Comodo WAF for IIS

Initial version of Comodo WAF for [url=]Internet Information Services /url has been released.

System Requirements:

  • IIS v.7.5.
  • Mod_security v. 2.7.5 and above

Install ModSecurity

To install Mod_security for IIS installers (for 32bit and 64bit respectively) should be loaded from GitHub - SpiderLabs/ModSecurity: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence. and run. After installation Mod_security should be visible in modules list in IIS Manager.

Default installation path for Mod_security rules and configuration files is: “C:\Program Files\ModSecurity IIS”.

Install CWAF

[ol]- Login to Comodo WAF interface:

  • Choose source “IIS” and download latest rules (Latest release: 1.54).
  • Click to Download Full RuleSet

After downloading of the rule-set you get the archive “”.

  • Back-up current “C:\Program Files\ModSecurity IIS” folder.
  • Extract archive to “C:\Program Files\”.
  • Restart IIS. [/ol]

Check CWAF Protection

To check CWAF protection work you may send the next request to your server: [code=“request to your server:”]http://your.server/?a=b AND 1=1;topic=113751.0;attach=111243

[b]Update of the Protection Rules[/b]

[ol]- Open system Terminal (cmd).
- Run system command:[/ol]

cscript.exe “C:\Program Files\ModSecurity IIS\cwaf_update.vbs”

You may add this command as a regular system task to Windows scheduler.

[b]Additional Details[/b]

- "rules.dat" is file, containing rules version;
- "modsecurity_iis.conf" – main ModSecurity configuration file;
- "cwaf_modsecurity.conf" - CWAF configuration file;
- "cwaf_excludes.conf" - file with excluded rules id – some rules are excluded by default because of false-positives. To turn them on it needs to remove them from this file and restart IIS;
- "categories.conf" - file with rules categories;
- "cwaf_update.vbs" - script is designed for rules update.

[attachment deleted by admin]

excellent work guys!

Thanks to our WAF team, tens of thousands of hosting companies and many more servers are secure from attacks, for FREE!

Awesome going to try this on our servers now.

We collect information about current supported platforms. So, please, inform us about IIS versions which work with our plugin and ruleset.
Thanks a lot.

CWAF was working great with Windows server 2012R2 and IIS 8.5.9600.16384 until late last year. Now if I try to update ruleset past v 1.87 from 2016 I get error that Modsecurity is unable to process rulesets. Is any work being done to make the product compatible with IIS 8.5?

We couldn’t test our rules with Win2012 and IIS 8.x yet. We’ll try to make it as soon as possible.

Just added it to a new server and its giving me warnings in event viewer so it seems it is working well.

Only issue I see is that the hostname it mentions is the server name instead of the website being attacked:

[client] ModSecurity: Warning. Operator EQ matched 0 at IP. [file “C:/Program Files (x86)/Plesk/ModSecurity/rules/custom/32_Apps_OtherApps.conf”] [line “1242”] [id “240335”] [rev “4”] [msg “COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source (+1 hits since last alert)”] [severity “CRITICAL”] [tag “CWAF”] [tag “OtherApps”] [hostname “WIN-7V04NSFOETC”] [uri “/xmlrpc.php”] [unique_id “16645304224908840450”]

Very strange.

Updated the rules on my Windows 2012 R2 servers today and they worked! Thanks for correcting the issue.

We have this now on our Plesk servers aswell and it is working great. Just a few errors after it is imported into Plesk. Note we tried Atomic Secured rules which work 100% but want to move to Comodo WAF for IIS but just a few issues exist after import:

[client] ModSecurity: XML parser error: XML: Failed parsing document. [hostname “PLESK01-CPT”] [uri “/xmlrpc.php”] [unique_id “9223372039002259516”]


ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first. [hostname “PLESK01”] [uri “/”] [unique_id “1224979113677160489”]

We had modsecurity version 2.8.0 on and now upgraded to 2.9.1 with same errors.

This issue will be fixed in the next release:

[client] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "PLESK01-CPT"] [uri "/xmlrpc.php"] [unique_id "9223372039002259516"]

The issue

Use SecDataDir to define data directory first.

can be fixed with string:

 SecDataDir c:\inetpub\temp

in modsecurity.conf