Author Topic: :):):) Comodo WAF rules update required :):):)  (Read 1188 times)


Re: :):):) Comodo WAF rules update required :):):)
« Reply #30 on: January 26, 2025, 11:02:50 PM »
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IPs and send notifications.

Re: :):):) Comodo WAF rules update required :):):)
« Reply #31 on: January 27, 2025, 10:36:31 PM »
Quote
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IPs and send notifications.

Are you referring to the lfd rules?
It may just be a matter of getting the regex right.

Here are some rules that work for me:
In file '/etc/csf/csf.conf' (a wildcard, so lfd watches every matching file; on a CWP install that is the cwpsrv access_log and error_log):
Code:
CUSTOM4_LOG = "/usr/local/cwpsrv/logs/*_log"
In file '/usr/local/csf/bin/regex.custom.pm' (inside processcustomline, below the "Do not edit before this point" marker; restart lfd afterwards with 'csf -ra' so the new rules load):
Code:
# Return values of each rule: description, IP, rule identifier (failures with the
# same identifier are counted together per IP), trigger count, ports to block,
# and "1" for a permanent block (a number of seconds would make it temporary).
# $globlogs{CUSTOM4_LOG}{$lgfile} is true for every file expanded from the
# CUSTOM4_LOG wildcard. The older "$lgfile eq $config{CUSTOM4_LOG}" test only
# matches when CUSTOM4_LOG names a single file, because with a wildcard $lgfile
# holds the expanded file name, not the pattern.

# CWP failed login, cwpsrv access_log: after a bad password the panel redirects
# to /login/index.php?login=failed. The timezone offset accepts + or - (the
# original \-\d{4} only matched zones west of UTC).
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\-\s+\-\s+\[\S+\/\S+\/\S+:\S+:\S+\s+[+-]\d{4}\].*\/login\/index\.php\?login\=failed/)) {
	$ip = $1; $ip =~ s/:\w+//;   # strip a trailing :port, if any
	return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}

# CWP failed login, cwpsrv (nginx) error_log: known user, wrong password.
# The IP is the "client:" field (capture group 2; group 1 is the hour).
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"[^"]+\":\spassword\smismatch,\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(?:POST|GET)\s/)) {
	$ip = $2; $ip =~ s/:\w+//;
	return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}

# CWP failed login, cwpsrv (nginx) error_log: user name not in cwpsrv's htpasswd.
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"[^"]+\"\swas\snot\sfound\sin\s\"\/usr\/local\/cwpsrv\/conf\/htpasswd\",\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(?:POST|GET)\s/)) {
	$ip = $2; $ip =~ s/:\w+//;
	return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
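Before restarting lfd it is worth checking that the patterns actually fire on real log lines: when lfd "sees it in the logs" but never blocks anything, the usual cause is a regex that does not match the line format the server writes. The script below is an added example, not code from the post or from csf. It transcribes the three patterns into Python's re syntax, runs them over constructed sample cwpsrv access_log and error_log lines, and replays lfd's per-IP failure counting with the trigger level of 5. Assumptions: the CUSTOM4_LOG wildcard is emulated with fnmatch, and the access_log timezone offset is allowed to be + or - (the post's pattern only accepts a negative offset); the sample lines are constructed, not captured from a real server.

```python
"""Offline check for the lfd (csf) custom regexes used to ban CWP login
brute-forcers: run the patterns over sample cwpsrv log lines and replay
lfd's per-IP failure counting before touching a live server."""
import re
from collections import Counter
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional, Tuple

# Same wildcard as CUSTOM4_LOG in csf.conf; lfd expands it to the real files.
CUSTOM4_LOG = "/usr/local/cwpsrv/logs/*_log"
IDENTIFIER = "forbiddenmatch"   # all three rules share it, so hits are pooled
TRIGGER = 5                     # failures before lfd blocks the IP

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
# nginx error_log prefix: "2025/01/27 22:36:31 [error] 1234#0: *56 "
NGX_ERR = (r"^\d{4}/\d{2}/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]"
           r"\s\[error\]\s\d+#\d+:\s\*\d+\s")

# (compiled regex, capture group that holds the client IP)
RULES = [
    # 1. access_log: redirect to /login/index.php?login=failed after a bad login.
    #    Assumption: offset widened to [+-]\d{4}; the post's \-\d{4} only
    #    accepts zones west of UTC.
    (re.compile(r"^" + IPV4 + r"\s+-\s+-\s+\[\S+/\S+/\S+:\S+:\S+\s+[+-]\d{4}\]"
                r".*/login/index\.php\?login=failed"), 1),
    # 2. error_log: known user, wrong password (group 1 is the hour).
    (re.compile(NGX_ERR + r'user\s"[^"]+":\spassword\smismatch,\sclient:\s'
                + IPV4 + r',\sserver:\slocalhost,\srequest:\s"(?:POST|GET)\s'), 2),
    # 3. error_log: user name not present in cwpsrv's htpasswd file.
    (re.compile(NGX_ERR + r'user\s"[^"]+"\swas\snot\sfound\sin\s'
                r'"/usr/local/cwpsrv/conf/htpasswd",\sclient:\s' + IPV4
                + r',\sserver:\slocalhost,\srequest:\s"(?:POST|GET)\s'), 2),
]


def match_line(lgfile: str, line: str) -> Optional[Tuple[str, int]]:
    """Mimic one pass through regex.custom.pm for a single log line.

    Returns (client IP, rule number) for the first rule that fires, or None
    when the file is not covered by CUSTOM4_LOG or no pattern matches."""
    if not fnmatch(lgfile, CUSTOM4_LOG):      # stands in for $globlogs{CUSTOM4_LOG}{$lgfile}
        return None
    for number, (pattern, group) in enumerate(RULES, start=1):
        m = pattern.search(line)
        if m:
            ip = re.sub(r":\w+", "", m.group(group), count=1)   # $ip =~ s/:\w+//
            return ip, number
    return None


def simulate_lfd(events: Iterable[Tuple[str, str]],
                 trigger: int = TRIGGER) -> Tuple[List[str], Dict[str, int]]:
    """Replay lfd's counting: every hit under IDENTIFIER increments the IP's
    counter, and the IP is reported as blocked when it reaches `trigger`.
    Returns (IPs that would be blocked, in order; hit count per IP)."""
    hits: Counter = Counter()
    blocked: List[str] = []
    for lgfile, line in events:
        hit = match_line(lgfile, line)
        if hit is None:
            continue
        ip = hit[0]
        hits[ip] += 1
        if hits[ip] == trigger:
            blocked.append(ip)
    return blocked, dict(hits)


# Constructed sample lines (not captured from a real server).
ACCESS = "/usr/local/cwpsrv/logs/access_log"
ERROR = "/usr/local/cwpsrv/logs/error_log"
SAMPLE = [
    (ACCESS, '203.0.113.7 - - [27/Jan/2025:22:36:31 -0500] "GET /login/index.php?login=failed HTTP/1.1" 200 1530 "-" "curl/8.0"'),
    # Positive UTC offset: only matches with the widened [+-]\d{4}.
    (ACCESS, '203.0.113.7 - - [27/Jan/2025:22:36:40 +0100] "GET /login/index.php?login=failed HTTP/1.1" 200 1530 "-" "curl/8.0"'),
    (ERROR, '2025/01/27 22:36:31 [error] 1234#0: *56 user "root": password mismatch, client: 203.0.113.7, server: localhost, request: "POST /login/index.php HTTP/1.1", host: "198.51.100.10:2031"'),
    (ERROR, '2025/01/27 22:36:45 [error] 1234#0: *57 user "nobody-here" was not found in "/usr/local/cwpsrv/conf/htpasswd", client: 203.0.113.7, server: localhost, request: "POST /login/index.php HTTP/1.1", host: "198.51.100.10:2031"'),
    (ERROR, '2025/01/27 22:36:50 [error] 1234#0: *58 user "root": password mismatch, client: 203.0.113.7, server: localhost, request: "POST /login/index.php HTTP/1.1", host: "198.51.100.10:2031"'),
    # Successful request from another address: must not count.
    (ACCESS, '198.51.100.22 - - [27/Jan/2025:22:37:01 -0500] "GET /admin/index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"'),
    # Same text in a file outside CUSTOM4_LOG: ignored by these rules.
    ("/var/log/messages", '203.0.113.9 - - [27/Jan/2025:22:37:05 -0500] "GET /login/index.php?login=failed HTTP/1.1" 200 1530 "-" "curl/8.0"'),
]

if __name__ == "__main__":
    would_block, counts = simulate_lfd(SAMPLE)
    for addr, n in counts.items():
        state = "would be blocked" if addr in would_block else "below trigger"
        print(f"{addr}: {n} x {IDENTIFIER}, {state}")
```

To check a real server, feed it the actual files instead of SAMPLE, for example `simulate_lfd((path, l.rstrip("\n")) for l in open(path))` for each path matched by the wildcard; an IP you know has failed logins but never appears in the counts means the line format differs from what the regex expects, and that line is what needs comparing against the pattern.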

Re: :):):) Comodo WAF rules update required :):):)
« Reply #32 on: January 28, 2025, 01:39:23 AM »
The defaults are:
Quote
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/maillog"
POP3D_LOG = "/var/log/dovecot-info.log"
IMAPD_LOG = "/var/log/dovecot-info.log"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"
CWP_LOG = "/var/log/cwp_client_login.log"

CUSTOM1_LOG = "/var/log/cwp_client_login.log"
CUSTOM2_LOG = "/usr/local/apache/domlogs/*.log"

I followed the OWASP docs, and changed MODSEC_LOG to MODSEC_LOG = "/usr/local/apache/logs/modsec_audit.log"
When that failed, I added it to the next empty custom entry CUSTOM3_LOG, still no joy.

I've put another paid ticket in to CWP.
They argued that the last ticket, which didn't solve the problem, was closed as being 'resolved'.

What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if you view the ModSecurity log.

Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.

Also have a virtual meeting with Xcitium (the company that bought Comodo) next week, to find out what their plans are for the future of that ruleset.
Because right now it's dead.

Hopefully this will get resolved.

I'm not sure about anyone else, but this simple thing has turned into a large cluster.




« Last Edit: January 28, 2025, 01:44:14 AM by Starburst »

Re: :):):) Comodo WAF rules update required :):):)
« Reply #33 on: January 28, 2025, 10:28:35 PM »
Quote
The defaults are:
(...)
What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if you view the ModSecurity log.

What is your Core Rule Set version, ModSecurity version, and ModSecurity-nginx version?

Quote
(...)
Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.

It must be noted here too that the OWASP rules I have posted will work with CWP because it is based on the 'nginx' server (see the path /usr/local/cwpsrv/logs/); they will work only with ModSecurity 3.0.x and the ModSecurity-nginx connector v1.0.3-24-gef64996. I have opened an issue on the ModSecurity-nginx website, because for some reason it is not working with newer versions, and that bug is still open to this date.

Quote
Also have a virtual meeting with Xcitium (company who bought Comodo) next week, to find out what there plans are for the future of that ruleset.
Because of right now it's dead.

Hopefully this will get resolved.

I'm not sure about anyone else, but this simple thing has turned into a large cluster.

Very, very good.
This is what we need, a few simple impressions for that company, so as not to begin a coding marathon to work around the problem.

Re: :):):) Comodo WAF rules update required :):):)
« Reply #34 on: January 28, 2025, 11:36:03 PM »
We use Apache, and not Nginx.

There is more script support for Apache, and the performance benefit of Nginx is negligible.

OWASP old & Comodo both work fine, which is the odd thing.

If Xcitium did kill the free Comodo ruleset, that only leaves OWASP as the free option for users to choose.

Re: :):):) Comodo WAF rules update required :):):)
« Reply #35 on: January 29, 2025, 04:42:27 PM »
I suppose a year is the breakpoint to say that Comodo WAF is dead. It might just be something Xcitium is neglecting in favor of their enterprise products (more lucrative). Time to press on...

Re: :):):) Comodo WAF rules update required :):):)
« Reply #36 on: Today at 04:43:33 PM »
Well looks like I got OWASP ruleset 4.11.0 working OK with ModSecurity on AL9.

Which is good, considering I activated it on a live production server, after I noticed I wasn't logged into my test box on my desk.   :-[

I'll be posting a KB article later today.

But yeah, when they split the company both halves started offering their own paid 'ruleset'.
The 'new' endpoint doesn't see CWP, only cPanel, DA, and Plesk and installs as a standalone, which doesn't play well with CWP.