OFF rules still processed but not blocked?

Current rules version 1.18
CWAF plugin version 1.10

I have bruteforce rules turned off (default). But my /usr/local/apache/logs/modsec_audit.log and /usr/local/apache/logs/error_log clearly have entries where these rules are matched, below are two examples:

error_log:[Sun Sep 14 14:19:35 2014] [error] [client 113.206.168.241] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 113.206.168.241 (1 hits since last alert)"] [hostname "xxx.com"] [uri "/wp-login.php"] [unique_id "VBXcN0CDSo4AAHVgcdoAAAAW"]

modsec_audit.log-20140914:Message: Warning. Operator GE matched 2 at IP:brute_force_burst_counter. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "80"] [id "230007"] [msg "COMODO WAF: Potential Brute Force Attack from 199.48.161.87 - # of Request Bursts: 2"]

Are these rules active when their status is OFF in WAF?

The reason I’m even poking around is because I have my own, low-impact login protection for wp-login.php and would like WAF to skip these rules. But as it turned out these rules are already off, yet they seem not to be off. I’ve seen a load increase since I started using WAF and I believe it is due to the more server-intensive mod_security handling the brute-force wp-login.php attacks rather than letting them pass through to my less taxing countermeasures.

So, does the OFF status mean WAF still finds and matches the rule, but simply doesn’t block the request / IP? I am confused. :)

Thanks
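As an added example (not from the original thread and not Comodo's CWAF code), the following Python script pulls the rule id, the matched file/line and the action out of ModSecurity error_log and modsec_audit.log entries like the two quoted above, then compares them against a rule-exclusion file such as the zzz_exclude_global.conf mentioned later in the thread. It assumes the exclusion file uses the standard ModSecurity `SecRuleRemoveById` directive (the thread never shows the file's contents). The log lines and the exclusion file below are constructed from the post; the third log line with id 210001 is hypothetical and is there only to show a rule that is not excluded.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample log lines modelled on the two entries quoted in the post
# (the grep "error_log:" / "modsec_audit.log-20140914:" prefixes stripped).
SAMPLE_LOG_LINES: List[str] = [
    '[Sun Sep 14 14:19:35 2014] [error] [client 113.206.168.241] ModSecurity: '
    'Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. '
    '[file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] '
    '[msg "COMODO WAF: Brute Force Attack Identified from 113.206.168.241 (1 hits since last alert)"] '
    '[hostname "xxx.com"] [uri "/wp-login.php"] [unique_id "VBXcN0CDSo4AAHVgcdoAAAAW"]',
    'Message: Warning. Operator GE matched 2 at IP:brute_force_burst_counter. '
    '[file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "80"] [id "230007"] '
    '[msg "COMODO WAF: Potential Brute Force Attack from 199.48.161.87 - # of Request Bursts: 2"]',
    # Hypothetical, constructed entry for a rule that is NOT excluded.
    'Message: Warning. Pattern match "foo" at ARGS:q. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] '
    '[line "12"] [id "210001"] [msg "COMODO WAF: hypothetical example rule"]',
]

# Constructed stand-in for an exclusion file; assumes SecRuleRemoveById syntax.
SAMPLE_EXCLUDE_CONF = """
# exclude the brute-force rules reported in the thread
SecRuleRemoveById 230000 230007
"""

# ModSecurity writes each field as [name "value"]; values never contain '"'.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
ID_RANGE_RE = re.compile(r'^(\d+)(?:-(\d+))?$')


def parse_excluded_ids(conf_text: str) -> Set[int]:
    """Collect rule ids removed by SecRuleRemoveById (single ids or N-M ranges)."""
    excluded: Set[int] = set()
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != 'secruleremovebyid':
            continue
        for token in parts[1:]:
            m = ID_RANGE_RE.match(token)
            if not m:
                continue
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            excluded.update(range(lo, hi + 1))
    return excluded


def parse_modsec_event(line: str) -> Optional[Dict[str, object]]:
    """Extract the rule id and context from one error_log / audit log line.

    'blocked' is True only for "Access denied" entries; a "Warning." entry
    means the rule matched but only logged (detection without blocking).
    """
    fields = dict(KV_RE.findall(line))
    if 'id' not in fields:
        return None
    return {
        'id': int(fields['id']),
        'file': fields.get('file'),
        'line': fields.get('line'),
        'msg': fields.get('msg'),
        'uri': fields.get('uri'),
        'blocked': 'Access denied' in line,
    }


def find_exclusion_violations(log_lines: List[str], excluded_ids: Set[int]) -> List[Dict[str, object]]:
    """Return events for rules that are supposedly excluded but still appear in the logs."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        ev = parse_modsec_event(line)
        if ev is not None and ev['id'] in excluded_ids:
            hits.append(ev)
    return hits


if __name__ == '__main__':
    excluded = parse_excluded_ids(SAMPLE_EXCLUDE_CONF)
    for ev in find_exclusion_violations(SAMPLE_LOG_LINES, excluded):
        action = 'BLOCKED' if ev['blocked'] else 'logged only'
        print(f"rule {ev['id']} ({ev['file']}:{ev['line']}) still fired: {action} - {ev['msg']}")
```

Run it against the real files with `parse_excluded_ids(open('/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf').read())` and the lines of error_log or modsec_audit.log: any excluded id that still appears after an Apache restart means the exclusion has not taken effect, regardless of whether the entry says "Access denied" or only "Warning.".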

Please see your PM.
We’ve sent a request.

We’ve seen your config files. They are correct. I suppose the problem is that a directive is used in the conf file with the excluded rules. Please see the following link.
http://www.helicontech.com/isapi_rewrite/doc/LocationMatch.htm

I don’t understand your response. I did not hand edit any of the conf files, all changes were done through the CWAF cPanel interface. If there is an issue with a directive then please explain what that issue is.

Again, why are rules that are OFF showing up in log files?

Thank you.

Thanks a lot for your bug report.
We’ve checked and found that these rules are not excluded.
You can just rename /var/cpanel/cwaf/rules/cwaf_06.conf to /var/cpanel/cwaf/rules/cwaf_06.conf.sav and restart your web server.
We’ll try to find a solution before the next update.

Thank you

Hello

This issue is not solved, we are waiting for a solution, but there are false positives with the 230000 and 230007 rules in Joomla.
When will this issue be solved?

Thank you

Hello.
We’ve fixed the bug with rule exclusion, so you can exclude any rules with the false positives you mentioned.

Hello

I have been using the exclusion section, but with the 230000 and 230007 rules it is not working and I don’t know why.
Please, see my screenshots.

Comodo Waf

http://i57.tinypic.com/r0tn2r.png

Mod_security

http://i62.tinypic.com/205cayp.jpg

Thank you

Please send me your /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf in a PM.

Ok, PM sent…

We checked our test server with your exclude list and found that all rules are blocked. Could you submit a ticket here (Submit a ticket - Powered by Kayako Help Desk Software) and give us SSH access to your server?