Multiple false positives and rules description

Free Modsecurity rules - Comodo Web Application Fi
1

Hi,

We are testing this new product on two of our servers before deploying on the rest, and we are seeing some false positives:

11014 - Blocks prestashop translations - Disabled
20020 - errors galore acrross all servers - Disabled
11085 - WHMCS tickets submit - Disabled
11097 - WHMCS tickets submit - Disabled
^/administrator/ - Joomla site on submitting article - Submitting post activates 3 rules! - Disabled dir

and a couple of others still under investigation.

So, my questions are:

  • Is there a list of rules with a description? If not, when could this be available, since it is of the utmost importance to know what you are desabling, and if it must be disabled server wide, only for the user account or only for afected dir!?

  • What is rule ID 20020 about and why it is being triggered so often?

Please contact me in private to my email if you need any logs.

Cheers and keep the good work!

2

Another one:

11184 and 11194 - WHMCS submit ticket with attachement - Disabled
(POST /suporte/admin/supporttickets.php?action=viewticket&id=71412 HTTP/1.1)

3

One more for Joomla, on saving config or article:

Rules affected: 11529, 11534
Solution: disable modsec for file: administrator/index.php

4

I try to add the 20020 rule to the exclusion list, and as per manual there should be some form of simple editor to add the rule. But on my version of WHM WAF there is no simple editor. The only way I have of adding it is to type into the exclusion area: SecRuleRemoveById 20020…save Then I’m requested to restart apache. I do this and the first time apache refused to restart, tried again and it started up okay.

I’m also seeing a lot of “Use SecDataDir to define data directory first” showing in the logs.

Now can the comodo ruleset working along side the old delayed asl ruleset that’s on the server already and called up via the modsec2.user.conf:
Include /usr/local/apache/conf/modsec_rules/asl.conf

Also I notice that csw writes to the modsec2.conf, won’t this be overwritten on a reinstall or update to mod_sec via easy apache ?
Can the Include “/var/cpanel/cwaf/etc/cwaf.conf” be added to the modsec2.user.conf instead ?

5

Do you use only our CWAF rules or ASL in parallel? It can possible be linked with ASL rules, please look to this post:

http://forums.cpanel.net/f185/modsecurity-use-secdatadir-define-data-directory-first-153237.html

Technically it’s possible. For this you need include asl conf in the /var/cpanel/cwaf/etc/cwaf.conf.

But it’s not a good idea, because of crossing rules and high load of the system.

Thank you for calling attention to this, we consider the case of updating the configuration.

6
Do you use only our CWAF rules or ASL in parallel? It can possible be linked with ASL rules, please look to this post: http://forums.cpanel.net/f185/modsecurity-use-secdatadir-define-data-directory-first-153237.html

I did have & have already implemented what they suggested in the thread, this morning I removed all reference to the delayed ASL ruleset and I’m using only CWAF

Using only CWAF I notice that on the upgrade this morning to 0.33 the Exclusions that I had entered had gone i.e 20020, 11184 & 11194. Does this mean everytime there’s an update I have to re-enter the excluded rules ?

Seeing lots of the following in the logs:
Rule 6d54308 [id “20042”][file “/var/cpanel/cwaf/rules/cwaf_05.conf”][line “86”] - Execution error - PCRE limits exceeded (-8): (null).
Rule 738b230 [id “20020”][file “/var/cpanel/cwaf/rules/cwaf_05.conf”][line “55”] - Execution error - PCRE limits exceeded (-8): (null).