Please specify the following fields when you submit a false positive.
False-Positive RuleId
Web application + version
Request headers or at least debug log
You can mask some private data, but it is highly recommended that you specify all three fields.
Thank you.
1. 210710
2. owncloud-6.0.3-6.1
3. [Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [hostname"] [uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]
I have tried to exclude it with /opt/comodo/cwaf/etc/httpd/global/zzz_exclude_global.conf
<LocationMatch .*>
SecRuleRemoveById 210710
<DirectoryMatch ‘^/remote.php/webdav/’>
SecRuleEngine Off
Doesn't work.
Will be fixed with next update.
211570
WHMCS Ver. 5.3.7
Request headers or at least debug log -
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3932
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?i:x{0,1}or)\b[\t\n\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})[\t\n\r ]{0,}?[<=>]|\bor\b {0,1}(?:["'][^=]{1,10}["']|[0-9]{1,10}) {0,1}[<=>]{1,}|\b(?i:x{0,1}or)\b[\t\n\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})|(?i:'[\t\n\r ]{1,}x{0,1}or[\t\n …" at ARGS:description. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "301"] [id "211570"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: or 56 found within ARGS:description:
\x0d\x0a Upto 256-bit encryption \x0d\x0a Highest Browser Recognition in the industry \x0d\x0a Automatic step-up for older browsers \x0d\x0a Stringent Business Verification \x0d\x0a Issued within 2 days \x0d\x0a Thawte Trusted Site Seal \x0d\x0a Unlimited Free Reissues \x0d\x0a Supports IDN \x0d\x0a Supports SGC and step-up Technology \x0d\x0a \x0d\x0a
It offers al…"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch:
Stopwatch2:
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"
toenu
June 18, 2014, 2:25pm
5
we ran into this false positive several times:
[Wed Jun 18 16:07:02 2014] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 503 (phase 2). Match of "rx ^\\\\d+px$" against "ARGS:width" required. [file "/path/to/cwaf-rules/cwaf_05.conf"] [line "1171"] [id "220620"] [msg "COMODO WAF: found CVE-2013-5963"] [hostname "domain.com"] [uri "/home/wp-admin/admin-ajax.php"]
False Positive for WHMCS 5.3.7
1.) 213070
2.) WHMCS 5.3.7
3.)
Specifically on saving the https://domain.com/whmcs/configgeneral.php file
--0ccd566b-F--
HTTP/1.1 403 Forbidden
Content-Length: 344
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--0ccd566b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:["'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))|((o|(\\u006F))(n|( …" at ARGS:emailglobalheader. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1093"] [id "213070"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: \x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border= found within ARGS:emailglobalheader:
"]
Action: Intercepted (phase 2)
Stopwatch: 1408063464225154 133149 (- - -)
Stopwatch2: 1408063464225154 133149; combined=84839, p1=300, p2=84445, p3=0, p4=0, p5=57, sr=50, sw=37, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"
The easiest way to avoid false-positive errors is to exclude the rules:
Plugins - Comodo WAF - Userdata - Custom Rules
SecRuleRemoveById 211570 211750 211790 etc
Save and restart Apache.
If you don't use cPanel, just write
SecRuleRemoveById 211570 211750 211790 etc
in /<path_to_cwaf>/cwaf/etc/httpd/custom_user.conf
Save and restart Apache.
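The exclusions above (and the LocationMatch attempt earlier in the thread) switch a rule off everywhere; the following is an added example, not from this thread or from Comodo, of scoping the same exclusions to the path or argument that actually triggers them. It uses the rule ids, paths and argument names reported above; the ids 1000001 and 1000002 are assumed to be free in your local range, and the load-order notes in the comments are assumptions to check against your own configuration.

```apache
# Added example: scoped exclusions for the false positives reported in this
# thread, instead of a global SecRuleRemoveById or SecRuleEngine Off.

# 1. ownCloud WebDAV uploads (rule 210710 rejects application/octet-stream):
#    drop the rule only under /remote.php/webdav/. SecRuleRemoveById acts on
#    rules that are already defined, so this block must be loaded AFTER the
#    CWAF rule files. (DirectoryMatch matches filesystem paths, not URLs, so
#    it cannot be used for this; LocationMatch works on the request URI.)
<LocationMatch "^/remote\.php/webdav/">
    SecRuleRemoveById 210710
</LocationMatch>

# 2. WHMCS configgeneral.php (rule 213070 fires on the email header template
#    in ARGS:emailglobalheader): keep the rule active but stop it inspecting
#    that one argument on that one page. ctl: actions only affect rules that
#    run later in the same transaction, so this phase-1 rule must be loaded
#    BEFORE cwaf_03.conf, where the phase-2 rule 213070 lives.
SecRule REQUEST_URI "@beginsWith /whmcs/configgeneral.php" \
    "id:1000001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=213070;ARGS:emailglobalheader"

# 3. While a report is still open (e.g. the SMF login blocked by rule 211170
#    at /forum/index.php): stop blocking on that path but keep logging, so
#    the audit log still captures the evidence needed for the report.
SecRule REQUEST_URI "@beginsWith /forum/index.php" \
    "id:1000002,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"
```

Restart Apache after editing and confirm with a test request that the blocked transaction now passes while other rules still fire; a typo in the ctl: target leaves the original rule in force.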
JulesR
August 27, 2014, 4:05pm
9
What a useless response. We know how to disable rules, the entire purpose of this thread is to REPORT the ones that are false positives.
Are you acknowledging these reports and planning to fix them or not?
JulesR
August 28, 2014, 8:54am
10
210800
Unknown.
www.clientdomain client.ip 210800 [28/Aug/2014:03:46:48 +0000]
Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '@pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]
[28/Aug/2014:03:46:48 +0000] - client.ip 55758 server.ip:80 80
--3038b690-B--
GET /wp-content/uploads/2014/08/Laparoscopy-Benefits-150x150.jpg HTTP/1.1
Host: www.clientdomain
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.clientdomain/wp-admin/post.php?post=12&action=edit
Cookie: __utma=2625461.1060887636.1370225041.1409186676.1409197476.102; __utmz=2625461.1386038835.21.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26editor%3Dtinymce%26libraryContent%3Dbrowse%26urlbutton%3Dnone%26imgsize%3Dmedium%26wplink%3D1%26ed_size%3D473%26align%3Dnone%26advImgDetails%3Dshow; wp-settings-time-1=1409197572; wp-settings-time-5=1396490878; __utmc=2625461; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_68a9cfa0c6c32b3ba4523393dcde5701=admin%7C1410396318%7C954fc7b0d807f35875ce8b366531e67e; __utmb=2625461.6.10.1409197476
Connection: keep-alive
--3038b690-F--
HTTP/1.1 403 Forbidden
--3038b690-H--
Message: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '@pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]
I have two reports below. I apologize for the lack of info, but I just wanted to get something on record.
===========================================
Unknown
Miva Merchant 5.5
Production Release 8 Update 12
Miva Merchant Engine v5.20
http://mivamerchant.com
Unknown
The logs/modsec_audit.log is rotated daily, so I missed the log entries of the false positives. But I know they existed because I was getting reports of issues on these applications and when I disabled WAF on the domains running these applications the errors stopped immediately.
============================
Unknown
ExpressionEngine
ExpressionEngine — The Best Open Source CMS
Unknown
Same issues with the logs having rotated before I could gather the data, unfortunately.
webwzrd
September 11, 2014, 1:07am
12
211170
SMF 2.0.8
Some Simple Forum members are getting blocked from logging in by this:
ModSecurity: [file "/etc/httpd/modsecurity.d/cwaf_02.conf"] [line "176"] [id "211170"] [msg "COMODO WAF: Session Fixation"] [data "Matched Data: http://www.domainName.com/ found within TX:1: www.domainName.com "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [hostname "domainName.com "] [uri "/forum/index.php"] [unique_id "VBDqUkE8MfIAAFWH5QEAAAAH"]
Please advise.
webwzrd
September 19, 2014, 1:54pm
13
Here's a couple more.
214540 & 214940
Joomla 2.5 while trying to access dtregister from admin
ModSecurity: [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "325"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"] [data "Matched Data: <iframe id=\x22google_externalSite\x22 class=\x22google_externalSite\x22 name=\x22google_externalSite\x22 src=\x22\x22 style=\x22display:none found within RESPONSE_BODY: \x0a\x0a\x0a <meta http-equiv=\x22content-type\x22 content=\x22text/html; cha…"] [severity "ERROR"] Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\"']{0,1}[^a-zA-Z0-9_]{0,}?\\bdisplay\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\bnone\\b" at RESPONSE_BODY. [hostname "www.domainName.com "] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]
ModSecurity: [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "581"] [id "214940"] [msg "COMODO WAF: Outbound Points Exceeded (points 4)"] Warning. Operator GE matched 4 at TX:outgoing_points. [hostname "www.domainName.com "] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]
JulesR
November 6, 2014, 2:25pm
14
Vaultpress for Wordpress:
--44f5c96f-A--
[19/Aug/2014:01:11:48 +0000] - 207.198.112.23 52575 xxx.xxx.xxx.xxx:80 80
--44f5c96f-B--
POST /wp-load.php?vaultpress=true&action=ZXhlYw&doing_wp_cron=&wp-admin=&vector=1408410708.3984&ge=1 HTTP/1.1
User-Agent: Automattic/VaultPress/0.1
Host: www.hidden.tld
Accept: */*
Accept-Encoding: gzip
Content-Length: 899
Content-Type: multipart/form-data; boundary=------------------------5798377f1bdb8670
--44f5c96f-F--
HTTP/1.1 403 Forbidden
--44f5c96f-H--
Message: Blocked , [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:html_message' '(alert|eval|fromcharcode)[\t\n\r ]{0,}('] [id "212790"] [msg "COMODO WAF: XSS Attack Detected"] [severity "WARNING"] [MatchedString "$b="bas"; $b.="e64_d"; $b.="ecode"; return @eval ( $b( "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" ) );"]
--44f5c96f-Z--
webjive
November 17, 2014, 4:16pm
15
Rule 212740 is producing a false positive after the rules update to 1.2.1. We can no longer use the Joomla article preview option from the backend for our client websites. The plugin triggering this is Regular Labs - Extensions for Joomla! - Regular Labs
2014-11-17 10:07:01 spectrat.webjiveclient.com 104.177.44.44 403 POST /index.php?option=com_content&view=article&id=27&yeepreview=1
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com "] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
TDmitry
January 8, 2015, 11:43am
16
Possibly you have to define "SecDataDir …" in your modsecurity config files.
ozsup
February 2, 2015, 7:27am
17
LiteSpeed environment.
The below is the kickstart.php file used for the Joomla Akeeba backup service.
2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] mod_security rule triggered!
[Mon Feb 2 17:50:27 2015] [error] [client 192.168.5.71] ModSecurity: Access denied with code 403, [Rule: 'ARGS|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!ARGS:info' '(?i)([\s"'`;/0-9=]+on\w+\s*=)'] [id "212010"] [msg "COMODO WAF: XSS Filter - Category 2: Event Handler Vector"]
2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] Content len: 4907, Request line: 'POST /kickstart.php HTTP/1.1'
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] Cookie len: 65, 58bf0dd96a6bfc0a451f0be607c88ba5=e78fc17bdc12fb5a55cb351442a34e78
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] File not found [/home/account/public_html/403.shtml]
Hedloff
February 9, 2015, 8:48am
18
We got issues on the bruteforce rule on wordpress on all litespeed servers. Even if we disable the rule, it still causes issues:
230000: COMODO WAF: Brute Force Attack Identified from %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)
It gives a Warning (403) error for all users.
Anyone else with same problem?
We’re using latest Litespeed/cPanel: 4.2.21 Enterprise / WHM 11.48.0 (build 9).
This shows in modsecurity tools log in whm.
Rule IDs 212000, 212620, 212870, 212890 give false positives for AdSense code when added via a post form.
xanubi
February 26, 2015, 4:32pm
20
#1
FALSE POSITIVE on a Drupal Script:
221970: COMODO WAF: Reflected XSS attack (CVE-2014-5022)
Request: POST /?q=node/add/noticias
Action Description: Access denied with code 403 (phase 2).
Justification: String match "<" at ARGS_POST:body[und][0][value].