Author Topic: False-Positive report thread  (Read 78214 times)

Offline akabakov

Re: False-Positive report thread
« Reply #150 on: April 07, 2017, 12:42:06 PM »
To whom it may concern:
If you do not see the rule in the plugin interface, try deleting the rules cache (files with the extension *.cache) from the directory:
/var/cpanel/cwaf/tmp/CACHE - for cPanel
/usr/local/cwaf/tmp/CACHE - for other panels
« Last Edit: April 07, 2017, 03:05:11 PM by akabakov »

Offline NightOwl

Re: False-Positive report thread
« Reply #151 on: April 07, 2017, 03:45:20 PM »
> If you do not see the rule in the plugin interface, try deleting the rules cache (files with the extension *.cache) from the directory:
> /var/cpanel/cwaf/tmp/CACHE - for cPanel
> /usr/local/cwaf/tmp/CACHE - for other panels

Thanks akabakov. Oddly I have no /cwaf/ folder anywhere, even according to 'locate'. cPanel 11.62.0.20, CloudLinux 6.8, Apache 2.4.25. Any chance you might have a hint at an alternatively named folder?

Offline NightOwl

Re: False-Positive report thread
« Reply #152 on: April 07, 2017, 04:24:53 PM »
After this morning's update:

217250 is preventing WordPress logins & editing, other script file uploads.
217220 is non-stop filling up error logs "Request Missing a Host Header"
217270 is "Request Containing Content, but Missing Content-Type header"

Tried disabling them all in CMC but it doesn't help. Even after manual apache restart.

[:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]

[:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]

[:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||www.example.com|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/xmlrpc.php"]
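
As an added example (not part of the original posts and not Comodo's code), the Python script below tallies the three log entries from the post above by rule id, URI and action, and shows which `%` in the logged `ARGS:pwd` value the 217250 pattern hits. The function names are hypothetical, and the regex assumes the error log doubles each backslash of the rule's pattern.

```python
import re
from collections import Counter

# The three entries from the post above, copied from the page with wrapped lines rejoined.
SAMPLE_LOG = r'''
[:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]
[:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
[:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||www.example.com|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/xmlrpc.php"]
'''

FIELD = re.compile(r'\[(id|msg|data|severity|uri) "([^"]*)"\]')
# Pattern from the 217250 entry with the log's doubled backslashes undone
# (assumption: the error log escapes each backslash of the rule's regex).
RULE_217250 = re.compile(r'\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})')

def parse(line):
    """Extract the bracketed fields and whether the request was blocked."""
    rec = dict(FIELD.findall(line))
    rec["blocked"] = "ModSecurity: Access denied" in line
    return rec

def triage(log_text):
    """Count hits per (rule id, URI, blocked) to see how narrowly each rule fires."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" in line:
            rec = parse(line)
            hits[(rec["id"], rec["uri"], rec["blocked"])] += 1
    return hits

def flagged_percents(data_field):
    """For a [data "NAME=value"] field, list (offset, next_char) of each '%' the pattern hits."""
    _, _, value = data_field.partition("=")
    return [(m.start(), value[m.end()]) for m in RULE_217250.finditer(value)]

if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE_LOG).items()):
        print(key, count)
    pwd_field = parse(SAMPLE_LOG.splitlines()[1])["data"]
    print(flagged_percents(pwd_field))
```

Because the first alternative, `(?!$|\W)`, succeeds on any `%` followed by a letter, digit or underscore, the hex alternatives never decide the outcome; the logged value matches at offset 14 even though `%u6Ku` is not a valid `%uXXXX` escape.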

Offline intellitech

Re: False-Positive report thread
« Reply #153 on: April 08, 2017, 09:09:13 AM »
> After this morning's update:
>
> 217250 is preventing WordPress logins & editing, other script file uploads.
> 217220 is non-stop filling up error logs "Request Missing a Host Header"
> 217270 is "Request Containing Content, but Missing Content-Type header"
>
> Tried disabling them all in CMC but it doesn't help. Even after manual apache restart.
>
> [:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pwd. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "122"] [id "217250"] [rev "2"] [msg "COMODO WAF: Multiple URL Encoding Detected||example.com|F|4"] [data "ARGS:pwd=W04KsIGrA*6olA%u6Ku"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-login.php"]
>
> [:error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "113"] [id "217220"] [rev "1"] [msg "COMODO WAF: Request Missing a Host Header|||F|4"] [data "REQUEST_HEADERS=0"] [severity "WARNING"] [hostname "server.example.net"] [uri "/whm-server-status"]
>
> [:error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||www.example.com|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/xmlrpc.php"]

Same issue on my server too .... :( Have had to disable mod_security on entire domains in order to perform changes on the websites

Offline DiegoAD

Re: False-Positive report thread
« Reply #154 on: April 08, 2017, 11:18:08 AM »
Same here. I need to disable rules 217270 and 217220 for now from the cPanel vendors.
« Last Edit: April 08, 2017, 11:30:01 AM by DiegoAD »

Offline intellitech

Re: False-Positive report thread
« Reply #155 on: April 08, 2017, 12:04:23 PM »
If you restore the CWAF rules back to version 1.117 - the problem for the time being will be sorted until Comodo fixes the problem.

Offline DiegoAD

Re: False-Positive report thread
« Reply #156 on: April 08, 2017, 12:22:07 PM »
> If you restore the CWAF rules back to version 1.117 - the problem for the time being will be sorted until Comodo fixes the problem.

Great!
And could you tell me how I can avoid having the rules updated again in the next cron update of cPanel?

Thanks

Offline intellitech

Re: False-Positive report thread
« Reply #157 on: April 08, 2017, 02:03:03 PM »
> Great!
> And could you tell me how I can avoid having the rules updated again in the next cron update of cPanel?
>
> Thanks

For the moment, I'd suggest just changing the update checking in the automated settings in the CWAF (WHM Plugin) to "Never", and it'll prevent automated updates ... hopefully it will get fixed soon.
« Last Edit: April 08, 2017, 02:19:07 PM by intellitech »

Offline DiegoAD

Re: False-Positive report thread
« Reply #158 on: April 08, 2017, 02:52:09 PM »
> For the moment, I'd suggest just changing the update checking in the automated settings in the CWAF (WHM Plugin) to "Never", and it'll prevent automated updates ... hopefully it will get fixed soon.

:-TU Thanks
My last query: how do I get back with the rules version?
I have installed the rules in cPanel as a vendor.
Thank you very much for your help.

Offline intellitech

Re: False-Positive report thread
« Reply #159 on: April 08, 2017, 02:58:46 PM »
> :-TU Thanks
> My last query: how do I get back with the rules version?
> I have installed the rules in cPanel as a vendor.
> Thank you very much for your help.

If you've done it as a vendor, then I believe it will have to be manually uploaded to the site after you download the version from the Comodo site - choosing the previous version.

Hope that helps.

Offline ezynic

Re: False-Positive report thread
« Reply #160 on: April 08, 2017, 04:04:59 PM »
I did disable 217270 from the cPanel interface with no problem, and it works for me. Will try the other two as well.

Offline jancas

Re: False-Positive report thread
« Reply #161 on: April 08, 2017, 06:33:23 PM »
Hi,

Using Plesk Onyx with Comodo rules.

Rule ID 217270 causes the WooCommerce cart top widget not to load.

Thanks.

Offline joaam

Re: False-Positive report thread
« Reply #162 on: April 10, 2017, 01:24:29 AM »
Hi,

Has Comodo updated/corrected the rule issue?

Offline BeZazz

Re: False-Positive report thread
« Reply #163 on: April 10, 2017, 01:42:48 AM »
If they have, it hasn't been released yet.

Offline Hedley

Re: False-Positive report thread
« Reply #164 on: April 10, 2017, 07:38:32 AM »
Just adding my voice to the thread. I've also had issues with

217220
217250
217270

and had to disable them.

 
