Comodo WAF for IIS

Free Modsecurity rules - Comodo Web Application Fi
1

Initial version of Comodo WAF for Internet Information Services (IIS) has been released.

System Requirements:

  • IIS v.7.5.
  • Mod_security v. 2.7.5 and above

Install ModSecurity

To install Mod_security for IIS installers (for 32bit and 64bit respectively) should be loaded from http://www.modsecurity.org/download.html and run. After installation Mod_security should be visible in modules list in IIS Manager.

Default installation path for Mod_security rules and configuration files is: “C:\Program Files\ModSecurity IIS”.

Install CWAF

[ol]- Login to Comodo WAF interface: https://waf.comodo.com

  • Choose source “IIS” and download latest rules (Latest release: 1.54).
  • Click to Download Full RuleSet

After downloading of the rule-set you get the archive “comodo-iis-rules-154.zip”.

  • Back-up current “C:\Program Files\ModSecurity IIS” folder.
  • Extract archive to “C:\Program Files\”.
  • Restart IIS. [/ol]

Check CWAF Protection

To check CWAF protection work you may send the next request to your server: [code=“request to your server:”]http://your.server/?a=b AND 1=1




https://forums.comodo.com/index.php?action=dlattach;topic=113751.0;attach=111243


[b]Update of the Protection Rules[/b]


[ol]- Open system Terminal (cmd).
- Run system command:[/ol]

cscript.exe “C:\Program Files\ModSecurity IIS\cwaf_update.vbs”





You may add this command as a regular system task to Windows scheduler.

[b]Additional Details[/b]


- "rules.dat" is file, containing rules version;
- "modsecurity_iis.conf" – main ModSecurity configuration file;
- "cwaf_modsecurity.conf" - CWAF configuration file;
- "cwaf_excludes.conf" - file with excluded rules id – some rules are excluded by default because of false-positives. To turn them on it needs to remove them from this file and restart IIS;
- "categories.conf" - file with rules categories;
- "cwaf_update.vbs" - script is designed for rules update.


[attachment deleted by admin]
2

excellent work guys!

Thanks to our WAF team, tens of thousands of hosting companies and many more servers are secure from attacks, for FREE!

3

Awesome going to try this on our servers now.

4

Hello.
We collect information about current supported platforms. So, please, inform us about IIS versions which work with our plugin and ruleset.
Thanks a lot.

5

CWAF was working great with Windows server 2012R2 and IIS 8.5.9600.16384 until late last year. Now if I try to update ruleset past v 1.87 from 2016 I get error that Modsecurity is unable to process rulesets. Is any work being done to make the product compatible with IIS 8.5?

6

We couldn’t test our rules with Win2012 and IIS 8.x yet. We’ll try to make it as soon as possible.

7

Just added it to a new server and its giving me warnings in event viewer so it seems it is working well.

Only issue I see is that the hostname it mentions is the server name instead of the website being attacked:

[client 49.207.2.196:57996] ModSecurity: Warning. Operator EQ matched 0 at IP. [file “C:/Program Files (x86)/Plesk/ModSecurity/rules/custom/32_Apps_OtherApps.conf”] [line “1242”] [id “240335”] [rev “4”] [msg “COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 49.207.2.196 (+1 hits since last alert)”] [severity “CRITICAL”] [tag “CWAF”] [tag “OtherApps”] [hostname “WIN-7V04NSFOETC”] [uri “/xmlrpc.php”] [unique_id “16645304224908840450”]

Very strange.

8

Updated the rules on my Windows 2012 R2 servers today and they worked! Thanks for correcting the issue.

9

We have this now on our Plesk servers aswell and it is working great. Just a few errors after it is imported into Plesk. Note we tried Atomic Secured rules which work 100% but want to move to Comodo WAF for IIS but just a few issues exist after import:

[client 185.186.141.26] ModSecurity: XML parser error: XML: Failed parsing document. [hostname “PLESK01-CPT”] [uri “/xmlrpc.php”] [unique_id “9223372039002259516”]

and

ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first. [hostname “PLESK01”] [uri “/”] [unique_id “1224979113677160489”]

We had modsecurity version 2.8.0 on and now upgraded to 2.9.1 with same errors.

10

This issue will be fixed in the next release:

[client 185.186.141.26] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "PLESK01-CPT"] [uri "/xmlrpc.php"] [unique_id "9223372039002259516"]

The issue

Use SecDataDir to define data directory first.

can be fixed with string:

 SecDataDir c:\inetpub\temp

in modsecurity.conf