    I've got another one for you... any thoughts? I have overwritten the default_filter.xml with the latest version.

    I think that this one is a false positive too?
    The following attack has been detected by PHPIDS

    IP: xx.xx.xx.110
    Date: 2011-09-29T01:32:28-06:00
    Impact: 5
    Affected tags: Command Execution id
    Affected parameters: POST.app_letter=Dear+Sir%2F+Madam%2C+%0D%0AI+am+pleased+to+present+my+curriculum+vitae+to+you+for+the+position+of+Language+A+teaching.+I+believe+you+will+find+me+to+be+a+dedicated+educator+who+is+well+equipped+to+provide+the+motivation+and+direction+students+need+to+learn+successfully.%0D%0AThe+attached+resume+will+testify+to+my+successful+and+solid+commitment+to+providing+students+with+excellence+in+education.+As+you+will+note%2C+I+earned+a++Masters+of+Arts+in+Linguistics+.My+teaching+style+is+direct+and+decisive%2C+yet+flexible+in+responding+to+constantly+changing+demands.%0D%0ABeing+a+well+rounded+educator%2C+I+have+had+opportunity+to+teach+a+diverse+group+of+middle+and+high+school+students%2C+thus+enhancing+my+teaching+techniques+and+instructional+methods.+As+a+result%2C+I+have+developed+phenomenal+communication%2C+interpersonal+organizational+skills%2C+time+management+and+leadership+skills.++Further+-more%2C+I+have+become+proficient+in+developing+comprehensive+lesson+plans%2C+creating+stimulating+thematic+units%3A+assessing+individuals+and+the+class+as+a+whole.%0D%0AOne+of+my+greatest+strengths+as+an+educator+is+instilling+love+for+literacy+in+my+students.+I+have+true+passion+for+literature+and+I+am+adept+at+passing+this+to+my+students.+I+accomplish+this+by+incorporating+Shakespearean+works+%2C+which+I+help+students+translate+into+present+%96+day+English%2C+as+well+as+draw+a+direct+connection+between+the+works+in+question+and+every-+day+life.+This+method+has+helped+me+to+reach+out+to+every+student%2C+facilitate+their+unique+learning+styles+and+spark+their+interest.%0D%0AI+would+feel+privileged+to+secure+a+job+as+a+Language+A+teacher+with+your+school+and+would+welcome+the+opportunity+to+discuss+with+you+how+my+experience+would+best+suit+the+needs+of+your+students.+I+look+forward+to+hearing+from+you+at+your+earliest+convenience.%0D%0ASincerely%2C%0D%0ANiyibizi+Pxxx+Juxxxx%0D%0Avvvvill+Ixxxxxl+School%2C%0D%0AEmbPoint%2C+%23150%2C+Ixxxxx+Road%2C%0D%0ABxxxxxu-+560001%2C+Kxxxxxa-+India%2C%0D%0ATel%3B+%2B918043418318,
    Request URI: %2Fapply_iframe.php
    Origin: 70.xx.xxx.xx

  5. #5
    Moderator .mario
    Joined
    30.05.2007
    Posts
    924
    I'll have a look and will deploy a fixed version later today

  6. #6
    New User
    Joined
    07.01.2012
    Posts
    2
    I agree with "taylor.simonp", I was integrating PHPIDS into a security application and after I was done and started parsing my apache logs, it would ring on requests like


    Code:
    Total impact: 4
    Affected tags: xss, csrf, id, rfe
    
    Variable: 0 | Value: /Repo/index.html?dir=User Uploads/&sort=description&sort_mode=a 
    Impact: 4 | Tags: xss, csrf, id, rfe
    Description: Detects JavaScript array properties and methods | Tags: xss, csrf, id, rfe | ID: 18
    
    
    Total impact: 21
    Affected tags: xss, csrf, id, rfe, lfi
    
    Variable: 0 | Value: /Repo/index.html?dir=Admin Archive/GUI Project (Unfinished)/inc/&sort=filename&sort_mode=a 
    Impact: 21 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
    Description: Detects JavaScript array properties and methods | Tags: xss, csrf, id, rfe | ID: 18
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
    
    Centrifuge detection data
    Threshold: ---
    Ratio: ---
    Converted: ((++::
    So basically, the majority of all requests are coming up as malicious and it is making this really hard for me. I wish I knew more about the regular expression syntax, but it's too much brain f***.
    Smoking Scripts Daily

  7. #7
    Moderator .mario
    Joined
    30.05.2007
    Posts
    924
    Well - having a look at the string data..

    Code:
    /Repo/index.html?dir=Admin Archive/GUI Project (Unfinished)/inc/&sort=filename&sort_mode=a
    This has all it needs for a potential attack attempt - parentheses, suspicious substrings, etc. I'd recommend having a look at the actual parameters - and not the full request URI / query string. This should drastically reduce the false alert ratio.
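The following harness is an added example and is not code from this thread or from the PHPIDS project. It does two things the thread asks for: it feeds PHPIDS named parameters instead of the whole request line (the "Variable: 0" in post #6 is what you get when a flat array of request lines is handed to the monitor), and it replays a POST field from an alert mail so that, after swapping in a newer default_filter.xml as discussed in posts #2 and #3, you can confirm the known false positive is gone. Assumptions not confirmed by the thread: PHPIDS 0.6/0.7 unpacked so that lib/IDS/Init.php is reachable, the install paths used below, and the IDS_Init / IDS_Monitor / IDS_Report / IDS_Event / IDS_Filter API of those versions. The sample inputs are constructed from the two reports in the thread (the cover letter is shortened).

```php
<?php
// Added example (not from the thread or the PHPIDS project).
// Assumed layout: ./lib/IDS/Init.php, ./lib/IDS/Config/Config.ini.php,
// ./lib/IDS/default_filter.xml. Adjust to your installation.

set_include_path(get_include_path() . PATH_SEPARATOR . __DIR__ . '/lib');
require_once 'IDS/Init.php';

$init = IDS_Init::init(__DIR__ . '/lib/IDS/Config/Config.ini.php');
$init->config['General']['base_path']     = __DIR__ . '/lib/IDS/';
$init->config['General']['use_base_path'] = true;
$init->config['Caching']['caching']       = 'none'; // always re-read the filter XML you just replaced

/**
 * Run PHPIDS over one request array (e.g. array('GET' => ..., 'POST' => ...))
 * and return the total impact plus, per flagged parameter, the filter IDs hit.
 */
function scanRequest(array $request, IDS_Init $init)
{
    $monitor = new IDS_Monitor($request, $init);
    $report  = $monitor->run();
    $hits    = array();
    if (!$report->isEmpty()) {
        foreach ($report as $event) {            // IDS_Report iterates over IDS_Event objects
            $filterIds = array();
            foreach ($event->getFilters() as $filter) {
                $filterIds[] = $filter->getId();  // the "ID: 18" style numbers from the report
            }
            $hits[$event->getName()] = array(
                'impact'  => $event->getImpact(),
                'tags'    => $event->getTags(),
                'filters' => $filterIds,
            );
        }
    }
    return array('impact' => $report->getImpact(), 'hits' => $hits);
}

/**
 * Split an Apache request-line URI into named GET parameters, the shape
 * PHPIDS expects, so each value is judged on its own rather than the whole line.
 */
function requestFromUri($uri)
{
    $get   = array();
    $query = parse_url($uri, PHP_URL_QUERY);
    if ($query !== null && $query !== false) {
        parse_str($query, $get);
    }
    return array('GET' => $get);
}

function describe($label, array $summary)
{
    printf("%-20s total impact %d\n", $label, $summary['impact']);
    foreach ($summary['hits'] as $name => $hit) {
        printf("  %s: impact %d, filters [%s], tags [%s]\n", $name,
            $hit['impact'], implode(',', $hit['filters']), implode(',', $hit['tags']));
    }
}

// Constructed input, modelled on the request line quoted in post #6.
$logUri = '/Repo/index.html?dir=Admin Archive/GUI Project (Unfinished)/inc/&sort=filename&sort_mode=a';

// 1. Whole request line as one anonymous value: this is what produces "Variable: 0".
describe('whole request line', scanRequest(array($logUri), $init));

// 2. The same request as named parameters, as recommended above.
describe('named parameters', scanRequest(requestFromUri($logUri), $init));

// 3. A POST field as the application sees it. The alert mail shows the value
//    form-encoded (+ for space, %0D%0A for CRLF), so decode it before replaying.
//    Paste the full string from the alert here to re-test after updating default_filter.xml.
$encodedLetter = 'Dear+Sir%2F+Madam%2C+%0D%0AI+am+pleased+to+present+my+curriculum+vitae+to+you+for+the+position+of+Language+A+teaching.';
describe('POST.app_letter', scanRequest(array('POST' => array('app_letter' => urldecode($encodedLetter))), $init));
```

Run it from the command line with `php scan.php` (file name assumed). Comparing the first two outputs shows how much of the noise came from scanning the raw request line rather than from the parameter values themselves; the third case is the quickest way to answer the "should I just replace the file?" question, since the filter IDs it prints either disappear after the update or tell you exactly which rule still fires. If a free-text field keeps tripping rules after that, PHPIDS's `General` section also has an `exceptions[]` list that exempts a named parameter from scanning, but exempting a field that is later rendered or stored unescaped removes the only check it had, so fix the rule or the output encoding first.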

  8. #8
    New User
    Joined
    07.01.2012
    Posts
    2
    Quote: Originally posted by .mario
    Well - having a look at the string data..

    Code:
    /Repo/index.html?dir=Admin Archive/GUI Project (Unfinished)/inc/&sort=filename&sort_mode=a
    This has all it needs for a potential attack attempt - parentheses, suspicious substrings, etc. I'd recommend having a look at the actual parameters - and not the full request URI / query string. This should drastically reduce the false alert ratio.
    Alright, will do, thanks.

    It's a great script either way.
    Smoking Scripts Daily
