client blocked, but rule is disabled

Free Modsecurity rules - Comodo Web Application Fi

mikecol October 14, 2015, 4:49pm #1

I have a client that keeps getting blocked, this is whats happening:

csf.deny: 46.xxx.xxx.xxx # lfd: (mod_security) mod_security (id:211540) triggered by 46.xxx.xxx.xxx(GB/United Kingdom/customer-46-xxx-xxx-xxx.gigaclear.net): 5 in the last 3600 secs - Wed Oct 14 15:46:25 2015

and so I disabled the rule (211540) COMODO WAF: Blind SQL Injection Attack

however they still keep getting blocked by this same rule, even though its disabled on their domain.

whats going on?

I have litespeed 5.0.7 Enterprise
CWAF plugin version 2.13
Current rules version 1.45 (Latest version)

[attachment deleted by admin]

mikecol October 14, 2015, 5:27pm #2

an addition, users get this when in the wordpress admin area

brijendrasial October 14, 2015, 9:37pm #3

Please check again as I feel there may be multiple rule blocking it. Disable one rule will make other rule to trigger and that can block it. So its good to check log again.

mikecol October 15, 2015, 4:44am #4

hi

well i disabled that rule but they are still getting blocked by that same rule? it does not say any other rules when i search for their ip… it says that rule blocked them even though its disabled?

oleg.tsygany October 15, 2015, 9:53am #5

Hi

Did you disabled it for domain? Please try to disable globally this can be issue.

Regards, Oleg

mikecol October 15, 2015, 9:59am #6

Hi

yes i disabled for the domain… ill try disabling globally.

so should i always disable globally and not at domain level?

oleg.tsygany October 15, 2015, 10:03am #7

Disabling rule for domain depend on regular expression.
If requests to your server not match this expression request will not be blocked.

So if it will block for rule disabled globally we will know this is regex issue.

Regards, Oleg