Author Topic: Wrong rule set?  (Read 824 times)

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Wrong rule set?
« on: April 05, 2018, 07:15:30 PM »
I've been using CWAF as a modsec vendor in cPanel for quite a while now, using the following:

https://waf.comodo.com/doc/meta_comodo_apache.yaml

Now in about the past ~24 hours I'm seeing some general weirdness.

Looking into the issue, I've noticed the following in the logs:

Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Nginx.

I'm using Apache, not NGINX in any way, so I would think there should be no reason to be seeing that.

Looking at the rule set file "00_Init_Initialization.conf" I also see:

SecComponentSignature "CWAF_Nginx"

Was there a mixup on your end and the update issued the Apache rule set using the rule set for NGINX instead of Apache?

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Wrong rule set?
« Reply #1 on: April 06, 2018, 09:03:34 AM »
I manually downloaded the rule set for Apache and the file "00_Init_Initialization.conf" has the following:

SecComponentSignature "CWAF_Apache"

So the ModSecurity vendor rule set being automatically downloaded in cPanel is obviously the wrong one.

Any help on this?

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Wrong rule set?
« Reply #2 on: April 06, 2018, 10:16:19 AM »
I was able to fix this by deleting the modsec vendor in cPanel and re-adding it.


Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: Wrong rule set?
« Reply #3 on: April 06, 2018, 10:17:19 AM »
Hello snewtonge. We couldn't reproduce this event. It looks like you installed the cwaf client on nginx and after that switched the webserver to apache.
Please provide the versions of Apache, cPanel and the cwaf client.

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Wrong rule set?
« Reply #4 on: April 06, 2018, 12:16:20 PM »
> Hello snewtonge. We couldn't reproduce this event. It looks like you installed the cwaf client on nginx and after that switched the webserver to apache.
> Please provide the versions of Apache, cPanel and the cwaf client.

Nope. Never had NGINX and as I mentioned in my original post, I am using Comodo as a ModSecurity vendor in cPanel, not the CWAF client.

I have been using the same configuration for over a year without issue. It seems to have begun with the update to Version 1.160.

It's like someone at Comodo accidentally copied the new 1.160 NGINX rule set to the Apache set instead of the NGINX rule set and my servers all downloaded it before the mistake was noticed on your end and corrected.

So the only thing I could do was remove the ModSecurity vendor in cPanel and re-add it to update the rule set to the correct one.



Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: Wrong rule set?
« Reply #5 on: April 10, 2018, 05:30:30 AM »
If the issue is not solved by reinstalling the client, please create a ticket at https://support.comodo.com in the WAFs section, with a link to this topic, to elevate the priority of this issue.

Offline Jerry78

  • Newbie
  • *
  • Posts: 4
Re: Wrong rule set?
« Reply #6 on: April 23, 2018, 09:36:56 AM »
On 6 servers running cpanel with apache (NO nginx) and updates through WHM (no CWAF client) we see the same problem.

-rw-r--r-- 1 root root 3149 Apr 23 00:34 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

In the above file we see:
SecComponentSignature "CWAF_Nginx"


Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: Wrong rule set?
« Reply #7 on: April 30, 2018, 09:05:18 AM »
Hello Jerry78.
If possible, please share the content of the /etc/cwaf/main.conf file.

Offline heliostorm

  • Newbie
  • *
  • Posts: 2
Re: Wrong rule set?
« Reply #8 on: April 30, 2018, 10:00:40 AM »
Hi SergeiP, I think you misunderstood Jerry78? None of the people in this thread have CWAF installed- we've all installed the COMODO ModSecurity Apache Rule Set as a vendor in WHM (no CWAF client) as per this link: https://help.comodo.com/topic-212-1-670-8350-.html. We don't have a /etc/cwaf/ directory because the CWAF app isn't installed.

I can also confirm I'm seeing the exact same issue. I'm running Apache (NO nginx). The top of my /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf reads:

Code:
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2018 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecComponentSignature "CWAF_Nginx"

Note the SecComponentSignature "CWAF_Nginx"

It seems like someone uploaded the wrong files when they updated https://waf.comodo.com/doc/meta_comodo_apache.yaml ?

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: Wrong rule set?
« Reply #9 on: April 30, 2018, 11:12:57 AM »
We updated the file meta_comodo_apache.yaml. Please verify whether that helped. Thank you.

Offline heliostorm

  • Newbie
  • *
  • Posts: 2
Re: Wrong rule set?
« Reply #10 on: April 30, 2018, 11:34:23 AM »
Thanks! Just removed and re-added the rules and they seem to be the correct files now. Will let you know if there are any problems.

Offline Jerry78

  • Newbie
  • *
  • Posts: 4
Re: Wrong rule set?
« Reply #11 on: May 03, 2018, 05:03:29 AM »
After yesterday's update it broke again!  :-TD

-rw-r--r-- 1 root root 3149 May  2 17:06 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

The file shows AGAIN: SecComponentSignature "CWAF_Nginx"
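Since the wrong signature came back after an automatic update, the manual check done in this thread can be scripted and run after each vendor update. This is an added example, not part of any post and not Comodo or cPanel code; the function names are hypothetical and the sample file is constructed in a temporary directory. On a server, point it at the /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache directory named above.

```shell
#!/bin/sh
# Added example (not from the thread): verify which component signature
# a ModSecurity vendor rule set directory declares.

# component_signatures DIR
# Prints each distinct SecComponentSignature value set in DIR/*.conf.
# Commented-out lines are ignored and surrounding quotes are stripped.
component_signatures() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk 'tolower($1) == "seccomponentsignature" {
                 sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
                 gsub(/^"|"[ \t]*$/, "")           # drop surrounding quotes
                 print
             }' "$f"
    done | sort -u
}

# check_vendor_ruleset DIR EXPECTED
# Returns 0 if EXPECTED is the only signature declared, 1 on a mismatch
# (including several different signatures), 2 if none was found.
check_vendor_ruleset() {
    dir=$1
    expected=$2
    found=$(component_signatures "$dir")
    if [ -z "$found" ]; then
        echo "UNKNOWN: no SecComponentSignature under $dir" >&2
        return 2
    fi
    if [ "$found" = "$expected" ]; then
        echo "OK: $dir declares $found"
        return 0
    fi
    echo "MISMATCH: $dir declares $(echo $found), expected $expected" >&2
    return 1
}

# Constructed sample: an init file carrying the signature reported in this
# thread, written to a temporary directory instead of the live config path.
demo=$(mktemp -d)
printf '%s\n' '# Comodo ModSecurity Rules' '' \
    'SecComponentSignature "CWAF_Nginx"' > "$demo/00_Init_Initialization.conf"
check_vendor_ruleset "$demo" CWAF_Apache || echo "exit status: $?"
rm -rf "$demo"
```

The non-zero exit status makes it usable from cron or a monitoring check, so a rule set swapped by an update is noticed without reading the file by hand.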




Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: Wrong rule set?
« Reply #12 on: May 03, 2018, 07:42:39 AM »
meta_comodo_apache.yaml updated. Sorry for the inconvenience.

 
