Rule 210230 - Severity critical but never blocked

I am getting numerous hits from the same IP address that trigger this rule on multiple sites on my VPS. CWAF says Severity is CRITICAL, but the connection is still allowed (200). What do I do to make this trigger a block instead of allowing the connection?

At this point you can change rule

SecAction \
	"id:'210025', \
	phase:1, \
	pass, \
	setvar:tx.points_blocking=off, setvar:tx.process_response=off, \
	nolog, \
	t:none"

to set tx.points_blocking=on or write your own. Additionally, you must be sure that the “Incoming” rules group is enabled.

Where would I find this to change it? The rules are installed in WHM and I don’t have any place to “edit” the existing rules.

You can find cwaf_01.conf manually

The rule in question reads as follows…nothing like your example, so I have no idea what needs to be changed to make it block.

SecRule REQBODY_ERROR "!@eq 0" \
	"id:210230, \
	msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.', \
	phase:2, \
	severity:2, \
	pass, \
	setvar:tx.points=+%{tx.points_limit4}, \
	logdata:'%{REQBODY_ERROR_MSG}', \
	t:none"

I completely understood your question. The reason why you have to modify 210025 instead of 210230 is that the rule 210230 can’t block, it only increases the transaction points to critical level. But the blocking of this issue is disabled by default in rule 210025.

Understood. When I make that change, just “off” to “on”…Apache will no longer start. Is there anything special I need to do other than upload the changed file and restart Apache?

It should start. Can you post the error that Apache is giving?
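A minimal ModSecurity sketch of how the two rules interact, added here as an example and not taken from the thread or from the Comodo rule set: rule 210230 (as posted above) only adds points, so a deny can only come from a separate threshold rule that is gated on tx.points_blocking. The threshold variable tx.points_limit and the rule id 900999 are assumptions/placeholders, and the whole block uses straight ASCII quotes, which ModSecurity requires.

```apache
# Added example (not from the thread or the Comodo rule set).
# tx.points_limit and id 900999 are placeholders/assumptions.

# 210025 with points-based blocking switched ON. With the shipped value
# "off", rule 210230 can raise tx.points to a critical level and the
# request is still answered with 200, because nothing ever denies on points.
SecAction \
    "id:210025, \
    phase:1, \
    pass, \
    setvar:tx.points_blocking=on, setvar:tx.process_response=off, \
    nolog, \
    t:none"

# Rule 210230 runs in phase:2 and executes
#   setvar:tx.points=+%{tx.points_limit4}
# with action "pass": it scores the request but never blocks it.

# Assumed threshold rule: deny in phase:2 only when blocking is enabled
# AND the accumulated points reach the limit. The chained second rule
# must match as well, otherwise no action is taken.
SecRule TX:POINTS_BLOCKING "@streq on" \
    "id:900999, \
    phase:2, \
    deny, \
    status:403, \
    log, \
    msg:'Transaction points reached the blocking threshold', \
    chain"
    SecRule TX:POINTS "@ge %{tx.points_limit}"
```

Curly quotes copied from a web page into cwaf_01.conf are a common cause of Apache refusing to start after such an edit, so check the file for them before looking further.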