Exclusion Manager not excluding Ver 0.34

Hi Yah,

This is now the 2nd time that this has happened, have added exclusions to the appropriate place saved, restarted apache. Cleared any Joomla cache & browser cache, done the same operation and still get dropped, when I check the logs it’s dropping me for the rule I added to the exclusion list earlier.

The only work around I have is to disable CWAF do the change/update save then reactivate it again.

Is anyone else having issues with exclusion manager not excluding the rules ?

Yes, the current version has this issue. New client-side scripts/plugin will be released in the coming days.

Installed the new install script this morning, the exclusion list entries didn’t get wiped BUT it doesn’t exclude the rules entered for example I have the following in the exclusion list:

http://thedesigncentre.co.nz/ScreenShot001.jpg

But when you check the logs you still see WAF processing the rule rather than excluding it :frowning:

xxx.xxx.xxx.xxx 211528 [24/Jan/2014:14:12:01 +1300]
Match of "rx ://%{SERVER_NAME}/" against "REQUEST_URI:/url/" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "6610"] [id "211528"] [msg "COMODO WAF: Blocking remote inclusion in arguments"] [data "/administrator/index.php?option=com_installer&view=install"] [severity "CRITICAL"]

Now the 211528 rule is a real pain in the ■■■■…it drops Joomla when you try to save any changes to the global config. On a fresh install when you try to activate the “Install from Web” tab it bombs out, after disabling then reactivating CWAF to activate this in Joomla, I try installing JCK, plus several other modules/plugins every time you click the “Install” button CWAF bombs joomla making it a real pain to install anything.

Why isn’t the exclusion manager working properly?
Can you remove the rule 211528 for now so at least Joomla becomes workable again or sort the rule so it stops bombing Joomla out

EDIT

I have: Include /usr/local/apache/conf/modsec2.whitelist.conf in my modsec2.usr.conf, I’ve added the 211528 to that, saved and restarted http yet it still doesn’t exclude that rule, joomla still gets 403’s :frowning: So basically if I try to exclude a list via CWAF Exclusion manager or the whitelist it doesn’t

Hello

If you have used our installation script, your current configuration is not included into your “modsec2.usr.conf”, so your “modsec2.whitelist.conf” doesn’t work.

The install script makes a backup and creates a new mod_security configuration file: /usr/local/apache/conf/modsec2.conf

So, first look at this file and check its includes. If you didn’t change it manually, it should have only one include:

Include "/var/cpanel/cwaf/etc/cwaf.conf"

Then look at /var/cpanel/cwaf/etc/cwaf.conf. If you didn’t change it manually, it should have:

Include /var/cpanel/cwaf/rules/*.conf
Include /var/cpanel/cwaf/etc/httpd/global/*.conf

where:
/var/cpanel/cwaf/rules/*.conf - files of Comodo rules.
/var/cpanel/cwaf/etc/httpd/global/*.conf - exclude lists.

In the plugin, on the “Configuration” bookmark, you can see the path to the current exclude list, by default: etc/httpd/global/zzz_exclude_global.conf

Next update should fix problems with rule 211528.

Standard cpanel install with no change to any of your installation scripts or configs…the only thing that changed PRIOR to my initial install of CWAF was the call to the ASL Delay rules folder

modsec2.conf

LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecRequestBodyAccess on
SecDataDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"

Modsec2.user.conf

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 220621440
SecServerSignature Apache
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 220621440
SecRequestBodyInMemoryLimit 220621440
LimitRequestBody 0
LimitRequestBody 134217728
SecDataDir /var/asl/data/msa
SecUploadDir /var/asl/data/suspicious
SecTmpDir /tmp
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/asl/data/audit
SecAuditLogType Serial
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec2.whitelist.conf

Path to log directory: /var/log/CWAF
Rules path: /var/cpanel/cwaf
Exclude conf: etc/httpd/global/zzz_exclude_global.conf

The exclude file does not exist in that folder as it hasn’t been created in the installation, the zzz_exclude_global.conf can be found in: /var/cpanel/cwaf/etc/httpd/global

So which path is correct? I have already mentioned where this file resides in other posts. If I change the path to /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf, then save, I get an error message stating it cannot find the conf file !!!

All I know is that whatever rules I add to the exclusion list they are not being read and those rules are still being processed by modsec and causing 403’s, making joomla a pain in the ■■■■ to use.

root [/etc/httpd]# locate zzz_exclude_global.conf
/backup/cpbackup/daily/dirs/_var_cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf
/backup/cpbackup/weekly/dirs/_var_cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf
/home/virtfs/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf
/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf
root [/etc/httpd]# _

You don’t need to change the path to the exclude list, because it’s specified as a relative path, so “etc/httpd/global/zzz_exclude_global.conf” is the correct path. The full path is really “/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf”.

Please restore the default path to the exclude list: “etc/httpd/global/zzz_exclude_global.conf”. Then try to edit the exclude list through the plugin in this way:

<LocationMatch .*>
SecRuleRemoveById 211528
SecRuleRemoveById 211184
SecRuleRemoveById 211194
</LocationMatch>

Check that the rules work after saving the excludes and restarting Apache.

Your file “Modsec2.user.conf” is not included in your configuration, so these options are not working. You may try adding an include to “modsec2.conf”:

Include "/usr/local/apache/conf/modsec2.user.conf"

Hi Yah,

I figured out the path was relative (silly me), have modified the CWAF Exclusion list manager with the additional <LocationMatch .*> & plus added Include "/usr/local/apache/conf/modsec2.user.conf" to the modsec2.conf and all seems to be working fine now…thank you very much :slight_smile:
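
The root cause found in this thread, a whitelist file that nothing in the active configuration includes, can be checked mechanically. The following is an added example, not part of the original thread or of Comodo's tooling: it follows Include directives from the root ModSecurity config and reports which files are never loaded and which rule IDs no loaded file removes. The function names and the temporary sample tree are constructed for illustration.

```python
import glob, os, re, tempfile

INCLUDE_RE = re.compile(r'^[ \t]*Include(?:Optional)?[ \t]+"?([^"\s]+)"?[ \t]*$', re.I | re.M)
REMOVE_RE = re.compile(r'^[ \t]*SecRuleRemoveById[ \t]+(.+)$', re.I | re.M)

def reachable_configs(root_conf, server_root):
    """Map each file reached by following Include directives to its text."""
    seen, todo = {}, [root_conf]
    while todo:
        path = os.path.normpath(todo.pop())
        if path in seen or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            seen[path] = fh.read()
        for pattern in INCLUDE_RE.findall(seen[path]):  # relative paths use ServerRoot
            todo.extend(glob.glob(os.path.join(server_root, pattern)))
    return seen

def check(root_conf, server_root, files, rule_ids):
    """Return (files never loaded, rule ids never removed by a loaded file)."""
    loaded = reachable_configs(root_conf, server_root)
    removed = set()
    for text in loaded.values():
        for ids in REMOVE_RE.findall(text):  # plain ids only; ranges not expanded
            removed.update(ids.split())
    return ([f for f in files if os.path.normpath(f) not in loaded],
            [r for r in rule_ids if r not in removed])

def demo():
    """Constructed tree mirroring the thread's layout, under a temp directory."""
    base = tempfile.mkdtemp()
    conf, cwaf = f"{base}/apache/conf", f"{base}/cwaf"
    for d in (conf, f"{cwaf}/rules", f"{cwaf}/etc/httpd/global"):
        os.makedirs(d)
    excl = f"{cwaf}/etc/httpd/global/zzz_exclude_global.conf"
    files = {
        f"{conf}/modsec2.conf": f'SecRuleEngine On\nInclude "{cwaf}/etc/cwaf.conf"\n',
        f"{conf}/modsec2.user.conf": f"Include {conf}/modsec2.whitelist.conf\n",
        f"{conf}/modsec2.whitelist.conf": "SecRuleRemoveById 211528\n",
        f"{cwaf}/etc/cwaf.conf": f"Include {cwaf}/rules/*.conf\n"
                                 f"Include {cwaf}/etc/httpd/global/*.conf\n",
        f"{cwaf}/rules/cwaf_01.conf": "# Comodo rules (placeholder)\n",
        excl: "<LocationMatch .*>\nSecRuleRemoveById 211184\n</LocationMatch>\n",
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
    return check(f"{conf}/modsec2.conf", f"{base}/apache",
                 [f"{conf}/modsec2.whitelist.conf", excl], ["211528", "211184"])
```

On the sample tree, `demo()` reports modsec2.whitelist.conf as never loaded and rule 211528 as never removed, because its only SecRuleRemoveById sits in that unreachable file.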