Control Web Panel
Developers => Suggestions => Topic started by: zeejdeej on November 12, 2024, 01:18:25 PM
-
hello,
Kindly update the Comodo WAF rules for mod_security in CWP, as the new version of the WAF rules has many fixes for known issues. It has been pending for a long time.
Regards,
Zee
-
It looks like when Comodo was bought out the WAF rules got dropped.
The last ruleset version, 1.241, came out on 2024-01-21 and fixed the WordPress bug; you can update to it manually.
-
Can you please tell me how to update the Comodo WAF rules manually? I am new :(
-
> It looks like when Comodo was bought out the WAF rules got dropped.
> The last ruleset version, 1.241, came out on 2024-01-21 and fixed the WordPress bug; you can update to it manually.
Can you please help me update the Comodo WAF rules to the latest version manually? I am new to this :-[
-
@ CWP Development Team
Kindly do it for everyone, as it's hardly a few minutes' job for you guys and it will help all CWP users. :) :) :)
-
Comodo was bought out by another company.
You can try to register for an account and download the last ruleset, 1.241, from https://waf.comodo.com
Let me know if it works, as I haven't been able to log in for a couple of months now.
Not sure if @overseer has been able to or not.
If not, you can visit one of our US mirrors at: https://m3.stl.us.ssimn.org/Comodo-Rules/
The latest ruleset I know of is 1.241; unzip that on your local computer and upload the files from Rules to your server at /usr/local/apache/modsecurity-cwaf/rules
The easiest way is using the SFTP built into Bitvise after you have logged in via SSH.
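The upload step described in this post can also be finished server-side once the archive is unpacked. The script below is an added example, not from the thread, CWP or Comodo: it swaps the unpacked Rules folder into the directory named above, keeps a dated backup, and only reloads Apache when the configuration test passes, restoring the backup otherwise. That the old directory is replaced wholesale rather than merged is this example's assumption; the CWAF_CONFIGTEST and CWAF_RELOAD variables are also its own, for dry runs.

```bash
# Added example (not from the thread, CWP or Comodo): install an unpacked Comodo rule set
# into the CWP rules directory with a dated backup, an Apache config test and rollback.
# Usage: install_cwaf_rules /path/to/unzipped/Rules [/usr/local/apache/modsecurity-cwaf/rules]
# CWAF_CONFIGTEST / CWAF_RELOAD override the Apache commands (assumption of this example).
install_cwaf_rules() {
    src="$1"
    dst="${2:-/usr/local/apache/modsecurity-cwaf/rules}"
    configtest="${CWAF_CONFIGTEST:-apachectl -t}"
    reload="${CWAF_RELOAD:-apachectl graceful}"

    [ -d "$src" ] || { echo "source directory not found: $src" >&2; return 1; }
    # refuse anything that does not look like a ModSecurity rule set
    n=$(find "$src" -maxdepth 1 -name '*.conf' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no .conf files in $src" >&2; return 1; }

    # move the whole old directory aside so no file from the previous version lingers
    backup=""
    if [ -d "$dst" ]; then
        backup="$dst.bak.$(date +%Y%m%d%H%M%S)"
        mv "$dst" "$backup" || return 1
    fi
    mkdir -p "$dst" && cp -R "$src"/. "$dst"/ || { echo "copy failed" >&2; return 1; }

    # only put the new rules live if Apache accepts them; otherwise restore the backup
    # ($configtest is intentionally unquoted: it is a command plus its arguments)
    if ! $configtest >/dev/null 2>&1; then
        echo "config test failed, restoring previous rules" >&2
        rm -rf "$dst"
        if [ -n "$backup" ]; then mv "$backup" "$dst"; fi
        return 1
    fi
    $reload >/dev/null 2>&1 || { echo "reload failed" >&2; return 1; }
    echo "installed $n rule files into $dst${backup:+ (backup: $backup)}"
}
```

If apachectl is not on the PATH the config test fails closed and the previous rules are restored, which is the intended conservative behaviour.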
-
1.241 is the latest version, per their Apache YAML file:
https://waf.comodo.com/doc/meta_comodo_apache.yaml
Their documentation literature speaks of "occasional" and "periodic" updates, so I guess early 2024 qualifies...
::)
And note that it is still Comodo -- they have just rebranded to Xcitium after their new flagship endpoint production product (read: $$$$).
https://www.nasdaq.com/press-release/comodo-security-solutions-rebrands-to-xcitium-2022-07-07
(This after a failed rebrand to Sectigo earlier...)
-
@overseer, are you able to log in to https://waf.comodo.com? I'm still getting the same error I've been getting for months now.
I've tried contacting them via their email address & forums without success.
-
> @overseer, are you able to log in to https://waf.comodo.com? I'm still getting the same error I've been getting for months now.
> I've tried contacting them via their email address & forums without success.
I am also not able to log in to my Comodo account at https://waf.comodo.com
The URL below doesn't work either:
https://m3.stl.us.ssimn.org/Comodo-Rules/
-
> Comodo was bought out by another company.
> You can try to register for an account and download the last ruleset, 1.241, from https://waf.comodo.com
> Let me know if it works, as I haven't been able to log in for a couple of months now.
> Not sure if @overseer has been able to or not.
> If not, you can visit one of our US mirrors at: https://m3.stl.us.ssimn.org/Comodo-Rules/
> The latest ruleset I know of is 1.241; unzip that on your local computer and upload the files from Rules to your server at /usr/local/apache/modsecurity-cwaf/rules
> The easiest way is using the SFTP built into Bitvise after you have logged in via SSH.
@Starburst, if you have the Comodo WAF 1.241 rules, can you please make a zip file and share it with me, as I can't find it anywhere on the net to download from :(
-
I switched to the latest OWASP WAF rules, but they don't seem to be triggering rules: I tried the following, but instead of blocking, the website opened normally.
https://droppy.pk/?SELECT * FROM mysql.users
or
http://droppy.pk/?test=/etc/passwd
and in the logs I get this:
-----------------------------------------------------------------------------
[Fri Nov 15 08:22:54.697941 2024] [:error] [pid 1240692:tid 1240745] [client 182.183.59.223:49493] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/handler/getjstranslation"] [unique_id "Zzb2zmxzeCbNjj3Zw9xjvgAAAIs"], referer: https://droppy.pk/?SELECT%20*%20FROM%20mysql.users
[Fri Nov 15 08:22:54.697362 2024] [:error] [pid 1240692:tid 1240745] [client 182.183.59.223:49493] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/handler/getjstranslation"] [unique_id "Zzb2zmxzeCbNjj3Zw9xjvgAAAIs"], referer: https://droppy.pk/?SELECT%20*%20FROM%20mysql.users
[Fri Nov 15 08:22:54.168467 2024] [:error] [pid 1240692:tid 1240750] [client 182.183.59.223:49493] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/themes/modern/css/style.css"] [unique_id "Zzb2zmxzeCbNjj3Zw9xjvQAAAI0"], referer: https://droppy.pk/?SELECT%20*%20FROM%20mysql.users
[Fri Nov 15 08:22:54.167868 2024] [:error] [pid 1240692:tid 1240750] [client 182.183.59.223:49493] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/themes/modern/css/style.css"] [unique_id "Zzb2zmxzeCbNjj3Zw9xjvQAAAI0"], referer: https://droppy.pk/?SELECT%20*%20FROM%20mysql.users
[Fri Nov 15 08:22:53.797438 2024] [:error] [pid 1242044:tid 1242048] [client 182.183.59.223:49492] [client 182.183.59.223] ModSecurity: Warning. Found 4 byte(s) in ARGS_NAMES:SELECT * FROM mysql.users outside range: 38,44-46,48-58,61,65-90,95,97-122. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1501"] [id "920273"] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:SELECT * FROM mysql.users=SELECT * FROM mysql.users"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "paranoia-level/4"] [hostname "droppy.pk"] [uri "/"] [unique_id "Zzb2zV2B16OYtZuRIUyWzwAAAMI"]
[Fri Nov 15 08:22:53.797161 2024] [:error] [pid 1242044:tid 1242048] [client 182.183.59.223:49492] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/"] [unique_id "Zzb2zV2B16OYtZuRIUyWzwAAAMI"]
[Fri Nov 15 08:22:53.796455 2024] [:error] [pid 1242044:tid 1242048] [client 182.183.59.223:49492] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/"] [unique_id "Zzb2zV2B16OYtZuRIUyWzwAAAMI"]
[Fri Nov 15 08:22:25.022988 2024] [:error] [pid 1240690:tid 1240715] [client 182.183.59.223:49486] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/backgrounds/default_1.jpg"] [unique_id "Zzb2sRFWEN9VqJUDmOxF9gAAABU"], referer: http://droppy.pk/
[Fri Nov 15 08:22:25.018234 2024] [:error] [pid 1240690:tid 1240715] [client 182.183.59.223:49486] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/backgrounds/default_1.jpg"] [unique_id "Zzb2sRFWEN9VqJUDmOxF9gAAABU"], referer: http://droppy.pk/
[Fri Nov 15 08:22:17.129025 2024] [:error] [pid 1242044:tid 1242068] [client 182.183.59.223:49478] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/backgrounds/default_2.jpg"] [unique_id "Zzb2qV2B16OYtZuRIUyWzgAAANY"], referer: http://droppy.pk/
[Fri Nov 15 08:22:17.127896 2024] [:error] [pid 1242044:tid 1242068] [client 182.183.59.223:49478] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/backgrounds/default_2.jpg"] [unique_id "Zzb2qV2B16OYtZuRIUyWzgAAANY"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.966470 2024] [:error] [pid 1240692:tid 1240742] [client 182.183.59.223:49477] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/handler/getjstranslation"] [unique_id "Zzb2o2xzeCbNjj3Zw9xjvAAAAIo"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.965929 2024] [:error] [pid 1240692:tid 1240742] [client 182.183.59.223:49477] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/handler/getjstranslation"] [unique_id "Zzb2o2xzeCbNjj3Zw9xjvAAAAIo"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.790194 2024] [:error] [pid 1240690:tid 1240712] [client 182.183.59.223:49475] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/themes/modern/mecwbjnp.json"] [unique_id "Zzb2oxFWEN9VqJUDmOxF9QAAABI"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.789808 2024] [:error] [pid 1240690:tid 1240712] [client 182.183.59.223:49475] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/themes/modern/mecwbjnp.json"] [unique_id "Zzb2oxFWEN9VqJUDmOxF9QAAABI"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.788819 2024] [:error] [pid 1240691:tid 1240744] [client 182.183.59.223:49476] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/themes/modern/rhvddzym.json"] [unique_id "Zzb2oyJ1bJ7aspqJdiGglQAAAEs"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.788237 2024] [:error] [pid 1240691:tid 1240744] [client 182.183.59.223:49476] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/themes/modern/rhvddzym.json"] [unique_id "Zzb2oyJ1bJ7aspqJdiGglQAAAEs"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.759787 2024] [:error] [pid 1240690:tid 1240711] [client 182.183.59.223:49474] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/themes/modern/lupuorrc.json"] [unique_id "Zzb2oxFWEN9VqJUDmOxF9AAAABE"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.759077 2024] [:error] [pid 1240690:tid 1240711] [client 182.183.59.223:49474] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "droppy.pk"] [uri "/assets/themes/modern/lupuorrc.json"] [unique_id "Zzb2oxFWEN9VqJUDmOxF9AAAABE"], referer: http://droppy.pk/
[Fri Nov 15 08:22:11.069038 2024] [:error] [pid 1242044:tid 1242064] [client 182.183.59.223:49466] [client 182.183.59.223] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "droppy.pk"] [uri "/assets/themes/modern/css/style.css"] [unique_id "Zzb2o12B16OYtZuRIUyWzQAAANI"], referer: http://droppy.pk/
-
I'm guessing your country code is PK?
That's probably why you can't connect.
Try the link now.
-
> I'm guessing your country code is PK?
> That's probably why you can't connect.
> Try the link now.
Yes, it's working now, thanks a lot for your help.
So should I just unzip all the files to the /usr/local/apache/modsecurity-cwaf/rules location on my server and that's it? Will it update and install the new rules automatically, or do I have to remove the old rule files from this location first?
-
I just updated the rules to version 1.241, but it's the same issue: all WordPress sites are being blocked. Only the first page opens, and if I click on any other link on a WordPress website it is blocked by a Comodo WAF rule.
-
I switched back to the latest OWASP rules, but they are not blocking malicious attempts. I can see in the logs that they are detecting, but the attempt is not blocked :-[
On the other hand, the Comodo WAF rules keep blocking everything :-\ Before the last update everything was fine, and the Comodo WAF rules were the best.
-
The Comodo fix was for WooCommerce.
What rule does the WAF show being triggered by WordPress?
Haven't seen any conflict with Comodo and WordPress on AL8 or AL9.
-
> The Comodo fix was for WooCommerce.
> What rule does the WAF show being triggered by WordPress?
> Haven't seen any conflict with Comodo and WordPress on AL8 or AL9.
I am using AlmaLinux 9 with the Comodo WAF rules that you shared, i.e. installed version 1.241.
It's blocking all WordPress websites: only the main page opens, and if I click on any other link or page on the site it blocks. See the logs below if you can figure out what's wrong:
[Sat Nov 16 03:50:54.257704 2024] [:error] [pid 1330522:tid 1330564] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIjkgvZjUGsoby_ov1fQAAAIQ"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:54.020822 2024] [:error] [pid 1330522:tid 1330563] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIjkgvZjUGsoby_ov1fAAAAIM"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:52.725801 2024] [:error] [pid 1330522:tid 1330562] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIjEgvZjUGsoby_ov1ewAAAII"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:46.468741 2024] [:error] [pid 1330502:tid 1330505] [client 182.183.59.223:64830] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/blog/"] [unique_id "ZzgIhpCaZKKW28uOR-L7sQAAAAA"]
[Sat Nov 16 03:48:36.874131 2024] [:error] [pid 1330019:tid 1330074] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIBLel4_HzjjsBKm1tKwAAAIo"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:36.672057 2024] [:error] [pid 1330019:tid 1330064] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/blog/"] [unique_id "ZzgIBLel4_HzjjsBKm1tKgAAAIA"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:35.337429 2024] [:error] [pid 1330095:tid 1330097] [client 182.183.59.223:64812] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/uploads/2024/07/WhatsApp-Video-2024-07-03-at-1.45.39-PM.mp4"] [unique_id "ZzgIA_A-4WHASGySwtqn9gAAAMA"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.872764 2024] [:error] [pid 1330019:tid 1330072] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/uploads/elementor/css/post-8371.css"] [unique_id "ZzgIArel4_HzjjsBKm1tKQAAAIg"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.846642 2024] [:error] [pid 1330095:tid 1330120] [client 182.183.59.223:64812] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIAvA-4WHASGySwtqn9QAAANc"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.698242 2024] [:error] [pid 1330007:tid 1330042] [client 182.183.59.223:64811] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-includes/images/w-logo-blue-white-bg.png"] [unique_id "ZzgIAnBkV9IysqCAxkWtOgAAAEk"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.632827 2024] [:error] [pid 1330095:tid 1330119] [client 182.183.59.223:64803] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/favicon.ico"] [unique_id "ZzgIAvA-4WHASGySwtqn9AAAANY"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.406136 2024] [:error] [pid 1330095:tid 1330113] [client 182.183.59.223:64803] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIAvA-4WHASGySwtqn8wAAANA"], referer: https://karimsonline.com/
-
[Sat Nov 16 04:08:49.493070 2024] [:error] [pid 1333365:tid 1333386] [client 182.183.59.223:63036] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:21|||ep=https://fizascollection.co.uk/|||rf=(none)"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "fizascollection.co.uk"] [uri "/favicon.ico"] [unique_id "ZzgMwaSdHEb44HSsRSRFyAAAAEA"], referer: https://fizascollection.co.uk/
[Sat Nov 16 04:08:48.967452 2024] [:error] [pid 1333365:tid 1333390] [client 182.183.59.223:63036] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:21|||ep=https://fizascollection.co.uk/|||rf=(none)"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "fizascollection.co.uk"] [uri "/"] [unique_id "ZzgMwKSdHEb44HSsRSRFxwAAAEI"]
-
The problem looks like a WordPress plugin called Burst Statistics.
Disable that plugin, and see if the error goes away.
Programmers sometimes use malicious code in valid programs, which can give 'false positives'.
If the error goes away, maybe check out MonsterInsights instead.
Only other option would be to disable the rule being triggered - 22_SQL_SQLi.conf
But I never recommend doing that, because it could leave the system open to attack.
-
Try to disable the mod_security rule 218500 by adding the following lines into .htaccess located in the document root of the website(s):
<IfModule mod_security2.c>
SecRuleRemoveById 218500
</IfModule>
OR
If you want to disable the rule globally (for all websites) then put the line:
SecRuleRemoveById 218500
into the file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
and then restart Apache/HTTPD.
-
Yes, it worked after disabling rule 218500 with SecRuleRemoveById, but the Comodo WAF rules keep switching back to 1.240 after a while automatically. I do update to 1.241 and it shows for a while, but then reverts back to 1.240.
-
When does it happen? After the CWP update or some other action?
As a test, update the rules, then run the CWP update:
/scripts/update_cwp
and then check if the rules version stays intact.
-
The ruleset version should stay the same unless you are switching back & forth between Comodo and OWASP.
ID 218500 was a bug between 1.240 with WooCommerce.
Burst Statistics must use some of the same buggy code then.
-
Why are the Comodo WAF rules not updated automatically in CWP Pro like they were before? They have not been updated for a long time.
-
The Comodo ruleset isn't a CWP problem.
I can't log in with my UN/PW on their site for months now - waf.comodo.com (http://waf.comodo.com)
Seems like the new company who took them over wants you to buy their ruleset.
They also haven't responded to emails.
So at this point I'm saying that ruleset is dead, thanks to another takeover.
-
I agree that it is dead. But the problem with Comodo being dead is that it forces most of us who use free rulesets to migrate to the only known free alternative, which is the OWASP rules.
And that certainly can't be done overnight.
And whoever wants to take on this challenge will have to do some digital juggling to get both rulesets working, putting OWASP in a log-only (no blocks) state while collecting logs and statistics to include its whitelists.
It's a medium-term problem, but it's a very serious problem, and must be worked on from now.
-
I tried that juggling, and it didn't work.
There is a problem with the OWASP latest ruleset that I've notified CWP about.
I've only found 2 semi-good replacements, but both are paid:
https://malware.expert/ (https://malware.expert/)
https://atomicorp.com/modsecurity-rules/ (https://atomicorp.com/modsecurity-rules/)
And then there is of course the company who bought Comodo, Xcitium. But their website doesn't even work.
-
I switched back to the OWASP latest rules, but they are not blocking malicious attempts. I can see in the logs that it's detecting, but the attempt is not blocked :-[
On the other hand, the Comodo WAF rules keep blocking everything :-\ Before the last update everything was fine and the Comodo WAF rules were the best.
Yea, there is a bug CWP has been made aware of with the OWASP latest not working.
-
I switched back to the OWASP latest rules, but they are not blocking malicious attempts. I can see in the logs that it's detecting, but the attempt is not blocked :-[
On the other hand, the Comodo WAF rules keep blocking everything :-\ Before the last update everything was fine and the Comodo WAF rules were the best.
Yea, there is a bug CWP has been made aware of with the OWASP latest not working.
To avoid this, you can use the OWASP ruleset in "Anomaly Scoring Mode". Instead of blocking each rule individually, as is done in Comodo, a set of rules is evaluated and, if it reaches a certain score, only then is it blocked. This is a very powerful way of blocking. Even so, you should always analyze the ruleset, starting at level 1, the most secure in terms of no false positives, and increasing the level as you add whitelists.
There are plugins for phpMyAdmin, Roundcube and WordPress, but they need to be tested and adapted for each case. However, it is much less work than building the exceptions from scratch.
From OWASP page:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/crs-setup.conf.example
"
The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
"
-
I tried that juggling, and it didn't work.
There is a problem with the OWASP latest ruleset that I've notified CWP about.
I've only found 2 semi-good replacements, but both are paid:
https://malware.expert/ (https://malware.expert/)
https://atomicorp.com/modsecurity-rules/ (https://atomicorp.com/modsecurity-rules/)
And then there is of course the company who bought Comodo, Xcitium. But their website doesn't even work.
There is a possibility, for those who use nginx<->*<->Apache.
You can install Comodo on Apache, in normal operation mode, and OWASP on nginx, in log-only mode.
I haven't tested it yet, but it's an idea, and I'll test it very soon.
-
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IPs and send notifications.
-
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IPs and send notifications.
Are you referring to the lfd rules?
It may just be a matter of getting the regex right.
Here are some rules that work for me:
In file '/etc/csf/csf.conf':
CUSTOM4_LOG = "/usr/local/cwpsrv/logs/*_log"
In file '/usr/local/csf/bin/regex.custom.pm':
# CWP Failed Login Protection (cwpsrv access log: login page answered login=failed)
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\-\s+\-\s+\[\S+\/\S+\/\S+:\S+:\S+\s+\-\d{4}\].*\/login\/index\.php\?login\=failed/)) {
$ip = $1; $ip =~ s/:\w+//;   # drop a trailing :port if one was captured
return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
# CWP Failed Login Protection (cwpsrv error log: password mismatch)
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\":\spassword\smismatch,\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
$ip = $2; $ip =~ s/:\w+//;   # $1 is the hour, $2 the client address
return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
# CWP Failed Login Protection (cwpsrv error log: user not found in htpasswd)
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\"\swas\snot\sfound\sin\s\"\/usr\/local\/cwpsrv\/conf\/htpasswd\",\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
$ip = $2; $ip =~ s/:\w+//;   # $1 is the hour, $2 the client address
return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
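To confirm that the three regex.custom.pm patterns above really match what the cwpsrv logs contain before relying on lfd, here is an added Python port of them run over constructed log lines. It is not CSF code; the addresses, timestamps and process ids are made up, and the three rule names are labels chosen for this example:

```python
"""Offline check of the three lfd custom-regex blocks posted above, ported
from Perl to Python. Added example: this is not CSF/lfd code, and the log
lines are constructed, not captured from a real server."""
import re
from collections import Counter

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# nginx error-log prefix shared by the two cwpsrv error-log patterns,
# e.g. "2024/11/16 03:49:01 [error] 1330007#0: *17 "
NGINX_ERR = (r"^\d{4}/\d{2}/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]"
             r"\s\[error\]\s\d+#\d+:\s\*\d+\s")
TAIL = r',\sserver:\slocalhost,\srequest:\s"(POST|GET)\s.*'

# (label, compiled regex, capture group holding the client IP), in the order
# regex.custom.pm tests them. The group number differs because the error-log
# patterns capture the hour first.
RULES = (
    ("cwp-login-failed",                               # cwpsrv access log
     re.compile(r"^" + IPV4 + r"\s+-\s+-\s+\[\S+/\S+/\S+:\S+:\S+\s+-\d{4}\]"
                r".*/login/index\.php\?login=failed"), 1),
    ("cwp-password-mismatch",                          # cwpsrv error log
     re.compile(NGINX_ERR + r'user\s"\w+":\spassword\smismatch,\sclient:\s'
                + IPV4 + TAIL), 2),
    ("cwp-user-not-found",                             # cwpsrv error log
     re.compile(NGINX_ERR + r'user\s"\w+"\swas\snot\sfound\sin\s'
                r'"/usr/local/cwpsrv/conf/htpasswd",\sclient:\s' + IPV4 + TAIL), 2),
)


def match_failed_login(line):
    """Return (label, client ip) for a line one of the rules would act on,
    else None. Applies the same s/:\\w+// port strip as the Perl code."""
    for label, rx, group in RULES:
        m = rx.match(line)
        if m:
            return label, re.sub(r":\w+", "", m.group(group))
    return None


def failed_logins_per_ip(lines):
    """Count matching lines per client IP, which is what lfd compares with
    the trigger count (5 in the posted rules)."""
    counts = Counter()
    for line in lines:
        hit = match_failed_login(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def ips_to_block(lines, trigger=5):
    """Addresses that reached the trigger count, sorted for stable output."""
    return sorted(ip for ip, n in failed_logins_per_ip(lines).items() if n >= trigger)


# Constructed sample of /usr/local/cwpsrv/logs/*_log content
SAMPLE_LINES = [
    '203.0.113.7 - - [16/Nov/2024:03:48:34 -0500] "GET /login/index.php?login=failed HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2024/11/16 03:49:20 [error] 1330007#0: *23 user "nobody" was not found in "/usr/local/cwpsrv/conf/htpasswd", client: 203.0.113.9, server: localhost, request: "GET /login/index.php HTTP/1.1"',
    # a plain 404 from the same error log: must not count as a failed login
    '2024/11/16 03:50:00 [error] 1330007#0: *24 open() "/usr/local/cwpsrv/htdocs/missing.png" failed (2: No such file or directory), client: 198.51.100.3, server: localhost, request: "GET /missing.png HTTP/1.1"',
] + [
    f'2024/11/16 03:49:{sec:02d} [error] 1330007#0: *{17 + i} user "admin": password mismatch, client: 203.0.113.8, server: localhost, request: "POST /login/index.php HTTP/1.1"'
    for i, sec in enumerate((1, 4, 9, 12, 15))
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_failed_login(line), "<-", line[:60])
    print("per-ip:", failed_logins_per_ip(SAMPLE_LINES))
    print("would block:", ips_to_block(SAMPLE_LINES))
```

Paste a few real lines from the `*_log` files into SAMPLE_LINES: any line that comes back as None is one lfd will never act on, which is the usual cause of "I see it in the logs but CSF refuses to add the IP". Note that a line has to match the whole pattern, so a changed log format (a different `server:` name, an extra field) silently disables the rule.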
-
The defaults are:
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/maillog"
POP3D_LOG = "/var/log/dovecot-info.log"
IMAPD_LOG = "/var/log/dovecot-info.log"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"
CWP_LOG = "/var/log/cwp_client_login.log"
CUSTOM1_LOG = "/var/log/cwp_client_login.log"
CUSTOM2_LOG = "/usr/local/apache/domlogs/*.log"
I followed the OWASP docs, and changed MODSEC_LOG to MODSEC_LOG = "/usr/local/apache/logs/modsec_audit.log"
When that failed, I added it to the next empty custom entry CUSTOM3_LOG, still no joy.
I've put another paid ticket in to CWP.
They argued the last ticket that didn't solve the problem was closed as being 'resolved'.
What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if you view the ModSecurity log.
Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.
Also have a virtual meeting with Xcitium (company who bought Comodo) next week, to find out what their plans are for the future of that ruleset.
Because right now it's dead.
Hopefully this will get resolved.
I'm not sure about anyone else, but this simple thing has turned into a large cluster.
-
The defaults are:
(...)
What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if you view the ModSecurity log.
What is your coreruleset version, ModSecurity version, and ModSecurity-nginx version?
(...)
Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.
Must be noted here too that the OWASP rules I have posted will work with CWP because it is based on the 'nginx' server (see the path is /usr/local/cwpsrv/logs/); that will work only with ModSecurity 3.0.x and ModSecurity-nginx connector v1.0.3-24-gef64996. I have placed an issue on the ModSecurity-nginx website, because for some reason it is not working with newer versions, and that bug is still open to this date.
Also have a virtual meeting with Xcitium (company who bought Comodo) next week, to find out what their plans are for the future of that ruleset.
Because right now it's dead.
Hopefully this will get resolved.
I'm not sure about anyone else, but this simple thing has turned into a large cluster.
Very, very good.
This is what we need, a few simple impressions for that company, to not begin a coding marathon to workaround the problem.
-
We use Apache, and not Nginx.
There is more script support for Apache, and the performance benefit of Nginx is negligible.
OWASP old & Comodo both work fine, which is the odd thing.
If Xcitium did kill the free Comodo ruleset, that only leaves OWASP as the free one for users to choose.
-
I suppose a year is the breakpoint to say that Comodo WAF is dead. It might just be something Xcitium is neglecting in favor of their enterprise products (more lucrative). Time to press on...
-
Well looks like I got OWASP ruleset 4.11.0 working OK with ModSecurity on AL9.
Which is good, considering I activated it on a live production server, after I noticed I wasn't logged into my test box on my desk. :-[
I'll be posting a KB article later today.
But yea, when they split the company both halves started offering their own paid 'ruleset'.
The 'new' endpoint doesn't see CWP, only cPanel, DA, and Plesk and installs as a standalone, which doesn't play well with CWP.
-
Morning Y'all.
Have 2 new KB Articles on how to update ModSecurity for Apache in CWP under AL8 & AL9 and use the latest OWASP CRS ruleset:
https://kb.starburstservices.com/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-modsecurity-running-cwp-and-apache-on-almalinux-8-9/ (https://kb.starburstservices.com/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-modsecurity-running-cwp-and-apache-on-almalinux-8-9/)
https://kb.starburstservices.com/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-to-owasp-crs-ruleset-running-cwp-and-apache-on-almalinux-8-9/ (https://kb.starburstservices.com/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-to-owasp-crs-ruleset-running-cwp-and-apache-on-almalinux-8-9/)
Any feedback, let me know.
-
Appreciated, keep 'em coming!
-
And it works for both CWPfree and CWPpro. ;D
-
And it works for both CWPfree and CWPpro. ;D
Hi,
it really works... :)
When I replaced the line "/usr/local/apache/modsecurity-owasp-latest/coreruleset-4.11.0/owasp.conf" while updating the rules, it is shown in red in the configuration file; I guess it should be like this?
With the two ModSecurity and the rules updates, could I do something in the future to update them, check their sites, and follow similar steps?
BR
Venty
-
The only thing left is to:
nano crs-setup.conf
# SecDefaultAction "phase:1,log,auditlog,pass"
# SecDefaultAction "phase:2,log,auditlog,pass"
Uncomment:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
-
The only thing left is to:
nano crs-setup.conf
# SecDefaultAction "phase:1,log,auditlog,pass"
# SecDefaultAction "phase:2,log,auditlog,pass"
Uncomment:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
Hi,
thank you very much....
and that's all, will they update?
BR
Venty
-
The other never auto-updated either for some reason, but this manual update won't.
Path names would all change to the new version, so I'm not sure how a script might do this or not.