Feedback on CWAF, updates and rule reporting

I just wanted to give you some feedback on your CWAF offering from a host provider perspective.

  1. The install, configuration and UI: Install was easy and the UI and configuration aspect is very good. Thumbs up there! Where it falls short is that client/plugin updates cause the modsec2.conf file to be completely regenerated from scratch. We add a single line to this in order to use the modsec plugin from configserver to manage logs and rule exceptions (we prefer it to yours, honestly). Having a way to include additional conf lines that survive an upgrade or rebuild would be fantastic.

  2. The updates/changelog to the client on your forums: This really needs to be more detailed and verbose. Lines like “Improvements & bug fixes” tell us nothing, and it makes it impossible to figure out if we should or need to upgrade. Please consider providing much more detailed information so we can evaluate whether an upgrade is important.

  3. The updates/changelog to your rules on your forums: Again, this needs to be more detailed and verbose. “False positives fixed” tells us absolutely nothing. Which false positives? I can’t be the only one who has a list of “broken rules” of which we are awaiting fixes. Knowing which false positives have been corrected would let us know if we can re-enable the rule again or not - otherwise there’s simply no tracking of anything and it’s impossible for us to know if we can turn the rule back on or not.

Ideally we want to be in a situation where rules do not stay permanently disabled, or that defeats the purpose of the system.

  1. Rule reporting: This one is a little tricky. We’ve submitted lots of tickets to you for false positive reports, and we’ve been told it’s better to post on the forum. The problem with this is that sometimes the reports contain potentially sensitive information, such as client text or client code (especially for a POST request, for example). This code is really needed to be included in the report so you guys have a better understanding of why the rule was triggered in the first place. If we scrub it out for the forum, you may ignore the report or not see it in the context that’s needed. I agree it makes sense for people to be able to communicate and share information about broken rules on the forum but a compromise needs to be reached somewhere. Any ideas?

  2. Staff activity: The false positive report thread hasn’t been acknowledged by any rule maintainers for around 2 months now. There have been many reports but no responses by a member of staff. If you want us to report rules, can we at least get some semi-frequent feedback on these?

Overall we’re happy with CWAF and look forward to hopefully using and contributing to it (in terms of false positive monitoring) for a long time. I know things are still early days but I think the above are the important issues that need addressing sooner rather than later.

Thank you for such a detailed feedback.

All these issues are important and we’ll working on them.

1-3 issues can be resolved in the near future.

As about rule reporting (4). We have a 3 feeds of user feedbacks:

  • User feedback from client interface.
    Here you may post all your sensitive information. Rule writers regularly review these feedbacks. But often guys need additional information from the client. It’s possible only if you post your real email in the feedback.

  • CWAF support.
    It’s a special trouble ticket system which help user to resolve all issues with CWAF system. Of course, in a question of false positive rule, staff person just recommends you to disable this rule and forwards FP details to Rule writers.

  • Forum.
    We use this source to see common problems detected by many users and get user wishes.

As about staff activity (5). Development and testing of good functional protection rules it’s the main and the most difficult our work. We are working on improvement of this process.

Also, since version 1.9 you may add additional excludes of protection rules: ‘Userdata’ → ‘Custom Rules’

which will be stored in he local file:


It’s a way to resolve this issue.

Thanks for your response. I wasn’t aware the “Custom” section could be used to add Include lines for other files, that’s very useful - thanks.

In regards to the rule reporting, the problem with using the “Feedback” section is that there’s no feedback on this. When reporting rules, it’s nice to hear that the report has been received and it’s being looked into, otherwise it just feels as if the reports go nowhere and we don’t know if they’ll be fixed. Of course, this is my opinion, perhaps others will disagree.

The real issue I had was when I submitted a ticket I was basically told “Use the forum” and it felt like you didn’t want me opening tickets about these false positives. The only reason I’ve been continuing to do so is as I mentioned, some of the information (particularly the sensitive POST data) may be needed by the rule writers to fix the rule. I can’t post that information on a public forum as it’s potentially sensitive for my clients. I don’t want to cause you guys any additional work so you can you confirm if tickets regarding false positives is OK?

Be sure all your posts into “Feedback” section staying in private and all of them are processed by ours team members. But we are not fixing each reported FP, some of them didn’t contains enough information to fix, some of them worked as designed, others still getting statistics. If some question will occur then we will mail it to email address stored in your account information.

So to report false positives it is better to use “Feedback” section. If your wish to make discussion you can cut all private information and post it on forum with proper questions. It is better to use CWAF support on technical questions except FPs, because support requires immediate resolve.