Installed CWAF on cPanel. Installation went smoothly; however, I’m seeing most rules being logged in modsec_audit.log, but the requests are not being denied. For example, when I perform a test on the rule:
[client xxxxxxxxxx] mod_security: Blocked , [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:text_message' '(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')'] [ID "211580"] [Msg "COMODO WAF: SQL Injection Attack"] [severity "CRITICAL"] [MatchedString "b AND 1=1"]
Note how it says “Blocked” here. I didn’t receive a 403 error but it seems the request went through just fine.
On the other hand, certain rules are triggering ‘Deny’ rules and a 403 error, such as:
[client 199.15.233.140] mod_security: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new)\.php'] [ID "220830"] [Msg "COMODO WAF: Blocking XSS attack"] [severity "WARNING"] [MatchedString "/wp-comments-post.php"]
Why are some working and others not? Is there a problem with the default action and LiteSpeed?
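To find out which rule IDs are only ever logged as "Blocked" and which are denied with a status code, the log lines can be tallied per rule. The script below is an added example, not part of the original post and not CWAF or LiteSpeed code; it assumes the line layout quoted above, and its sample lines are constructed with shortened rule patterns.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the two entries quoted in the post
# (rule patterns shortened; client addresses are documentation IPs).
SAMPLE_LOG = r"""
[client 192.0.2.10] mod_security: Blocked , [Rule: 'ARGS' '(?i)\band\b'] [ID "211580"] [Msg "COMODO WAF: SQL Injection Attack"] [severity "CRITICAL"] [MatchedString "b AND 1=1"]
[client 192.0.2.11] mod_security: Access denied with code 403, [Rule: 'Request_URI' '(media|post|post_new)\.php'] [ID "220830"] [Msg "COMODO WAF: Blocking XSS attack"] [severity "WARNING"] [MatchedString "/wp-comments-post.php"]
[client 192.0.2.10] mod_security: Blocked , [Rule: 'ARGS' '(?i)\band\b'] [ID "211580"] [Msg "COMODO WAF: SQL Injection Attack"] [severity "CRITICAL"] [MatchedString "x and 2=2"]
"""

# The action text sits between "mod_security:" and the "[Rule:" field.
ACTION_RE = re.compile(r"mod_security:\s*(?P<action>.*?)\s*,\s*\[Rule:")
# Trailing fields have the form [Name "value"].
FIELD_RE = re.compile(r'\[(ID|Msg|severity|MatchedString) "([^"]*)"\]')
STATUS_RE = re.compile(r"Access denied with code (\d{3})")

def parse_line(line):
    """Return the fields of one mod_security log line, or None if it does not match."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    status = STATUS_RE.search(m.group("action"))
    return {
        "action": m.group("action"),
        "status": int(status.group(1)) if status else None,
        "id": fields.get("ID"),
        "msg": fields.get("Msg"),
        "severity": fields.get("severity"),
        "matched": fields.get("MatchedString"),
    }

def summarize(log_text):
    """Map each rule ID to a count of the action strings logged for it."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"]:
            counts[rec["id"]][rec["action"]] += 1
    return {rid: dict(c) for rid, c in counts.items()}

def rules_without_deny(summary):
    """Rule IDs that never appear with an 'Access denied with code NNN' action."""
    return sorted(rid for rid, actions in summary.items()
                  if not any(STATUS_RE.search(a) for a in actions))

if __name__ == "__main__":
    print(rules_without_deny(summarize(SAMPLE_LOG)))
```

Running it over the real error log gives the list of rule IDs whose action to review in the rule files.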