Author Topic: False-Positive report thread  (Read 80073 times)


Offline azizarnold

  • Newbie
  • *
  • Posts: 5
    • Hostking
Re: False-Positive report thread
« Reply #166 on: April 11, 2017, 07:38:43 AM »
Does anyone know if the new update fixes this issue experienced these past few days? 217270 etc.
Hostking| Since 2013 | South Africa  | Secure Web hosting
Domains • Shared • Reseller • VPS • Backups • cPanel

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #167 on: April 11, 2017, 08:38:18 AM »
These rules are removed from ruleset.

Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #168 on: April 11, 2017, 09:00:13 AM »
Quote
These rules are removed from ruleset.

Hi,

May I know which rules you removed?

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #169 on: April 11, 2017, 09:08:49 AM »
New ruleset was released yesterday. These rules are absent in it.

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375

Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #171 on: April 11, 2017, 09:19:15 AM »

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 370
Re: False-Positive report thread
« Reply #172 on: April 11, 2017, 09:57:21 AM »
Hi,

Do you mean?
Quote
Lack to exclude rule from the plugin.

Yes, it is the same

Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #173 on: April 13, 2017, 09:54:35 PM »
Quote
In this case our rules are used as ModSecurity Vendor. So, to disable this rule, you need to disable file 12_HTTP_Protocol.conf

Have you enabled 12_HTTP_Protocol.conf back, and does it work well?

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #174 on: April 14, 2017, 11:27:05 AM »
We removed rules 217220, 217250 and 217270 from ruleset.
Everything should be OK.

Offline H0sseiN

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #175 on: April 21, 2017, 12:43:04 PM »
Error 403 when searching any word on any WordPress site
« Last Edit: April 21, 2017, 12:45:10 PM by H0sseiN »

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #176 on: April 21, 2017, 12:51:36 PM »
What rule gives such result?

Offline confortable

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #177 on: May 05, 2017, 07:42:32 AM »
I had to disable this rule. It is affecting several users on several servers.

Does anyone know what this rule is doing?

1. False-Positive RuleId
218520

2. Web application + version
WordPress 4.7.4
WordPress 4.7.1

3. Request headers or at least debug log

--33acbf0f-A--
 [05/May/2017:08:14:19 +0200] WQwYOvt65TuuM5rjo8gaGwAAAAk XXXXXXXXXXXXXX 41926 37.59.226.88 82
 --33acbf0f-B--
 GET /wp-admin/ HTTP/1.1
 Host: XXXXXXXXXXXXXXXXXXXXXXXXXXX
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Encoding: gzip, deflate, sdch
 Accept-Language: es-ES,es;q=0.8,en;q=0.6
 Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 X-Forwarded-For: XXXXXXXXXXXXXXXXXX
 X-Cachewall-Remote-IP: XXXXXXXXXXXXXXXXX
 X-Cachewall-Object-Type: dynamic
 X-Cachewall-Server: XXXXXXXXXXXXXXXXXX
 X-Cachewall-Proto: http
 X-Cachewall-Identity: XXXXXXXXXXXXXXXXXXXXXX
 X-Cachewall-Match: pass=DEF22
 X-Varnish: XXXXXXXXXXXXXXXXXXXXXX

 --33acbf0f-F--
 HTTP/1.1 302 Found
 Expires: Wed, 11 Jan 1984 05:00:00 GMT
 Cache-Control: no-cache, must-revalidate, max-age=0
 Link: <http://XXXXXXXXXXXXXXX/wp-json/>; rel="https://api.w.org/"
 Location: http://XXXXXXXXXXXXXXXXXX.es/wp-admin/
 Content-Length: 0
 Connection: close
 Content-Type: text/html; charset=UTF-8

 --33acbf0f-H--
 Message: Access denied with code 403 (phase 2). Match of "endsWith /sysext/install/start/install.php" against "REQUEST_FILENAME" required.
  [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/24_SQL_SQLi.conf"] [line "77"] [id "218520"] [rev "2"] [msg "COMODO WAF:
  SQL Injection Attack Detected via libinjection||XXXXXXXXXXXXXX|F|2"] [data "Matched Data: n&1 found within
  REQUEST_FILENAME: /wp-admin/"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
 Action: Intercepted (phase 2)
 Apache-Handler: application/x-httpd-lsphp
 Stopwatch: 1493964858306883 1274686 (- - -)
 Stopwatch2: 1493964858306883 1274686; combined=2219, p1=443, p2=1531, p3=0, p4=0, p5=166, sr=65, sw=79, l=0, gc=0
 Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
 Server: Apache
 WebApp-Info: "default" "3a00234b7f502ee55c0f938dc3b8205a" "-"
 Engine-Mode: "ENABLED"

 --33acbf0f-Z--
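The fields a false-positive report like the one above needs (rule id, rule file, matched data, request line) can be pulled from parts B and H of a ModSecurity serial audit log entry. This is an added example, not part of any forum post and not Comodo's tooling; the function names are hypothetical, the sample is abridged from the posted entry, and it assumes log lines start at column 0 with wrapped message lines indented, as in the paste.

```python
import re
# Constructed sample: abridged from the audit log entry posted above.
SAMPLE = '''--33acbf0f-A--
--33acbf0f-B--
GET /wp-admin/ HTTP/1.1
--33acbf0f-H--
Message: Access denied with code 403 (phase 2). Match of "endsWith /sysext/install/start/install.php" against "REQUEST_FILENAME" required.
 [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/24_SQL_SQLi.conf"] [line "77"] [id "218520"] [rev "2"] [msg "COMODO WAF:
 SQL Injection Attack Detected via libinjection||XXXXXXXXXXXXXX|F|2"] [data "Matched Data: n&1 found within
 REQUEST_FILENAME: /wp-admin/"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
Action: Intercepted (phase 2)
--33acbf0f-Z--
'''

BOUNDARY = re.compile(r"^\s*--[0-9a-fA-F]+-([A-Z])--\s*$")
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_entries(text):
    """Split a serial audit log into entries of {section letter: [lines]}."""
    entries, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(1)
            if section == "A":          # part A opens a new transaction
                entries.append({})
            if entries:
                entries[-1].setdefault(section, [])
        elif entries and section:
            entries[-1][section].append(line)
    return entries

def triage(entry):
    """Summarise each rule message in part H: rule id, rule file, matched data."""
    request = next((l.strip() for l in entry.get("B", []) if l.strip()), "")
    messages = []
    for line in entry.get("H", []):
        if line.startswith("Message:"):
            messages.append(line)
        elif messages and line[:1].isspace() and line.strip():
            messages[-1] += " " + line.strip()   # re-join a wrapped message
    out = []
    for msg in messages:
        tags = TAG.findall(msg)
        first = lambda k: next((v for key, v in tags if key == k), "")
        out.append({"request": request, "id": first("id"), "file": first("file"),
                    "data": first("data"), "tags": [v for k, v in tags if k == "tag"]})
    return out
```

Grouping the results of `triage` by `id` across a whole log shows which rule accounts for the blocked requests before deciding what to report or disable.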

Offline NightOwl

  • Newbie
  • *
  • Posts: 5
Re: False-Positive report thread
« Reply #178 on: May 06, 2017, 03:39:53 PM »
New rules in past 24 hours generating false positives on lots of WordPress (and similar) scripts - 218520 and 218540

Offline H0sseiN

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #179 on: May 07, 2017, 04:13:07 AM »
Quote
New rules in past 24 hours generating false positives on lots of WordPress (and similar) scripts - 218520 and 218540

Same problem with lots of scripts, such as LiveZilla chat, Telegram robots, vBulletin, ...

 
