Author Topic: Comodo WAF for IIS  (Read 3130 times)

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 334
Comodo WAF for IIS
« on: November 24, 2015, 07:05:09 AM »
Initial version of Comodo WAF for Internet Information Services (IIS) has been released.

System Requirements:

  • IIS v.7.5.
  • Mod_security v. 2.7.5 and above

Install ModSecurity

To install Mod_security for IIS, the installers (for 32-bit and 64-bit respectively) should be loaded from http://www.modsecurity.org/download.html and run. After installation, Mod_security should be visible in the modules list in IIS Manager.

The default installation path for Mod_security rules and configuration files is “C:\Program Files\ModSecurity IIS”.

Install CWAF

  • Login to Comodo WAF interface: https://waf.comodo.com
  • Choose source "IIS" and download latest rules (Latest release: 1.54).
  • Click to Download Full RuleSet

    After downloading the rule-set you get the archive "comodo-iis-rules-154.zip".

  • Back-up current “C:\Program Files\ModSecurity IIS” folder.
  • Extract archive to “C:\Program Files\”.
  • Restart IIS.

Check CWAF Protection

To check that CWAF protection works, you may send the following request to your server:
http://your.server/?a=b AND 1=1


Update of the Protection Rules

  • Open system Terminal (cmd).
  • Run system command:
cscript.exe "C:\Program Files\ModSecurity IIS\cwaf_update.vbs"

    You may add this command as a regular system task in the Windows scheduler.

    Additional Details

    • "rules.dat" - file containing the rules version;
    • "modsecurity_iis.conf" - main ModSecurity configuration file;
    • "cwaf_modsecurity.conf" - CWAF configuration file;
    • "cwaf_excludes.conf" - file with excluded rule IDs; some rules are excluded by default because of false positives. To turn them on, remove them from this file and restart IIS;
    • "categories.conf" - file with rule categories;
    • "cwaf_update.vbs" - script for updating the rules.

    « Last Edit: December 18, 2015, 02:55:01 AM by vadim »
    --
    Vadim Lvovskiy
    Development Manager
    COMODO Group Inc.
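
The back-up and extract steps above as a script. This is an added example, not Comodo's code or part of the original post. It assumes the rule-set archive contains a single top-level folder named "ModSecurity IIS" (inferred from the instruction to extract into “C:\Program Files\”), and the function names are hypothetical.

```python
import shutil
import subprocess
import time
import zipfile
from pathlib import Path, PurePosixPath

RULES_DIR_NAME = "ModSecurity IIS"  # folder name given in the post

def unexpected_members(archive, top=RULES_DIR_NAME):
    """Return archive entries that would land outside '<target>/<top>/'."""
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            parts = PurePosixPath(name.replace("\\", "/")).parts
            # Assumption: everything in the archive sits under one top folder.
            if not parts or parts[0] != top or ".." in parts:
                bad.append(name)
    return bad

def install_rules(archive, program_files, restart_iis=False):
    """Back up the current rules folder, then extract the rule-set over it."""
    program_files = Path(program_files)
    rules_dir = program_files / RULES_DIR_NAME
    bad = unexpected_members(archive)
    if bad:  # refuse before touching anything on disk
        raise ValueError(f"entries outside {RULES_DIR_NAME!r}: {bad}")
    backup = None
    if rules_dir.exists():
        stamp = time.strftime("%Y%m%d-%H%M%S")
        backup = program_files / f"{RULES_DIR_NAME}.bak-{stamp}"
        shutil.copytree(rules_dir, backup)  # timestamped copy for rollback
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(program_files)
        written = zf.namelist()
    if restart_iis:  # needs an elevated prompt on the IIS host
        subprocess.run(["iisreset", "/restart"], check=True)
    return backup, written

if __name__ == "__main__":
    # Paths are the ones from the post; adjust the archive location as needed.
    print(install_rules("comodo-iis-rules-154.zip", r"C:\Program Files",
                        restart_iis=True))
```

If a rule update stops ModSecurity from loading its configuration, copying the timestamped backup folder back and restarting IIS restores the previous rule-set.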

    Offline Melih

    • CEO - Comodo
    • Administrator
    • Comodo's Hero
    • *****
    • Posts: 14588
      • Video Blog
    Re: Comodo WAF for IIS
    « Reply #1 on: November 24, 2015, 08:45:00 AM »
    excellent work guys!

    Thanks to our WAF team, tens of thousands of hosting companies and many more servers are secure from attacks, for FREE!


    Offline sahostking

    • Newbie
    • *
    • Posts: 13
    Re: Comodo WAF for IIS
    « Reply #2 on: February 11, 2016, 07:08:01 AM »
    Awesome going to try this on our servers now.

    Offline akabakov

    • Comodo's Hero
    • *****
    • Posts: 364
    Re: Comodo WAF for IIS
    « Reply #3 on: January 20, 2017, 10:41:26 AM »
    Hello.
    We collect information about current supported platforms. So, please, inform us about IIS versions which work with our plugin and ruleset.
    Thanks a lot.

    Offline christbiker

    • Newbie
    • *
    • Posts: 2
    Re: Comodo WAF for IIS
    « Reply #4 on: March 22, 2017, 02:43:25 PM »
    CWAF was working great with Windows server 2012R2 and IIS 8.5.9600.16384 until late last year. Now if I try to update the ruleset past v 1.87 from 2016 I get an error that Modsecurity is unable to process rulesets. Is any work being done to make the product compatible with IIS 8.5?

    Offline akabakov

    • Comodo's Hero
    • *****
    • Posts: 364
    Re: Comodo WAF for IIS
    « Reply #5 on: March 24, 2017, 08:14:03 AM »
    We couldn't test our rules with Win2012 and IIS 8.x yet. We'll try to make it as soon as possible.

    Offline sahostking

    • Newbie
    • *
    • Posts: 13
    Re: Comodo WAF for IIS
    « Reply #6 on: June 30, 2017, 08:50:31 AM »
    Just added it to a new server and it's giving me warnings in event viewer so it seems it is working well.

    Only issue I see is that the hostname it mentions is the server name instead of the website being attacked:

    [client 49.207.2.196:57996] ModSecurity: Warning. Operator EQ matched 0 at IP. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/custom/32_Apps_OtherApps.conf"] [line "1242"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 49.207.2.196 (+1 hits since last alert)"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "WIN-7V04NSFOETC"] [uri "/xmlrpc.php"] [unique_id "16645304224908840450"]

    Very strange.

    Offline christbiker

    • Newbie
    • *
    • Posts: 2
    Re: Comodo WAF for IIS
    « Reply #7 on: July 05, 2017, 05:04:54 PM »
    Updated the rules on my Windows 2012 R2 servers today and they worked!  Thanks for correcting the issue.

    Offline sahostking

    • Newbie
    • *
    • Posts: 13
    Re: Comodo WAF for IIS
    « Reply #8 on: August 17, 2017, 04:23:04 AM »
    We have this now on our Plesk servers as well and it is working great. Just a few errors after it is imported into Plesk. Note we tried Atomic Secured rules which work 100% but want to move to Comodo WAF for IIS but just a few issues exist after import:

    [client 185.186.141.26] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "PLESK01-CPT"] [uri "/xmlrpc.php"] [unique_id "9223372039002259516"]

    and

    ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "PLESK01"] [uri "/"] [unique_id "1224979113677160489"]



    We had modsecurity version 2.8.0 on and now upgraded to 2.9.1 with same errors.
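
An added example, not part of the original posts: a small parser for ModSecurity event-log lines like those quoted in replies #6 and #8. It separates rule alerts from engine errors and lists hostnames that do not match a known site. The sample lines are constructed from the ones in the thread (client address replaced by a documentation-range one), and `site_names` is a hypothetical list of IIS site host names.

```python
import re
from collections import Counter

# Constructed sample, modelled on the event-log lines quoted in this thread;
# the client address is a documentation-range placeholder.
SAMPLE_LOG = r'''
[client 203.0.113.7:57996] ModSecurity: Warning. Operator EQ matched 0 at IP. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/custom/32_Apps_OtherApps.conf"] [line "1242"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 203.0.113.7 (+1 hits since last alert)"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "WIN-7V04NSFOETC"] [uri "/xmlrpc.php"] [unique_id "16645304224908840450"]
[client 203.0.113.7] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "PLESK01-CPT"] [uri "/xmlrpc.php"] [unique_id "9223372039002259516"]
ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "PLESK01"] [uri "/"] [unique_id "1224979113677160489"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
CLIENT = re.compile(r'\[client (\S+?)(?::\d+)?\]')     # IPv4, optional port
MESSAGE = re.compile(r'ModSecurity: (.*?)(?= \[\w+ "|$)')

def parse_line(line):
    """Turn one ModSecurity log line into a dict; None if it is not one."""
    m = MESSAGE.search(line)
    if not m:
        return None
    event = {"client": None, "text": m.group(1), "tags": []}
    c = CLIENT.search(line)
    if c:
        event["client"] = c.group(1)
    for key, value in FIELD.findall(line):
        if key == "tag":            # tags repeat, so collect them all
            event["tags"].append(value)
        else:
            event[key] = value
    # Rule matches carry an id; engine and configuration errors do not.
    event["kind"] = "alert" if "id" in event else "engine_error"
    return event

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(events, site_names):
    """Count alerts per rule and list what needs operator attention."""
    hosts = {e.get("hostname") for e in events} - set(site_names) - {None}
    return {
        "alerts_by_rule": Counter(e["id"] for e in events if e["kind"] == "alert"),
        "engine_errors": [e["text"] for e in events if e["kind"] == "engine_error"],
        # Hostnames that are not a configured site cannot be attributed by name.
        "unattributed_hosts": sorted(hosts),
    }

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG), {"www.example.com"}).items():
        print(key, value)
```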

    Offline akabakov

    • Comodo's Hero
    • *****
    • Posts: 364
    Re: Comodo WAF for IIS
    « Reply #9 on: August 18, 2017, 09:12:04 AM »
    This issue will be fixed in the next release:
    [client 185.186.141.26] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "PLESK01-CPT"] [uri "/xmlrpc.php"] [unique_id "9223372039002259516"]

    The issue "Use SecDataDir to define data directory first." can be fixed with the string:
    SecDataDir c:\inetpub\temp
    in modsecurity.conf

     
