Hi
A user of my forum keeps triggering this rule, and then he gets blocked. He is a regular member.
I am unsure what this rule is for exactly…
Where can I find an explanation of this rule and others?
I am running the latest version of cPanel with the following activated:
COMODO ModSecurity Apache Rule Set
COMODO ModSecurity Rules for Apache
and
ConfigServer
ConfigServer cXs ModSecurity rule
Here is the message:
[Mon Sep 19 17:24:54.472350 2016] [:error] [pid 30581] [client 86...20] ModSecurity: Access denied with code 403 (phase 2). Match of "ge 1" against "&ARGS_POST:pagetext" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "64"] [id "210380"] [rev "3"] [msg "COMODO WAF: URL Encoding Abuse Attack Attempt||www.MYWEBSITE.com|F"] [severity "WARNING"] [hostname "www.MYWEBSITE.com"] [uri "/ajax.php"] [unique_id "V[at]ARVgvYeTf-futgj0LNFwAAABI"]
then this happens and he is blocked…
Sep 19 18:14:53 vps****** lfd[27908]: (mod_security) mod_security (id:210380) triggered by 86...20 (GB/United Kingdom/cpc75655-alde5-2-0-cust787.6-2.cable.virginm.net): 5 in the last 3600 secs - Blocked in csf [LF_MODSEC]
Thanks for your help
// :-\
Hi
Does anyone know anything about these?
I'm also getting the following and had to add the IDs to the whitelist, as I cannot find anything out about the rules.
82.42.201.187 # lfd: (mod_security) mod_security b[/b] triggered by 82.42.201.187 (GB/United Kingdom/cpc4-know14-2-0-cust442.17-2.cable.virginm.net): 5 in the last 3600 secs - Wed Sep 21 14:40:11 2016
79.73.244.152 # lfd: (mod_security) mod_security b[/b] triggered by 79.73.244.152 (GB/United Kingdom/79-73-244-152.dynamic.dsl.as9105.com): 5 in the last 3600 secs - Wed Sep 21 18:31:59 2016
72.76.221.220 # lfd: (mod_security) mod_security b[/b] triggered by 72.76.221.220 (US/United States/pool-72-76-221-220.nwrknj.fios.verizon.net): 5 in the last 3600 secs - Thu Sep 22 00:01:13 2016
74.208.218.66 # lfd: (mod_security) mod_security b[/b] triggered by 74.208.218.66 (US/United States/-): 5 in the last 3600 secs - Thu Sep 22 01:58:38 2016
90.217.166.143 # lfd: (mod_security) mod_security b[/b] triggered by 90.217.166.143 (GB/United Kingdom/5ad9a68f.bb.sky.com): 5 in the last 3600 secs - Thu Sep 22 10:56:08 2016
177.12.172.43 # lfd: (mod_security) mod_security b[/b] triggered by 177.12.172.43 (BR/Brazil/web1204.kinghost.net): 5 in the last 3600 secs - Thu Sep 22 11:42:20 2016
Hi!
Rule 210380 protects against URL Encoding Abuse Attack attempts.
Rule 210410: Invalid character in request.
If you suspect a false positive, you can exclude these rules. Unfortunately, you need to turn off the file 12_HTTP_Protocol.conf in ModSecurity Vendors, with all the rules in it.
All rules are located in /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/
Here you can find any of them.
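Before excluding anything, it helps to see which rule IDs and URIs are behind each block. The Python sketch below is an added example, not part of the thread or of any COMODO or ConfigServer tooling: it parses ModSecurity error-log lines in the format quoted above (with the straight quotes Apache writes) and applies the "5 in the last 3600 secs" threshold from the lfd message. The sample lines and 192.0.2.x addresses are constructed, and counting per client across all rules is an assumption of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TS_RE = re.compile(r'^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ (\d{4})\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
TAG_RE = re.compile(r'\[(id|msg|uri|file) "([^"]*)"\]')

def parse_line(line):
    """Parse one ModSecurity error-log line; return None for anything else."""
    ts, client = TS_RE.search(line), CLIENT_RE.search(line)
    tags = dict(TAG_RE.findall(line))
    if "ModSecurity:" not in line or not ts or not client or "id" not in tags:
        return None
    when = datetime.strptime(f"{ts.group(1)} {ts.group(2)}", "%a %b %d %H:%M:%S %Y")
    return {"time": when, "client": client.group(1), **tags}

def would_block(events, limit=5, window=3600):
    """Map each client with `limit` hits inside `window` seconds to the time of that hit."""
    per_client = defaultdict(list)
    for e in events:
        per_client[e["client"]].append(e["time"])
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        for first, last in zip(times, times[limit - 1:]):  # sliding window of `limit` hits
            if (last - first).total_seconds() <= window:
                flagged[client] = last
                break
    return flagged

def rule_breakdown(events, client):
    """Count how often each (rule id, uri) pair fired for one client."""
    return Counter((e["id"], e.get("uri")) for e in events if e["client"] == client)

def _sample(hhmmss, client, rule_id):  # constructed test data, not real log lines
    return (f'[Mon Sep 19 {hhmmss}.000000 2016] [:error] [pid 1] [client {client}] '
            'ModSecurity: Access denied with code 403 (phase 2). '
            f'[id "{rule_id}"] [severity "WARNING"] [uri "/ajax.php"]')

SAMPLE_LOG = [_sample(t, c, r) for t, c, r in [
    ("17:24:54", "192.0.2.10", "210380"), ("17:30:00", "192.0.2.10", "210380"),
    ("17:41:10", "192.0.2.20", "210410"), ("17:45:00", "192.0.2.10", "210410"),
    ("17:50:30", "192.0.2.10", "210380"), ("18:05:00", "192.0.2.20", "210380"),
    ("18:14:50", "192.0.2.10", "210380"),
]] + ["[Mon Sep 19 18:15:00.000000 2016] [core:notice] [pid 1] unrelated line"]
EVENTS = [e for e in map(parse_line, SAMPLE_LOG) if e]

if __name__ == "__main__":
    print({c: dict(rule_breakdown(EVENTS, c)) for c in would_block(EVENTS)})
```

A client whose hits all come from one rule on one URI, such as the forum's /ajax.php, points to a false positive on that form rather than to hostile traffic.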