False-Positive report thread

[PRO ISP]

1. False-Positive RuleId

214530

2. Web application + version NA

3. Request headers or at least debug log/modsec_audit.log
 ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\\\\x2260\\\\x22 width=\\\\x221 found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0d\\\\x0a<html lang=\\\\x22en\\\\x22>\\\\x0d\\\\x0a<head>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<link rel=\\\\x22shortcut icon\\\\x22 href=\\\\x22assets/images/minibilde.png\\\\x22/>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<title>Ben og Chris | Official Website</title>\\\\x0d\\\\x0a<meta name=\\\\x22description\\\\x22 content=\\\\x22Ben og Chris | Musikkgruppe fra Oppland som prod [hostname "xxxx.com"] [uri "/index.php"] [unique_id "WgpH16wVE[at]xlQLsYbs99TwAAAJg"]
Host: xxxx.com

Message: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\s+(?!src=\\x22//www\\.googletagmanager\\.com)[^>]{1,}?\\b(?:height|width)\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\x22']{0,1}[^\\x22'123456789]{0,}?(?:[0123](?:\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\x2260\x22 width=\x221 found within RESPONSE_BODY: <!DOCTYPE html>\x0d\x0a<html lang=\x22en\x22>\x0d\x0a<head>\x0d\x0a\x0d\x0a<link rel=\x22shortcut icon\x22 href=\x22assets/images/minibilde.png\x22/>\x0d\x0a\x0d\x0a<title>Ben og Chris | Official Website</title>\x0d\x0a<meta name=\x22description\x22 content=\x22Ben og Chris | Musikkgruppe fra Oppland som prod

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\\\\\\\s+(?!src=\\\\\\\\x22//www\\\\\\\\.googletagmanager\\\\\\\\.com)[^>]{1,}?\\\\\\\\b(?:height|width)\\\\\\\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\\\\\\\x22']{0,1}[^\\\\\\\\x22'123456789]{0,}?(?:[0123](?:\\\\\\\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\\\\\\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe
turned off rule

[SergeiP]

1. False-Positive RuleId

214530

2. Web application + version NA

3. Request headers or at least debug log/modsec_audit.log
 ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\\\\x2260\\\\x22 width=\\\\x221 found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0d\\\\x0a<html lang=\\\\x22en\\\\x22>\\\\x0d\\\\x0a<head>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<link rel=\\\\x22shortcut icon\\\\x22 href=\\\\x22assets/images/minibilde.png\\\\x22/>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<title>Ben og Chris | Official Website</title>\\\\x0d\\\\x0a<meta name=\\\\x22description\\\\x22 content=\\\\x22Ben og Chris | Musikkgruppe fra Oppland som prod [hostname "xxxx.com"] [uri "/index.php"] [unique_id "WgpH16wVE[at]xlQLsYbs99TwAAAJg"]
Host: xxxx.com

Message: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\s+(?!src=\\x22//www\\.googletagmanager\\.com)[^>]{1,}?\\b(?:height|width)\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\x22']{0,1}[^\\x22'123456789]{0,}?(?:[0123](?:\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\x2260\x22 width=\x221 found within RESPONSE_BODY: <!DOCTYPE html>\x0d\x0a<html lang=\x22en\x22>\x0d\x0a<head>\x0d\x0a\x0d\x0a<link rel=\x22shortcut icon\x22 href=\x22assets/images/minibilde.png\x22/>\x0d\x0a\x0d\x0a<title>Ben og Chris | Official Website</title>\x0d\x0a<meta name=\x22description\x22 content=\x22Ben og Chris | Musikkgruppe fra Oppland som prod

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\\\\\\\s+(?!src=\\\\\\\\x22//www\\\\\\\\.googletagmanager\\\\\\\\.com)[^>]{1,}?\\\\\\\\b(?:height|width)\\\\\\\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\\\\\\\x22']{0,1}[^\\\\\\\\x22'123456789]{0,}?(?:[0123](?:\\\\\\\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\\\\\\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe
turned off rule

If you have some complications with setup of CWAF, you can create account on https://support.comodo.com/ and create ticket related to WAF Support.

[Hedloff]

If you have some complications with setup of CWAF, you can create account on https://support.comodo.com/ and create ticket related to WAF Support.

Titans just reported a FS for your rules. Why did you respond with that answer?

[SergeiP]

Titans just reported a FS for your rules. Why did you respond with that answer?

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/falsepositive-report-thread-t104373.0.html;msg868018#msg868018

[lord alibaski]

Hi would like to thank all help with this 1st time had trouble with this. My hosting sent me here because I have had to disable the Mod Security inside whm reason it's giving me a false positive from my smf forum which is causing major issue when posting a topic.

WHM
Original Id - 217280


SecRule ARGS_NAMES|ARGS|XML:/*|!ARGS:/content/ "[at]pm get post head options connect put delete trace propfind propatch mkcol copy move lock unlock" \
   "id:217280,chain,msg:'COMODO WAF: HTTP Request Smuggling Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MATCHED_VAR "[at]rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
   "setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"


Request:   POST /index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
Action Description:   Access denied with code 403 (phase 2).
Justification:   Pattern match "(?:\\n|\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+" at MATCHED_VAR.


Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required

Hope this is what I needed to post.

[SergeiP]

Hi lord alibaski, you don't need to post rule, the id will be enought.
Please check if  your mod_security.conf has such settings

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial

for obtaining modsec_audit.log which contains data:

Code: [Select]

[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /mahara-17.04.1/htdocs/artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
User-Agent: curl/7.56.1
Accept: */*
Cookie: mahara=bd7b6f93437c30c83fe9291c95d47a5dc64dd313a8efb0a915299b14e9ce2783
Content-Length: 493
Content-Type: application/x-www-form-urlencoded

--815f575b-C--
firstname=Admin%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=User%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&studentid=&preferredname=%3Cscript%3Ealert%283%29%3B%3C%2Fscript%3E&introduction=&email_selected=ansa%40localhost&email_valid%5B%5D=ansa%40localhost&officialwebsite=&personalwebsite=&blogaddress=&address=&town=&city=&country=&homenumber=&businessnumber=&mobilenumber=&faxnumber=&occupation=&industry=&submit=Processing+...&fs=aboutme&sesskey=I1xz5Fo4bs72pfu3&pieform_profileform=
--815f575b-F--
HTTP/1.1 403 Forbidden
Content-Length: 251
Connection: close
Content-Type: text/html; charset=iso-8859-1

--815f575b-E--

--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\\s\\S]*?)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [data "Matched Data: <script> found within ARGS:firstname: Admin<script>alert(1);</script>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1510328367568352 42562 (- - -)
Stopwatch2: 1510328367568352 42562; combined=37219, p1=12867, p2=23752, p3=0, p4=0, p5=492, sr=926, sw=108, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.4 (Unix)
Engine-Mode: "ENABLED"
You can hide sensitive data like

Code: [Select]

Host: 10.8.4.2:5080
your log

Code: [Select]

Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required
refers to ruleid 243930 but this rule leave message

Code: [Select]

COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)
Are you sure that you use CWAF ruleset?

POST request without request body to proteced host

Code: [Select]

/index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
doesn't cause 403.
If you use whm + Comodo WAF plugin then you able to disable single rule.

[Amar218]

1) Rule ID:  211820  (Triggers from administrative interface in phpbb, v. 3.2.2)

2) CWAF Plugin Version 2.22, Rules Version 1.666

3) 

Code: [Select]

Request: GET /adm/images/alert_close.png
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=31
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_groups&icat=12&mode=manage
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_prune&mode=users
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: POST /adm/index.php?i=acp_users&sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&icat=13&mode=overview
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /memberlist.php?mode=viewprofile&u=567
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.



[LBJ]

1. Rule ID: 21850 - Way too general in its regex

2. CWAF 1.166 / 2.22 in multiple applications

3.

Code: [Select]

[Tue Jun 05 10:48:23.222182 2018] [:error] [pid 1773425:tid 139707396007680] [client 118.209.129.254:50144] [client 118.209.129.254] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)\\\\b|s(?:ys(?:\\\\.database_name|aux)\\\\b|chema(?:\\\\W*\\\\(|_name\\\\b)|qlite(_temp)?_master\\\\b) ..." at ARGS:acf[field_575cce092e3f1]. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "74"] [id "218530"] [rev "3"] [msg "COMODO WAF: SQL Injection Attack: Common DB Names Detected||xxxx.org.au|F|2"] [data "Matched Data: database ( found within ARGS:acf[field_575cce092e3f1]: To re-survey sites from the original BirdLife Australia Birds on Farms project (1995 \\xe2\\x80\\x93 1997), we will contact land owners using our database and networks. We will determine whether land owners are interested in surveying birds on their properties or if they are happy for someone else to carry out surveys. We will also put out a call through our networks (as well as through project partners and community groups s [hostname "xxxx.org.au"] [uri "/wp-admin/post.php"] [unique_id "WxXd1FJDG1kA5zgXCaotOgAAAAU"], referer: https://xxxx.org.au/wp-admin/post.php?post=7689&action=edit

[SergeiP]

1. Rule ID: 21850 - Way too general in its regex

2. CWAF 1.166 / 2.22 in multiple applications

3.

Code: [Select]

[Tue Jun 05 10:48:23.222182 2018] [:error] [pid 1773425:tid 139707396007680] [client 118.209.129.254:50144] [client 118.209.129.254] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)\\\\b|s(?:ys(?:\\\\.database_name|aux)\\\\b|chema(?:\\\\W*\\\\(|_name\\\\b)|qlite(_temp)?_master\\\\b) ..." at ARGS:acf[field_575cce092e3f1]. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "74"] [id "218530"] [rev "3"] [msg "COMODO WAF: SQL Injection Attack: Common DB Names Detected||xxxx.org.au|F|2"] [data "Matched Data: database ( found within ARGS:acf[field_575cce092e3f1]: To re-survey sites from the original BirdLife Australia Birds on Farms project (1995 \\xe2\\x80\\x93 1997), we will contact land owners using our database and networks. We will determine whether land owners are interested in surveying birds on their properties or if they are happy for someone else to carry out surveys. We will also put out a call through our networks (as well as through project partners and community groups s [hostname "xxxx.org.au"] [uri "/wp-admin/post.php"] [unique_id "WxXd1FJDG1kA5zgXCaotOgAAAAU"], referer: https://xxxx.org.au/wp-admin/post.php?post=7689&action=edit

1) Rule ID:  211820  (Triggers from administrative interface in phpbb, v. 3.2.2)

2) CWAF Plugin Version 2.22, Rules Version 1.666

3) 

Code: [Select]

Request: GET /adm/images/alert_close.png
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=31
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_groups&icat=12&mode=manage
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /adm/index.php?sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&i=acp_prune&mode=users
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: POST /adm/index.php?i=acp_users&sid=e24c3dc56f5bfe4c20d0bef96d86b1c3&icat=13&mode=overview
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.

Request: GET /memberlist.php?mode=viewprofile&u=567
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:(?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at REQUEST_COOKIES:phpbb3_2fd22_ct_prev_referer.



Hi. Please provide full logs for these FP. Setup your modsecurity modules as shown below:

Hi lord alibaski, you don't need to post rule, the id will be enought.
Please check if  your mod_security.conf has such settings

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial

for obtaining modsec_audit.log which contains data:

Code: [Select]

[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /mahara-17.04.1/htdocs/artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
User-Agent: curl/7.56.1
Accept: */*
Cookie: mahara=bd7b6f93437c30c83fe9291c95d47a5dc64dd313a8efb0a915299b14e9ce2783
Content-Length: 493
Content-Type: application/x-www-form-urlencoded

--815f575b-C--
firstname=Admin%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=User%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&studentid=&preferredname=%3Cscript%3Ealert%283%29%3B%3C%2Fscript%3E&introduction=&email_selected=ansa%40localhost&email_valid%5B%5D=ansa%40localhost&officialwebsite=&personalwebsite=&blogaddress=&address=&town=&city=&country=&homenumber=&businessnumber=&mobilenumber=&faxnumber=&occupation=&industry=&submit=Processing+...&fs=aboutme&sesskey=I1xz5Fo4bs72pfu3&pieform_profileform=
--815f575b-F--
HTTP/1.1 403 Forbidden
Content-Length: 251
Connection: close
Content-Type: text/html; charset=iso-8859-1

--815f575b-E--

--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\\s\\S]*?)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [data "Matched Data: <script> found within ARGS:firstname: Admin<script>alert(1);</script>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1510328367568352 42562 (- - -)
Stopwatch2: 1510328367568352 42562; combined=37219, p1=12867, p2=23752, p3=0, p4=0, p5=492, sr=926, sw=108, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.4 (Unix)
Engine-Mode: "ENABLED"
You can hide sensitive data like

Code: [Select]

Host: 10.8.4.2:5080
your log

Code: [Select]

Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required
refers to ruleid 243930 but this rule leave message

Code: [Select]

COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)
Are you sure that you use CWAF ruleset?

POST request without request body to proteced host

Code: [Select]

/index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
doesn't cause 403.
If you use whm + Comodo WAF plugin then you able to disable single rule.