Addon domain excludes & SSL & username excludes & CSF

“Catalog” manager, or the exclusion manager to whitelist rule IDs per domain, does not appear to be working for addon domains added via cPanel. They are working correctly for root domains such as “example.com”. If I add an addon domain, cPanel (and CWAF for that matter) sees and configures it as “addondomain.example.com”.

When CWAF adds the exclusion file in the [/var/cpanel/cwaf/etc/httpd/domains] directory, it adds it for “addondomain.example.com:80.conf” with reference to that “Host” within that file. If a user browses the addon domain via the actual “addondomain.com”, the rule exclusion does not take effect and basically the same modsec rule IDs are being hit again, because it’s excluding for “addondomain.example.com”, instead of “addondomain.com”.

I also notice that these exclusion rules are only on port 80, and not also 443 for SSL.

I have a few questions:

  • We may need to adjust the Catalog manager to see addon domains as an actual domain, rather than subdomain, so that the excludes can be created accordingly.
  • Does CWAF have any plans to add port 443 as an option to exclude rules within the Catalog manager? Maybe not by default, but at least an option to if needed.
  • CWAF should also have the ability to disable rule IDs per username too. This way if a user adds a new addon domain, these ones will also have the excludes enabled for them so that the customer doesn’t have to submit another ticket to request an exclusion. This is easily done using the following files:
    /usr/local/apache/conf/userdata/std/2//modsec.conf (for port 80)
    /usr/local/apache/conf/userdata/ssl/2//modsec.conf (for port 443)
    Adding the appropriate lines in there and graceful restart of Apache:
    SecRuleRemoveById RULEIDNUMBER
  • I can use CSF’s ModSec tool to exclude rules for all the above listed problems (and that’s the solution I’m using now for these issues), but the thing is, how does CWAF handle rule IDs that are changed or removed? Do you re-use the same rule IDs for newly created ones, or are they sequential and even if a rule ID is removed from your global rulesets, no other rule ID will occupy that same number? This is so that if I whitelist using CSF’s tool, and CWAF updates their rulesets at a later date, what’s to say I’m not now whitelisting a completely different rule than what the customer was affected by?

Thank you!

The rest is kind of irrelevant as I can use CSF’s ModSec tool to disable the IDs… what I want to know was my last question on my previous post:

I can use CSF’s ModSec tool to exclude rules for all the above listed problems (and that’s the solution I’m using now for these issues), but the thing is, how does CWAF handle rule IDs that are changed or removed? Do you re-use the same rule IDs for newly created ones, or are they sequential and even if a rule ID is removed from your global rulesets, no other rule ID will occupy that same number? This is so that if I whitelist using CSF’s tool, and CWAF updates their rulesets at a later date, what’s to say I’m not now whitelisting a completely different rule than what the customer was affected by?

Thank you for your response.
We plan to fix exclusions for domains/add SSL port in the next version of the CWAF plugin.
Disabling rule IDs per username seems handy.
We don’t re-use rule IDs for new rules yet, but this possibility is not excluded for global updates in the future.
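
The concern raised in this thread, that a `SecRuleRemoveById` exclusion could end up pointing at a different rule after a ruleset update, can be checked by fingerprinting rule definitions before and after the update. This is an added example, not part of any post and not CWAF or CSF code; the rule text, rule IDs and function names are constructed for illustration.

```python
import hashlib
import re
ID_RE = re.compile(r"[\",\s]id:'?(\d+)")

def fingerprint_rules(text):
    """Map rule id -> SHA-256 of the whitespace-normalised rule definition."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)  # fold "\" line continuations
    prints = {}
    for line in joined.splitlines():
        line = " ".join(line.split())
        match = ID_RE.search(line)
        if line.startswith(("SecRule ", "SecAction ")) and match:
            prints[int(match.group(1))] = hashlib.sha256(line.encode()).hexdigest()
    return prints

def excluded_ids(conf_text):
    """Single numeric IDs from SecRuleRemoveById lines (ranges are skipped)."""
    rows = (line.split() for line in conf_text.splitlines())
    return [int(p) for r in rows if r and r[0] == "SecRuleRemoveById"
            for p in r[1:] if p.isdigit()]

def audit_exclusions(conf_text, old_rules, new_rules):
    """Classify each excluded ID: unchanged, changed, absent or no-baseline."""
    old, new = fingerprint_rules(old_rules), fingerprint_rules(new_rules)
    report = {}
    for rid in excluded_ids(conf_text):
        if rid not in new:
            report[rid] = "absent"        # exclusion is stale
        elif rid not in old:
            report[rid] = "no-baseline"   # cannot tell what it used to be
        else:
            report[rid] = "unchanged" if old[rid] == new[rid] else "changed"
    return report

# Constructed sample rulesets and exclusions (not real CWAF rules or IDs).
OLD_RULES = r'''SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:210001,phase:2,deny,msg:'Constructed: path traversal probe'"
SecRule ARGS "@rx (?i)union\s+select" \
    "id:210002,phase:2,deny,msg:'Constructed: SQL injection pattern'"
'''
NEW_RULES = r'''SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:210001,phase:2,deny,msg:'Constructed: path traversal probe'"
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
    "id:210002,phase:2,deny,msg:'Constructed: empty user agent'"
'''
EXCLUSIONS = "SecRuleRemoveById 210001\nSecRuleRemoveById 210002 210009\n"

if __name__ == "__main__":
    print(audit_exclusions(EXCLUSIONS, OLD_RULES, NEW_RULES))
```

Any ID reported as `changed` or `absent` should be reviewed before the exclusion is kept; chained sub-rules carry no `id` of their own, so a change inside a chain is not detected by this sketch.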