1.11 rule 210700 - False positive and cannot disable???

Whitelist Config:

<LocationMatch .*>
SecRuleRemoveById 210700
</LocationMatch>

<DirectoryMatch '^/remote.php/webdav/'>
SecRuleEngine Off
</DirectoryMatch>

Modsec2 config:

LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.whitelist.conf"

Still getting errors on the log about this rule, that should be disabled:

xpto.ptws.net xxx.xxx.xxx.xxx 210700 [30/May/2014:13:02:28 +0100]
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]
xpto.ptws.net 1xxx.xxx.xxx.xxx 210700 [30/May/2014:13:02:23 +0100]
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]
xpto.ptws.net xxx.xxx.xxx.xxx 210700 [30/May/2014:13:02:18 +0100]
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]
xpto.ptws.net xxx.xxx.xxx.xxx 210700 [30/May/2014:13:02:13 +0100]
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]
xpto.ptws.net xxx.xxx.xxx.xxx 210700 [30/May/2014:13:02:07 +0100]
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]

We need help to solve this issue!!!

Regards

Your config seems OK, but I have doubts about this:
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.whitelist.conf"

Try to remove/comment out these lines from the Modsec2 config and add the following to /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf

<LocationMatch .*>
SecRuleRemoveById 210700
</LocationMatch>

Restart apache.

Or show us modsec2.user.conf and modsec2.whitelist.conf content. Also we are not sure DirectoryMatch will work. Here is another method to disable rules:

https://www.atomicorp.com/wiki/index.php/Mod_security

If this does not work, you can add WebDAV methods to /var/cpanel/cwaf/rules/cwaf_01.conf

Search for
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'

and add the required methods.

Content of zzz_exclude_global.conf

Created by CWAF management application

Note! This file may be modified and any manual changes may be lost!

Date: 30/05/14 11:57:23 UTC

category: Global

<LocationMatch .*>
SecRuleRemoveById 210700
</LocationMatch>

Content of /usr/local/apache/conf/modsec2.user.conf = empty (for future use)

Content of /usr/local/apache/conf/modsec2.whitelist.conf

<LocationMatch .*>
SecRuleRemoveById 210700
</LocationMatch>

<DirectoryMatch '^/remote.php/webdav/'>
SecRuleEngine Off
</DirectoryMatch>

Error continues…

Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] [id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]

Any ideas?

FYI, I had to comment out the rule so WebDAV from ownCloud works.

Your configuration seems OK.
For further investigation we need access to Apache logs.
Please file a ticket at https://support.comodo.com/

Ticket ID #SDE-456-95349

Let me know if you need anything else.

This happens also on MOODLE script sites, please see my FALSE POSITIVE 1.11 thread.
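
A log check for the situation in this thread, added here as an example (not code from any of the posters or from the CWAF project): it parses the two-line log format quoted above and counts the hits for a rule that were logged after the restart that should have applied the exclusion, per host and blocked method. The host name, client IP, timestamps, restart time and the MKCOL entry are constructed sample values.

```python
import re
from collections import Counter
from datetime import datetime

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Header line: virtual host, client IP (may be redacted), rule id, [timestamp]
HEADER = re.compile(r"^(\S+) (\S+) (\d+) \[([^\]]+)\]$")
# [key "value"] fields; typographic quotes from copy/paste are accepted too
FIELD = re.compile(r'\[(\w+) ["“]([^"”]*)["”]\]')

# Constructed sample: host, IP, timestamps and the MKCOL hit are made up.
_MSG = ('Match of "within %{{tx.allowed_methods}}" against "REQUEST_METHOD" '
        'required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "408"] '
        '[id "210700"] [msg "COMODO WAF: Method is not allowed by policy"] '
        '[data "{0}"] [severity "CRITICAL"]')
SAMPLE_LOG = "\n".join([
    "dav.example.test 192.0.2.10 210700 [30/May/2014:13:02:28 +0100]",
    _MSG.format("PROPFIND"),
    "dav.example.test 192.0.2.10 210700 [30/May/2014:13:09:41 +0100]",
    _MSG.format("PROPFIND"),
    "dav.example.test 192.0.2.10 210700 [30/May/2014:13:10:02 +0100]",
    _MSG.format("MKCOL"),
])
# Assumed time of the Apache restart that loaded the exclusion
RESTART = datetime.strptime("30/May/2014:13:05:00 +0100", TS_FORMAT)

def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = {"host": m.group(1), "client": m.group(2),
                       "id": m.group(3),
                       "time": datetime.strptime(m.group(4), TS_FORMAT)}
        elif current is not None and line:
            current.update(FIELD.findall(line))  # message id overrides header
            entries.append(current)
            current = None
    return entries

def hits_after(entries, rule_id, restart):
    """Hits for rule_id logged after restart, counted per (host, method)."""
    return Counter((e["host"], e.get("data", "")) for e in entries
                   if e["id"] == rule_id and e["time"] > restart)

if __name__ == "__main__":
    hits = hits_after(parse_entries(SAMPLE_LOG), "210700", RESTART)
    for (host, method), n in hits.items():
        print(f"rule 210700 still firing after restart: {host} {method} x{n}")
```

An empty result means every logged hit predates the restart; any remaining entry shows the host and method for which the rule is still being evaluated.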