It seems you have the CWAF rules installed as a cPanel Vendor.
Unfortunately, this install type does not support convenient exclude management.
The following entries are disabled by default during install as a Plugin:
CATEGORY-Bruteforce - because of the broken implementation of persistent storage in the current version of mod_security
CATEGORY-Outgoing - because of the great number of False Positives related to these rules
GROUP-Incoming - because it uses OSVDB and Comodo is not responsible for this source of vulnerabilities
GROUP-HTTPDoS - because of a lot of False Positives
This affects the following entries in the cPanel Vendor install, and they are recommended for disabling:
05_Global_Incoming.conf
09_Bruteforce_Bruteforce.conf
11_HTTP_HTTPDoS.conf
14_Outgoing_FilterGen.conf
15_Outgoing_FilterASP.conf
16_Outgoing_FilterPHP.conf
17_Outgoing_FilterIIS.conf
18_Outgoing_FilterSQL.conf
19_Outgoing_FilterOther.conf
20_Outgoing_FilterInFrame.conf
21_Outgoing_FiltersEnd.conf
Mozilla/4.0 (compatible ; MSIE 9.11.9600.17914 ; Microsoft Windows 7 Professional Service Pack 1 ; Placeware RPC 1.0)
As you can see, you have an additional space between the word "compatible" and the semicolon. This is unusual behavior for IE; check whether you have any plugin that can modify the user agent string and try to disable it. You can find correct IE user agents here: http://www.useragentstring.com/pages/Internet%20Explorer/
Please check this rule!
We’re getting a storm of support because of pictures not loading and customers getting blocked in our csf firewall.
And because of that I wanted to disable this rule on all servers… But Comodo WAF cannot find the rule ID 210831.
It does however find rule ID 210830, but we have that turned off already. But customers are getting blocked because of rule 210831 that does not exist!
Rule 210831 is a ‘child’ rule of 210830, so it has to be automatically turned off when rule 210830 is turned off.
If it is not turned off automatically, please try turning its ‘parent’ rule 210830 on and then off.
This can be done in the plugin’s ‘Catalog’ tab.
This message means the User-Agent of the client trying to access your server was found in the list of blocked agents. Usually these are security scanners like Nikto, OpenVAS, Net Stalker etc.
If you want to allow this client to connect to your server, please add its user agent string to the file userdata_wl_agents.
This can also be done with the help of the plugin: ‘Userdata’ tab, ‘Whitelisted Agents’ text field.
A client uses a plugin called “vaultpress” to do backup and restore for their WordPress site. The backup was blocked by the mod_sec rule “211190”. This problem seems new; to me, it looks legitimate. However, I am not willing to whitelist this rule since I do see it also blocked other hack attempts.
VaultPress was built by Automattic, which is the company that operates wordpress.com, so I do trust them. Can you adjust the rule to avoid blocking vaultpress?
False positive on Quform for wordpress, please fix
-c4c29e02-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:iphorm_3_64. [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] [line "24"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 65 found within ARGS:iphorm_3_64: We are both senior citizens, 70 and 65 years of age. We do not use any aids but try to avoid steep climbs. We are fully mobile."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1445457313422510 36569 (- - -)
Stopwatch2: 1445457313422510 36569; combined=23537, p1=765, p2=22709, p3=0, p4=0, p5=61, sr=106, sw=2, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.2.15
Engine-Mode: "ENABLED"
I have a form with several fields and I think the text inserted in the message area resulted in a false positive for a SQL injection. I guess it was the number “65” inserted in the form text area that triggered the block. I had to disable rule ID 211580.
It seems it doesn't accept any numbers in the Quform text area.
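A triage sketch for the false positive reported above, added here as an example (it is not part of the thread and not Comodo's code): it takes the Message line from the posted audit log, undoes the log escaping, and tests each top-level alternative of rule 211580's pattern against the logged field value. It assumes Python's `re` behaves like ModSecurity's PCRE for this pattern and that no transformations run before matching; the function names are hypothetical.

```python
import re

# Message line copied from the audit log posted above (rule 211580).
AUDIT_MESSAGE = r'''Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:iphorm_3_64. [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] [line "24"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 65 found within ARGS:iphorm_3_64: We are both senior citizens, 70 and 65 years of age. We do not use any aids but try to avoid steep climbs. We are fully mobile."] [severity "CRITICAL"]'''

def unescape_log(text):
    # The audit log writes a backslash as two and a quote as backslash-quote;
    # drop one level of escaping to recover the rule's regex.
    return re.sub(r"\\(.)", lambda m: m.group(1), text)

def parse_message(msg):
    """Return (rule id, matched variable, regex, logged value) from a Message line."""
    pat, var = re.search(r'Pattern match "((?:[^"\\]|\\.)*)" at (\S+)\. ', msg).groups()
    rule_id = re.search(r'\[id "(\d+)"\]', msg).group(1)
    value = re.search(r'\[data "Matched Data: .*? found within \S+: (.*?)"\]', msg).group(1)
    return rule_id, var, unescape_log(pat), value

def split_alternatives(pattern):
    """Split a regex on '|' at nesting depth 0, skipping escapes and [...] classes."""
    parts, cur, depth, in_class, i = [], [], 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # escaped character: copy both
            cur.append(pattern[i:i + 2]); i += 2; continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:      # top-level alternation boundary
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    parts.append("".join(cur))
    return parts

def branch_hits(pattern, value):
    """List (branch number, matched text or None); the leading (?i) covers every branch."""
    hits = []
    for n, branch in enumerate(split_alternatives(pattern), 1):
        m = re.search(branch, value, re.IGNORECASE)
        hits.append((n, m.group(0) if m else None))
    return hits

if __name__ == "__main__":
    rule_id, var, pattern, value = parse_message(AUDIT_MESSAGE)
    for n, text in branch_hits(pattern, value):
        print(f"rule {rule_id} {var} branch {n}: {text!r}")
```

On the logged value only the last alternative matches, and that alternative requires no comparison operator after the number, so ordinary text such as "70 and 65" is enough to trigger the rule.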
We have the same issue with Typo3 7.5.0 while saving the configuration of the installtool.
We’re using the rules version 1.50 (we haven’t yet updated to 1.51).
Here are the logs