Cannot find rule to disable

Hello,

In WHM I cannot seem to find the rule that is causing issues for customers' PmWiki installations.
The rule is:
212480: WAF: NoScript XSS InjectionChecker: HTML Injection

See attached screenshot.
As you can see we only have Apps, Bruteforce and Global categories enabled because of all the false positives.

I tried disabling this rule in SSH but got this:
/var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 212480
turning off rules:212480
domain: global
ERROR: empty update data

So was this rule turned off or not?

Hello.
This error appears when the rule id doesn't exist in the ruleset.
For example:


# /var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 999999
turning off rules:999999
domain: global
ERROR: empty update data

Please, check:


# grep -r  212480  *
08_XSS_XSS.conf:	"id:212480,msg:'COMODO WAF: NoScript XSS InjectionChecker: HTML Injection',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,rev:1,severity:2,tag:'CWAF',tag:'XSS'"
categories.conf:# RULEDATA:212480:XSS:1:COMODO WAF: NoScript XSS InjectionChecker: HTML Injection
scheme.yml:      212480: 0
scheme.yml:  212480:
scheme.yml:    parent: 212480

Ok? That's exactly why I notified and asked you?
Why do customers' websites get errors and it's showing that the rule id is causing this?

It shows in WHM that the cause of customers getting a 403 error is that RULE ID!

So, what or how can I fix your bug?

Please show me the results of the last 2 commands.


# cd /var/cpanel/cwaf/rules/
# grep -r  212480  *
# less rules.dat

Thanks.

[/var/cpanel/cwaf/rules]# grep -r 212480 *
08_XSS_XSS.conf: "id:212480,msg:'COMODO WAF: NoScript XSS InjectionChecker: HTML Injection||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,rev:1,severity:2,tag:'CWAF',tag:'XSS'"
categories.conf:# RULEDATA:212480:XSS:1:COMODO WAF: NoScript XSS InjectionChecker: HTML Injection
scheme.yml: 212480: 0
scheme.yml: 212480:
scheme.yml: parent: 212480

1.123

Hi Hedlof

We have removed rule 212480 in the latest release, so please update the rules.
Also, please update to the latest client version if you have not updated yet.
The impossibility of finding the rule can be related to a cache issue.
If you are concerned about this, please remove the cache with

# rm -f /var/cpanel/cwaf/tmp/CACHE/*.cache

The cache will be regenerated during plugin restart.

Regards, Oleg