CWAF - Rules 1.08

intellitech · May 7, 2014, 8:30am

I see a new set of CWAF rules available today … any feedback from those who have implemented it in their live environments - especially with any issues from WordPress & WHMCS - would appreciate it.

Thanks in advance.

MoovIt · May 7, 2014, 10:00am

Dmitry has done a good job fixing the previous bugs 1.08 is working fine my end no FP for Wordpress, Joomla, WHMCS or Livehelp

I excluded any FP in 1.06 and sent a copy of those logs in to help troubleshoot errors!

wtleaver · May 7, 2014, 5:58pm

I decided to try 1.08 on a single server based on this thread, but shortly after started getting reports of false positives. So far they are all with WordPress, for these rule IDs (so far):

210250
211530
211560
213030

wtleaver · May 7, 2014, 6:59pm

More false positives, this time for Joomla:

211300
214480

Webdomain.com · May 7, 2014, 7:23pm

We also had to disable WAF.
Too many false positives for Wordpress as well as for Xenforo.
For exemple: 212490 when inserting an image to a thread.

Webdomain.com · May 7, 2014, 7:25pm

or 212730 by editing a post with an image inside…
Or 214480 blocks images on a CDN…

TDmitry · May 7, 2014, 10:34pm

Please, fill the form at https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/falsepositive-report-thread-t104373.0.html for these following rules:
211530
212730

intellitech · May 8, 2014, 8:01am

Thanks everyone … it’s good to know that 1.08 is much better … I think I might hold off implementation just a little bit longer or risk customer support queries for WordPress issues …

Webdomain.com · May 8, 2014, 1:14pm

Yes you are right. Actually we received so many complaints from customers, we had to completely disable WAF to avoid each and every Apps being blocked…

TDmitry · May 8, 2014, 2:14pm

If it is possible - send me all rules ids which produce false positives. We will make check for each case.

Webdomain.com · May 8, 2014, 6:23pm

Thank you Dimitry but actually they were to numerous to spell them all (I guess we received since yesterday a notification of false positive each 15-20 minutes!!!).
It was easier to disable WAF completely.
Beside this, as reported in another thread of mine, the local rule exclusion function doesn’t work and we always had to exclude the rules globally.

designcentre · May 9, 2014, 8:16pm

I was exactly the same too many false positives to report, I’ve just kept 0.48’s ruleset running as I don’t want to start cheesing off customers again.

Webdomain.com · May 10, 2014, 2:03pm

How can we downgrade back to 0.48?

brijendrasial · May 10, 2014, 10:32pm

There is no option to downgrade rules in new installer. may be he is using old installer