wreiske / apache-scalp

Automatically exported from code.google.com/p/apache-scalp

A bunch of false positives #3

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi Romain!

    I've been testing scalp with a log file that I got from a friend and
it's sending me lots of false positives. I'm reporting them, hoping that
you fix them in the 0.5 version =)

    ### Impact 5
    67.195.37.122 - - [04/Dec/2008:02:36:04 -0200] "GET /QP/index.php?view=article&id=1:principal&tmpl=component&print=1&page= HTTP/1.0" 200 4053 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
    Reason: "Detects JavaScript with(), ternary operators and XML predicate attacks"

    ### Impact 4
    190.27.11.202 - - [01/Dec/2008:15:21:58 -0200] "GET /QP/index.php?view=article&id=3%3Aiso-9000&tmpl=component&print=1&page=&option=com_content&Itemid=3 HTTP/1.1" 200 16143 "http://www.google.com.co/search?hl=es&q=motivacion+implementacion+iso+9000&start=30&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    Reason: "Detects JavaScript object properties and methods"

    ### Impact 3
    201.252.60.230 - - [01/Dec/2008:00:04:18 -0200] "GET /QP/index.php?option=com_content&view=article&id=6&Itemid=6 HTTP/1.1" 200 9062 "http://qperformance.com.ar/QP/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
    Reason: "Detects very basic XSS probings"

    201.252.60.230 - - [01/Dec/2008:00:02:45 -0200] "GET /QP/templates/system/css/error.css HTTP/1.1" 200 1672 "http://qperformance.com.ar/QP/index.php?option=com_content&view=article&id=4#content" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
    Reason: "Detects specific directory and path traversal"

Original issue reported on code.google.com by andres.riancho@gmail.com on 29 Dec 2008 at 2:01

GoogleCodeExporter commented 9 years ago
@andres

Scalp! alerts are based on PHPIDS. If you find false positives please let them
know by posting this information to the PHPIDS filters forum:
http://forum.php-ids.org/?CategoryID=8

Thank you,
Don C. Weber 

Original comment by cutaways...@gmail.com on 29 Dec 2008 at 8:52

GoogleCodeExporter commented 9 years ago
Ok, but in the PHP-IDS they'll tell me that it's a scalp problem :(

Original comment by andres.riancho@gmail.com on 29 Dec 2008 at 8:55

GoogleCodeExporter commented 9 years ago
@cutawaysecurity:
It is absolutely possible that the problem is due to scalp. Even if the regexps
are coming from the PHP-IDS project, there are some manipulations to do on the
log lines in order to decrease the false negatives/positives.
Especially this part:
  http://code.google.com/p/apache-scalp/source/browse/branches/scalp-0.4.py#226

@andres:
Thanks for the report, I will look at this when I have a bit more time. It
looks like these are bad false positives; these are simple GET content.

Original comment by romain.g...@gmail.com on 29 Dec 2008 at 9:04
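
The point made in the comment above, that the log line has to be taken apart and decoded before the PHPIDS-style patterns are applied, is easy to demonstrate. The following is an added example written for this thread, not code from apache-scalp or PHPIDS. It parses Apache combined-format lines, runs a rule over the decoded request parameters only, and contrasts that with running the same rule over the raw line. The two `*_TERNARY` patterns are constructed stand-ins for the "JavaScript ternary operators" rule mentioned in the first report; they are not the real PHPIDS filter. The first two sample lines are the ones quoted in the report; the third is constructed here so that a percent-encoded `a?1:2` sits in a parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format:
#   host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed stand-ins for a "JavaScript ternary" rule (NOT the PHPIDS filter).
# LOOSE fires on any  word:word  pair; STRICT also demands the leading "?".
LOOSE_TERNARY = re.compile(r'\w+\s*:\s*\w+')
STRICT_TERNARY = re.compile(r'\?\s*[\w"\']+\s*:\s*[\w"\']+')

# Sample input: lines 1 and 2 are quoted from this issue; line 3 is constructed
# here and carries "a?1:2" percent-encoded inside the q parameter.
SAMPLE_LINES = [
    '67.195.37.122 - - [04/Dec/2008:02:36:04 -0200] "GET /QP/index.php?view=article'
    '&id=1:principal&tmpl=component&print=1&page= HTTP/1.0" 200 4053 "-" '
    '"Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '190.27.11.202 - - [01/Dec/2008:15:21:58 -0200] "GET /QP/index.php?view=article'
    '&id=3%3Aiso-9000&tmpl=component&print=1&page=&option=com_content&Itemid=3 HTTP/1.1" '
    '200 16143 "http://www.google.com.co/search?hl=es&q=motivacion+implementacion+iso+9000'
    '&start=30&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '10.0.0.1 - - [01/Jan/2009:00:00:00 +0000] "GET /index.php?q=a%3F1%3A2 HTTP/1.1" '
    '200 10 "-" "constructed-client/1.0"',
]


def parse_log_line(line):
    """Split one combined-format line into fields and decode the request target.

    Returns None for lines that do not match the format; a real scanner should
    count those rather than silently drop them.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote_plus(parts.path)
    # parse_qsl percent-decodes the values; keep_blank_values keeps "page=" visible
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def scan_raw(line, pattern):
    """Naive approach: run the rule over the whole raw log line (timestamp, referer, agent included)."""
    return [m.group(0) for m in pattern.finditer(line)]


def scan_decoded(rec, pattern):
    """Run the rule only over the decoded, client-controlled request fields."""
    hits = []
    if pattern.search(rec["path"]):
        hits.append(("path", rec["path"]))
    for name, value in rec["params"]:
        if pattern.search(value):
            hits.append((name, value))
    return hits


def triage(line):
    """Compare raw vs decoded scanning with both rule variants for one line."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    return {
        "host": rec["host"],
        "raw_loose": scan_raw(line, LOOSE_TERNARY),
        "raw_strict": scan_raw(line, STRICT_TERNARY),
        "decoded_loose": scan_decoded(rec, LOOSE_TERNARY),
        "decoded_strict": scan_decoded(rec, STRICT_TERNARY),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample))
```

Run against the three lines, the raw/loose combination fires on every line because the timestamp alone contains `2008:02`-style pairs, and it still fires on `id=1:principal`, which is exactly the kind of benign Joomla-style value in the report. Restricting the match to decoded parameters removes the timestamp noise but the loose rule still trips on `1:principal` and `3:iso-9000`; only the stricter shape leaves those alone while catching the constructed `a?1:2`, which the raw scan misses entirely because it was percent-encoded. Both the decoding step and the rule's precision matter, and they have to be judged separately when deciding whether a false positive belongs to the log pre-processing or to the filter.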

GoogleCodeExporter commented 9 years ago
@andres
Sorry about the confusion.

@romain
I apologize, I thought this was a no brainer.

Original comment by cutaways...@gmail.com on 29 Dec 2008 at 10:25

GoogleCodeExporter commented 9 years ago
Changed ownership

Original comment by cutaways...@gmail.com on 29 Dec 2008 at 11:00

GoogleCodeExporter commented 9 years ago

Original comment by romain.g...@gmail.com on 9 Jan 2009 at 12:23

GoogleCodeExporter commented 9 years ago
I use

----
./scalp-0.4.py -l ./logs/access_log.90.gz -f ./default_filter.xml -o ./scalp-output --html
----

Original comment by kendall....@gmail.com on 12 May 2009 at 2:10