Exclusion Manager not excluding Ver 0.34

Hi Yah,

This is now the 2nd time that this has happened, have added exclusions to the appropriate place saved, restarted apache. Cleared any Joomla cache & browser cache, done the same operation and still get dropped, when I check the logs it’s dropping me for the rule I added to the exclusion list earlier.

The only work around I have is to disable CWAF do the change/update save then reactivate it again.

Is anyone else having issues with exclusion manager not excluding the rules ?

Yes, current version has this issue. New client side scripts/plugin will be released in the near days.

Installed the new install script this morning, the exclusion list entries didn’t get wiped BUT it doesn’t exclude the rules entered for example I have the following in the exclusion list:


But when you check the logs you still see WAF processing the rule rather than excluding it :frowning:

xxx.xxx.xxx.xxx 211528 [24/Jan/2014:14:12:01 +1300]
Match of “rx ://%{SERVER_NAME}/” against “REQUEST_URI:/url/” required. [file “/var/cpanel/cwaf/rules/cwaf_01.conf”] [line “6610”] [id “211528”] [msg “COMODO WAF: Blocking remote inclusion in arguments”] [data “/administrator/index.php?option=com_installer&view=install”] [severity “CRITICAL”]

Now the 211528 rule is a real pain in the ■■■■…it drops Joomla when you try to save any changes to the global config. On a fresh install when you try to activate the “Install from Web” tab it bombs out, after disabling then reactivating CWAF to activate this in Joomla, I try installing JCK, plus several other modules/plugins every time you click the “Install” button CWAF bombs joomla making it a real pain to install anything.

Why isn’t the exclusion manager not working properly ?
Can you remove the rule 211528 for now so at least Joomla becomes workable again or sort the rule so it stops bombing Joomla out


I have: Include /usr/local/apache/conf/modsec2.whitelist.conf in my modsec2.usr.conf, I’ve added the 211528 to that, saved and restarted http yet it still doesn’t exclude that rule, joomla still gets 403’s :frowning: So basically if I try to exclude a list via CWAF Exclusion manager or the whitelist it doesn’t


If you have used our installation script, your current configuration is not included into your “modsec2.usr.conf”, so your “modsec2.whitelist.conf” don’t work

Install script makes backup and create a new mod_security configuration file /usr/local/apache/conf/modsec2.conf

So, first you may look to this file and see includes. If you didn’t change it manually, it should have only one include:

Include "/var/cpanel/cwaf/etc/cwaf.conf"

Then you may look to /var/cpanel/cwaf/etc/cwaf.conf. If you didn’t change it manually, it should have:

Include /var/cpanel/cwaf/rules/*.conf Include /var/cpanel/cwaf/etc/httpd/global/*.conf

/var/cpanel/cwaf/rules/.conf - files of Comodo rules.
.conf - exclude lists.

In the plugin, on “Configuration” bookmark you may see path to the current exclude list, by default: etc/httpd/global/zzz_exclude_global.conf

Next update should fix problems with rule 211528.

Standard cpanel install with no change to any of your installation scripts or configs…the only thing that changed PRIOR to my initial install of CWAF was the call to the ASL Delay rules folder


LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecRequestBodyAccess on
SecDataDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include “/var/cpanel/cwaf/etc/cwaf.conf”


SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 220621440
SecServerSignature Apache
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator “&”
SecCookieFormat 0
SecRequestBodyLimit 220621440
SecRequestBodyInMemoryLimit 220621440
LimitRequestBody 0
LimitRequestBody 134217728
SecDataDir /var/asl/data/msa
SecUploadDir /var/asl/data/suspicious
SecTmpDir /tmp
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/asl/data/audit
SecAuditLogType Serial
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec2.whitelist.conf

Path to log directory: /var/log/CWAF
Rules path: /var/cpanel/cwaf
Exclude conf: etc/httpd/global/zzz_exclude_global.conf

The exclude file does not exist in that folder as it hasn’t been created in the installation, the zzz_exclude_global.conf can be found in: /var/cpanel/cwaf/etc/httpd/global

So which path is correct ? I have already mention where this file resides in other posts. If I change the path to /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf , then save I get an error message stating it cannot find the conf file !!!

All I know is that whatever rules I add to the exclusion list they are not being read and those rules are still being processed by modsec and causing 403’s, making joomla a pain in the ■■■■ to use.

root [/etc/httpd]# locate zzz_exclude_global.conf
root [/etc/httpd]# _

Don’t need to change path to exclude list, because it’s specified as a relative, so “etc/httpd/global/zzz_exclude_global.conf” it’s correct path. Full path is really “/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf”

Please restore default path to exclude list to: “etc/httpd/global/zzz_exclude_global.conf”. Then try to edit exclude list through plugin in such way:

<LocationMatch .*> SecRuleRemoveById 211528 SecRuleRemoveById 211184 SecRuleRemoveById 211194 </LocationMatch>

Check working of rules after saving excludes and restarting Apache.

Your file “Modsec2.user.conf” is not included in your configuration, so these options are not working. You may try add include in the “modsec2.conf”:

Include “/usr/local/apache/conf/modsec2.user.conf”

Hi Yah,

I figured out the path was relative (silly me), have modified the CWAF Exclusion list manager with the additional <LocationMatch .*> & plus added Include “/usr/local/apache/conf/modsec2.user.conf” to the modsec2.conf and all seems to be working fine now…thank you very much :slight_smile: