:):):) Comodo WAF rules update required :):):)

The Comodo fix was for WooCommerce.

What Rule does WAF show is being triggered by WordPress.

Haven't seen any conflict with Comodo and WordPress on AL8 or AL9.

The Comodo fix was for WooCommerce.

What Rule does WAF show is being triggered by WordPress.

Haven't seen any conflict with Comodo and WordPress on AL8 or AL9.

i am using AlmaLinux 9 with comodo waf rules that you shared i.e. Installed version: 1.241

its blocking all wordpress websites , only main page is opened and if i click on any other link or page on site it blocks, see below logs if you can figure out whats wrong


[Sat Nov 16 03:50:54.257704 2024] [:error] [pid 1330522:tid 1330564] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIjkgvZjUGsoby_ov1fQAAAIQ"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:54.020822 2024] [:error] [pid 1330522:tid 1330563] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIjkgvZjUGsoby_ov1fAAAAIM"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:52.725801 2024] [:error] [pid 1330522:tid 1330562] [client 182.183.59.223:64832] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIjEgvZjUGsoby_ov1ewAAAII"], referer: https://karimsonline.com/
[Sat Nov 16 03:50:46.468741 2024] [:error] [pid 1330502:tid 1330505] [client 182.183.59.223:64830] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/blog/"] [unique_id "ZzgIhpCaZKKW28uOR-L7sQAAAAA"]
[Sat Nov 16 03:48:36.874131 2024] [:error] [pid 1330019:tid 1330074] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIBLel4_HzjjsBKm1tKwAAAIo"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:36.672057 2024] [:error] [pid 1330019:tid 1330064] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/blog/"] [unique_id "ZzgIBLel4_HzjjsBKm1tKgAAAIA"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:35.337429 2024] [:error] [pid 1330095:tid 1330097] [client 182.183.59.223:64812] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/uploads/2024/07/WhatsApp-Video-2024-07-03-at-1.45.39-PM.mp4"] [unique_id "ZzgIA_A-4WHASGySwtqn9gAAAMA"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.872764 2024] [:error] [pid 1330019:tid 1330072] [client 182.183.59.223:64816] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/uploads/elementor/css/post-8371.css"] [unique_id "ZzgIArel4_HzjjsBKm1tKQAAAIg"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.846642 2024] [:error] [pid 1330095:tid 1330120] [client 182.183.59.223:64812] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/"] [unique_id "ZzgIAvA-4WHASGySwtqn9QAAANc"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.698242 2024] [:error] [pid 1330007:tid 1330042] [client 182.183.59.223:64811] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-includes/images/w-logo-blue-white-bg.png"] [unique_id "ZzgIAnBkV9IysqCAxkWtOgAAAEk"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.632827 2024] [:error] [pid 1330095:tid 1330119] [client 182.183.59.223:64803] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/favicon.ico"] [unique_id "ZzgIAvA-4WHASGySwtqn9AAAANY"], referer: https://karimsonline.com/
[Sat Nov 16 03:48:34.406136 2024] [:error] [pid 1330095:tid 1330113] [client 182.183.59.223:64803] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(??:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(??:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||karimsonline.com|F|2"] [data "Matched Data: |||rf=(none) found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:33|||ep=https:/karimsonline.com/|||rf=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "karimsonline.com"] [uri "/wp-content/plugins/burst-statistics/endpoint.php"] [unique_id "ZzgIAvA-4WHASGySwtqn8wAAANA"], referer: https://karimsonline.com/

[Sat Nov 16 04:08:49.493070 2024] [:error] [pid 1333365:tid 1333386] [client 182.183.59.223:63036] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(??:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:21|||ep=https://fizascollection.co.uk/|||rf=(none)"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "fizascollection.co.uk"] [uri "/favicon.ico"] [unique_id "ZzgMwaSdHEb44HSsRSRFyAAAAEA"], referer: https://fizascollection.co.uk/
[Sat Nov 16 04:08:48.967452 2024] [:error] [pid 1333365:tid 1333390] [client 182.183.59.223:63036] [client 182.183.59.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(??:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:sbjs_current_add. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:sbjs_current_add: fd=2024-11-16 02:48:21|||ep=https://fizascollection.co.uk/|||rf=(none)"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "fizascollection.co.uk"] [uri "/"] [unique_id "ZzgMwKSdHEb44HSsRSRFxwAAAEI"]

The problem looks like a WordPress plugin called Burst Statistics.

Disable that plugin, and see if the error goes away.
Programmers sometime use malicious code in valid programs, which can give 'false positives'.

If the error goes away, maybe check out MonsterInsights instead.

Only other option would be to disable the rule being triggered - 22_SQL_SQLi.conf

But I never recommend doing that, because it could leave the system open to attack.

Try to disable the mod_security rule 218500 by adding the following lines into .htaccess located in the document root of the website(s):

Code: [Select]

<IfModule mod_security2.c>
    SecRuleRemoveById 218500
</IfModule>

OR

If you want to disable the rule globally (for all websites) then put the line:

Code: [Select]

SecRuleRemoveById 218500into the file:

/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

and then restart Apache/HTTPD.

yes it worked after disabling SecRuleRemoveById 218500 but comodo waf rules keep switching back to 1.240 after a while automatically. i do update to 1.241 and it showed for a while but revert back to 1.240 

When does it happen ? After the CWP update or some other action ?

As a test update the rules, then run cwp update:

Code: [Select]

/scripts/update_cwpand then check if the rules version stay intact.

The ruleset version should stay the same unless you are switching back & forth between Comodo and OWASP.

ID 218500 was a bug between 1.240 with WooCommerce.
Burst Statistics must use some of the same buggy code then.