Re: [mod-security-users] False Positives - SQL Injection & SugarCRM

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Ryan,<br>
&nbsp;&nbsp;&nbsp; I will upgrade ASAP and let you know if we still see the FPs for
these rules.<br>
<br>
Thanks for the heads up!<br>
<br>
CTD<br>
<br>
Ryan Barnett wrote:
<blockquote
 cite="mid:50E...@mi..."
 type="cite">
  <blockquote type="cite">
    <pre wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a> 
[<a class="moz-txt-link-freetext" href="mailto:mod...@li...">mailto:mod...@li...</a>] On 
Behalf Of Clayton Dillard
Sent: Tuesday, August 05, 2008 3:26 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a>
Subject: [mod-security-users] False Positives - SQL Injection 
&amp; SugarCRM

I've read a bit on false positive handling but I need some help
determining how the rule should be modified in our case.  I 
have pasted
some details regarding the events below.  Any help would be much
appreciated.

It looks like the Cookies and the User-Agent are the cause but I'm not
sure what to change.

thank you,
    </pre>
  </blockquote>
  <pre wrap=""><!---->

A few comments -

1) I suggest you upgrade Mod - I see you are using 2.5.1 and 2.5.6 was
just released.  There are some issues with caching that we fixed (and
can cause some problems with rules).  I suggest you upgrade if possible.

2) I also see that you are using v1.6.0 of the Core Rules.  We found
issues with that version of rule set and the current version is 1.6.1.
In the 1.6.1 version, we actually have the rule that you referenced
commented out (due to FPs).

If you upgrade and still have the same problems, let me know.
  </pre>
</blockquote>
</body>
</html>