Installation Problems, Reporta Problem - Problem & waf@comodo.com Problem

With all enthusiasm I downloaded the installer yesterday and went for a cpanel install on one of our servers to test out the whm plugin and the ruleset…

Downloaded the installer from the web site, installed via shell and all went well, restarted apache then I rushed to WHM to play with the plugin, the plugin didn’t install, I also found out that the installer also didn’t create the cwaf/etc folder and the associated conf file. That didn’t deter me, I copied the ruleset across into my existing modsec_rules folder, then into my Configserver plugin, added the following line to modsec:

Include /usr/local/apache/conf/modsec_rules/cwaf*.conf

Start mod security and got the following errors:

Initial configuration generation failed with the following message:

Configuration problem detected on line 1087 of file /usr/local/apache/conf/modsec_rules/cwaf_01.conf:SecRule takes two or three arguments, rule target, operator and optional action list

— /usr/local/apache/conf/modsec_rules/cwaf_01.conf —
1081phase:2,
1082pass,
1083nolog,
1084t:none, t:lowercase,
1085skipAfter:‘END_SECMARKER_11020’"
1086
1087 ===> SecRule !ARGS:/^FCKeditor/|!ARGS:/^PLUGIN_FEED/|!ARGS:/^ViewState/|!ARGS:/^ZA_ARTICLE/|!ARGS:/^akID/|!ARGS:/^artsee_banner_/|!ARGS:/^attr_/|!ARGS:/^attribute/|!ARGS:/^bbcode_/|!ARGS:/^cf/|!ARGS:/^cf_field_/|!ARGS:/^channel/|!ARGS:/^complete_action/|!ARGS:/^config/|!ARGS:/^constant_contact/|!ARGS:/^css/|!ARGS:/^data/|!ARGS:/^element/|!ARGS:/^fetch/|!ARGS:/^field/|!ARGS:/^flb/|!ARGS:/^func_key/|!ARGS:/^groups/|!ARGS:/^hilit/|!ARGS:/^input_/|!ARGS:/^install_package/|!ARGS:/^item_/|!ARGS:/^k2extra/|!ARGS:/^listingfields/|!ARGS:/^ninja_forms/|!ARGS:/^option_value/|!ARGS:/^p_posts/|!ARGS:/^perch_/|!ARGS:/^product_long_/|!ARGS:/^replacer/|!ARGS:/^revchurch/|!ARGS:/^rsargs/|!ARGS:/^setting/|!ARGS:/^si_contact_/|!ARGS:/^stylevar/|!ARGS:/^svc_id/|!ARGS:/^tp_article/|!ARGS:/^utm/|!ARGS:/^wdf_joodb/|!ARGS:/^wimpy/|!ARGS:/^win/|!ARGS:/address/|!ARGS:/addy/|!ARGS:/adres/|!ARGS:/afbeelding/|!ARGS:/ajax/|!ARGS:/avatar/|!ARGS:/blog/|!ARGS:/body/|!ARGS:/buzz/|!ARGS:/callback/|!ARGS:/censor/|!ARGS:/click/|!ARGS:/comment/|!ARGS:/content/|!ARGS:/css_frame/|!ARGS:/desc/|!ARGS:/destination/|!ARGS:/domain/|!ARGS:/export/|!ARGS:/facebook/|!ARGS:/feed/|!ARGS:/flickr/|!ARGS:/flsrv/|!ARGS:/foto/|!ARGS:/frame/|!ARGS:/from_add/|!ARGS:/ftp/|!ARGS:/google/|!ARGS:/header/|!ARGS:/host/|!ARGS:/href/|!ARGS:/html/|!ARGS:/http/|!ARGS:/iTunes/|!ARGS:/icon/|!ARGS:/image/|!ARGS:/img/|!ARGS:/jform/|!ARGS:/link/|!ARGS:/link/|!ARGS:/linkedin/|!ARGS:/live$/|!ARGS:/liveUpdate/|!ARGS:/logo/|!ARGS:/media/|!ARGS:/message/|!ARGS:/metakey/|!ARGS:/metatags/|!ARGS:/movie/|!ARGS:/note/|!ARGS:/openid/|!ARGS:/page/|!ARGS:/password/|!ARGS:/photo/|!ARGS:/pic/|!ARGS:/pinterest/|!ARGS:/plaatje/|!ARGS:/reciprocal/|!ARGS:/redirect/|!ARGS:/refer/|!ARGS:/resolv/|!ARGS:/return/|!ARGS:/rss/|!ARGS:/screenshot/|!ARGS:/search_code/|!ARGS:/server/|!ARGS:/service/|!ARGS:/site/|!ARGS:/soap/|!ARGS:/speedtest/|!ARGS:/sponsor_banner/|!ARGS:/sponsors/|!ARGS:/sql/|!ARGS:/stream/|!ARGS:/target/|!ARGS:/template/|!ARGS:/text/|!ARGS:/theme/|!ARGS:/thumb/|!ARGS:/trackback/|!ARGS:/tripadvisor <===
1088/|!ARGS:/twitter/|!ARGS:/txt/|!ARGS:/uri/|!ARGS:/url/|!ARGS:/vertex/|!ARGS:/vid/|!ARGS:/web/|!ARGS:/whereto/|!ARGS:/wsdl/|!ARGS:/www/|!ARGS:/xthreads/|!ARGS:/youtube/|!ARGS:ATTACHMENTS_URL|!ARGS:Brief_Profile|!ARGS:CP_email|!ARGS:CUSTID|!ARGS:Comentario|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:FAQTitle|!ARGS:FULL_URL|!ARGS:GMAP_KEY|!ARGS:GMAP_KEY|!ARGS:HOMEPAGE_URL|!ARGS:Infos|!ARGS:KT_Update1|!ARGS:OVRAW|!ARGS:OpenID|!ARGS:PageCopy|!ARGS:Post|!ARGS:Query|!ARGS:RelayState|!ARGS:Store_CustomerEmail_Header|!ARGS:Store_OUI_GlobalFooter|!ARGS:UpdateNote|!ARGS:^/xcpr_/|!ARGS:RW|!ARGS:_docSelector|!ARGS:_ref|!ARGS:_search|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:action|!ARGS:ad_code|!ARGS:add_fd3|!ARGS:addendum|!ARGS:admin_footer|!ARGS:agendWebPage|!ARGS:aim|!ARGS:announce_post|!ARGS:answer|!ARGS:api|!ARGS:archive_chrono|!ARGS:area|!ARGS:areaContent2|!ARGS:arg2|!ARGS:arg6|!ARGS:armoury|!ARGS:art_source|!ARGS:art_summary|!ARGS:article|!ARGS:attribute29|!ARGS:automode|!ARGS:babynaam|!ARGS:back|!ARGS:back|!ARGS:back_to|!ARGS:background|!ARGS:backto|!ARGS:ban_reason|!ARGS:banner|!ARGS:banner_top|!ARGS:bannercode|!ARGS:banners_list|!ARGS:base1|!ARGS:before|!ARGS:big|!ARGS:binary|!ARGS:board_msg|!ARGS:button_dir|!ARGS:c_msg|!ARGS:came_from|!ARGS:camefrom|!ARGS:canonical|!ARGS:cat_sponsor|!ARGS:cc_list_id|!ARGS:cl_post|!ARGS:clip|!ARGS:cmstr|!ARGS:color_chart|!ARGS:configParams[api][configParamValue]|!ARGS:configuration_key|!ARGS:confirm|!ARGS:contact_info|!ARGS:continue|!ARGS:copyright|!ARGS:cptpl_dir|!ARGS:cts|!ARGS:cur|!ARGS:customer_footer|!ARGS:cyswllt|!ARGS:data|!ARGS:data[Email][comment]|!ARGS:data_codepress|!ARGS:dcsqry|!ARGS:dcsref|!ARGS:dcsref|!ARGS:def|!ARGS:default_banner|!ARGS:definition|!ARGS:dest|!ARGS:dest|!ARGS:details|!ARGS:direct|!ARGS:direct|!ARGS:disc|!ARGS:dns|!ARGS:ds_source|!ARGS:dynadata[_SIGNATURE]|!ARGS:dynafield[_SIGNATURE]|!ARGS:edit_full|!ARGS:email_forward|!ARGS:email_sig|!ARGS:embed_code|!ARGS:embeddump|!ARGS:enlace|!ARGS:enquiry|!ARGS:entry|!ARGS:env_ping_list|!ARGS:env_ping_list|!ARGS:
1089eself|!ARGS:excerpt|!ARGS:extra_info|!ARGS:f_license|!ARGS:fail|!ARGS:faqText|!ARGS:fb_ref|!ARGS:fck_brief|!ARGS:fetch|!ARGS:fflv|!ARGS:fighter_name|!ARGS:flv|!ARGS:flvSource|!ARGS:footer|!ARGS:footer_scripts|!ARGS:form_element3|!ARGS:form_pathscript|!ARGS:form_profile|!ARGS:forum|!ARGS:forward|!ARGS:friend_M|!ARGS:from|!ARGS:fromp|!ARGS:full_story|!ARGS:gmaps|!ARGS:gmu|!ARGS:go|!ARGS:goback|!ARGS:goto|!ARGS:gwefan|!ARGS:hd_request|!ARGS:hdwnook|!ARGS:hdwok|!ARGS:hdwok|!ARGS:heading|!ARGS:helpbox|!ARGS:home|!ARGS:home_top|!ARGS:how_did_you_hear_about_us|!ARGS:howhear|!ARGS:hp|!ARGS:hq|!ARGS:ico|!ARGS:ima|!ARGS:importremote|!ARGS:inc|!ARGS:input_3|!ARGS:input_50|!ARGS:input_name[0]|!ARGS:input_name[4]|!ARGS:intro|!ARGS:introduction|!ARGS:ip|!ARGS:jibber|!ARGS:jumpTo|!ARGS:junkWords|!ARGS:kotisivu|!ARGS:l1_bdy|!ARGS:lang_default_value|!ARGS:languageChange|!ARGS:last_msg|!ARGS:layout|!ARGS:lec_rm|!ARGS:listserv|!ARGS:live|!ARGS:loc|!ARGS:loc|!ARGS:location|!ARGS:locationhp|!ARGS:marqueur|!ARGS:mb|!ARGS:memo|!ARGS:mesg|!ARGS:metavalue|!ARGS:move_to|!ARGS:msg|!ARGS:music|!ARGS:myfilm1|!ARGS:n-state|!ARGS:name_ip|!ARGS:newText|!ARGS:new_channel|!ARGS:new_tng_path|!ARGS:newidentities[0][signature]|!ARGS:newsBody|!ARGS:newsettings[files_dir]|!ARGS:next|!ARGS:note|!ARGS:notes|!ARGS:oaparams|!ARGS:obj_itop|!ARGS:obr|!ARGS:old_file[]|!ARGS:oldmsg|!ARGS:op|!ARGS:option[78]|!ARGS:option[home]|!ARGS:options[alter][path]|!ARGS:origem|!ARGS:origin|!ARGS:os|!ARGS:out|!ARGS:outbound|!ARGS:outputfile|!ARGS:owa_protocol|!ARGS:p_zoho|!ARGS:pack|!ARGS:packageComments|!ARGS:params[altTag]|!ARGS:parent_name|!ARGS:path|!ARGS:pathToPiwik|!ARGS:path[alias]|!ARGS:pattern_select|!ARGS:pay_list_type|!ARGS:payment_extrainfo|!ARGS:payment_home|!ARGS:paypal_ipn|!ARGS:pfad|!ARGS:pingback_service|!ARGS:playlist|!ARGS:post-id|!ARGS:postvars|!ARGS:problem|!ARGS:prodDownload|!ARGS:prodLogo|!ARGS:profile|!ARGS:profile_id|!ARGS:pu|!ARGS:r|!ARGS:radio|!ARGS:redir|!ARGS:ref|!ARGS:refsrc|!ARGS:register_at|!ARGS:regx_root|!ARGS:rel_path|!ARGS:relocate|!A
1090RGS:remotefile|!ARGS:reply|!ARGS:repository|!ARGS:request|!ARGS:request_uri|!ARGS:resolution|!ARGS:resource|!ARGS:resource_box|!ARGS:response|!ARGS:result|!ARGS:ret|!ARGS:ret|!ARGS:rev_you_tube|!ARGS:reverbnation|!ARGS:revnews_ad_120|!ARGS:rf|!ARGS:rules|!ARGS:sUrl|!ARGS:saved_data|!ARGS:search|!ARGS:search_string|!ARGS:searchstring|!ARGS:service|!ARGS:set_static_uri_to|!ARGS:sfhome|!ARGS:shire|!ARGS:short_story|!ARGS:short_story|!ARGS:showStr|!ARGS:sig|!ARGS:signature|!ARGS:sima|!ARGS:slug|!ARGS:sm_b_style|!ARGS:snippet|!ARGS:soundname|!ARGS:source|!ARGS:source_code|!ARGS:source_location|!ARGS:sourcetitle|!ARGS:st_widget|!ARGS:steps|!ARGS:store|!ARGS:stories_cat|!ARGS:str_sitio|!ARGS:stretch|!ARGS:subdir[0]|!ARGS:subject|!ARGS:success|!ARGS:success|!ARGS:sugarroot|!ARGS:summary|!ARGS:summary|!ARGS:svc_id|!ARGS:svc_id|!ARGS:tax23_RefDocLoc|!ARGS:teaser_js|!ARGS:theVisibility|!ARGS:thm|!ARGS:ticketmaster|!ARGS:tickets|!ARGS:title|!ARGS:to|!ARGS:tos|!ARGS:tpl_cont|!ARGS:tresc|!ARGS:txt|!ARGS:typePageCode|!ARGS:u|!ARGS:ucapi|!ARGS:ui|!ARGS:uri|!ARGS:user[signature]|!ARGS:user_sig|!ARGS:user_xup|!ARGS:utmp|!ARGS:utmr|!ARGS:value_190|!ARGS:value_3|!ARGS:value_string_9|!ARGS:var_value[usps_labels_help_2]|!ARGS:view|!ARGS:vinculo|!ARGS:voice|!ARGS:vthumb|!ARGS:want2Read|!ARGS:war|!ARGS:weather|!ARGS:whereto|!ARGS:whydowork_code|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:wlp|!ARGS:wordpress_extra|!ARGS:wp_home|!ARGS:wysiwyg|!ARGS:x_Instructions|!ARGS:x_organizational|!ARGS:xml|!ARGS:xsponsor2|!ARGS:yahoo|!ARGS:zajawka|ARGS “^(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1})://(.{0,})$”
1091"chain,
1092id:11085,
1093msg:‘COMODO WAF: see rule description’,
— /usr/local/apache/conf/modsec_rules/cwaf_01.conf —

Rebuilding configuration without any local modifications.

Failed to generate a syntactically correct Apache configuration.

Comment the line out restart and existing rules continue okay. I have downloaded the newest version tonight uploaded the new files and same error on restart

So off to the comodo web site logged in to the WAF section, logged in and clicked on the Report a Problem more or less entered the above hit return and found that it only accepted xxxx amount of characters - aaaahhhhh

Tonight I download the latest version of the ruleset, hoping maybe something had changed, nope installed the modified files restarted and the same error message, so I know not to use the report a problem form so I email the following email address on my welcome email with license etc etc waf@comodo.com

Within 10 secs I get a bounce back stating:

Delivery to the following recipient failed permanently:

 waf@comodo.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain comodo.com by mail1.comodogroup.com. [91.199.212.133].

The error that the other server returned was:
550 Sorry, waf@comodo.com is not in my validrcptto list

I’ve now sent a copy to the general support email address…not sure how long they’ll take to reply or if they deal with waf issues, so here I am at the forum…

we just released a new ruleset v0.32 and will be releasing a new cpanel plugin early next week.

i asked our guys to take a look asap.

Still no joy with the new loader I’m afraid

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/free-modsecurity-rules-t100621.0.html;msg732563#msg732563