rule 218500 not found?

A client keeps getting blocked, but when I search for this rule none are found.

csf.deny: 176.xxx.xxx.xxx # lfd: (mod_security) mod_security (id:218500) triggered by 176.xxx.xxx.xxx : 5 in the last 3600 secs - Thu Nov 5 11:19:04 2015

Hi

Can you please provide us with additional info:

  • Your OS type and version
  • Web server type and version
  • Web management panel if any (cPanel, Plesk, DirectAdmin etc)
  • How CWAF rules are installed (Plugin, vendor)
  • Version of CWAF rules

Thank you in advance.

Regards, Oleg

Hi

CloudLinux 6.7
LiteSpeed 5.0.7
cPanel/WHM 11.52.0 (build 21)
Current rules version 1.52 (Latest version)
CWAF plugin version 2.13

Not sure what you mean about “How CWAF rules are installed (Plugin, vendor)”. We are only using Comodo and I think it's all the default rules.

Could you provide the audit log of these events so we would be able to analyze that issue?

Thank you for the info provided.
If you provide us the audit log we can fix false positives for this rule.

About rule disabling:
Are you trying to search the rule by id in the CWAF Plugin?
I installed the same config and found the rule in Category: SQL, Group: SQLi.

Screenshots are attached.

Regards, Oleg

[attachment deleted by admin]

Hi, yes I'm trying through the CWAF plugin but it just says error no rule found… Why is it not showing in the interface?

And I believe this is the audit log:

--69cf2872-A--
[05/Nov/2015:09:57:41 +0000] - 176.251.121.34 51779 80.84.52.154:80 80
--69cf2872-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.telfordtherapynetwork.com
Connection: keep-alive
Content-Length: 2464
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www.telfordtherapynetwork.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.telfordtherapynetwork.com/wp-admin/admin.php?page=tablepress&action=edit&table_id=53
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_b84ce868ddb12b5eef3a59ee8e85dbc8=telfordtherapynetwork%7C1446890142%7CioUAJYYuYYYCb8xYcVWGJG7VhKO9CfS2CZT7kGzunsD%7C85d37eae33eb2db96395df2c41e3cf60f66c7e719d3e31d0dd2cbe6c7b016713; wp-settings-4=align%3Dcenter%26galcols%3D1%26galord%3Dtitle%26urlbutton%3Dnone%26wplink%3D1%26hidetb%3D1%26editor%3Dtinymce%26ngg_upload_resize%3D1%26libraryContent%3Dbrowse%26imgsize%3Dthumbnail%26mfold%3Do%26advImgDetails%3Dshow; wp-settings-time-4=1442322011; _pk_ref.56.580d=%5B%22%22%2C%22%22%2C1446712908%2C%22http%3A%2F%2Fwww.youreiki.co.uk%2F%22%5D; _pk_id.56.580d=f6251585089ee075.1433765964.57.1446712911.1446712908.; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b84ce868ddb12b5eef3a59ee8e85dbc8=telfordtherapynetwork%7C1446890142%7CioUAJYYuYYYCb8xYcVWGJG7VhKO9CfS2CZT7kGzunsD%7Ccc300a371a9c8afa920c994f7cfd2b26a9e5ec3ffb7e38684ae47a929c0d298d

--69cf2872-F--
HTTP/1.1 403 Forbidden

--69cf2872-H--
Message: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:text_message|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/pk_ref/' '@rx [[]"',().]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:d+'|(?:select|and|or)\s+(?:(?:pg)?sleep(\d+)|\d+\s=\s*(?:dbms_pipe.receive_message((?:chr(\d+)(?:\s*||\s*)?),\d+)|(select\s+\d+\s+from\s+pg_sleep(\d+)))))(?:\s(?:and|or)\s+(?(?:(\d{4})=\1|'(\w{4})'='\2|'%'=')|--\s*\w*|#)$|(select\s*(case\s+when\s*(\d+\s*=\s*\d+)\s+then\s+\d+\s+else\s+(?:0x[\0-9a-h]+|\d+)\s+end))|(?:(?:and|or)\s+(?'?(?:\w{1,4}|%)'?)?(?:=|<|>)(?'?\w{0,4}'?)?|order\s+by\s+\d+)(?:#|--\s*\w{0,4})?$'] [id "218500"] [msg "COMODO WAF: SQLmap attack detected"] [severity "CRITICAL"] [MatchedString "[["november","usui reiki training - all levels"],["mon 23rd\n\n7:00 - 9:00pm ","wellington"],["<a href="http://www.telfordtherapynetwork.com/wp-content/uploads/2015/07/jayne-small.jpg\"><img src="http://www.telfordtherapynetwork.com/wp-content/uploads/2015/07/jayne-small-150x150.jpg\" alt="jayne small" width="150" height="150" class="aligncenter size-thumbnail wp-image-1567" />","courses are structured, methodical and one to one. delivered over a period of time to assimilate learning and verified by the uk reiki federation, meet national standards and the core curriculum for reiki. acceptd by the cnhc for inclusion onto the national register of practitioners. training at all levels is available and in other forms of reiki, such as angelic and crystal reiki and more. please visit the website, call or e-mail for further details. free training inductions are available, with no obligation, to help you make an informed decision about your reiki journey."],["(from) £295","<a href="http://www.youreiki.co.uk/\" target="_blank">contact jayne"],["",""]]"]
--69cf2872-Z--

Thank you for the audit log.

About the rule not being found:
This can be because of a broken rules cache.
To fix it please delete (or move to a different location) the following files, located in /var/cpanel/cwaf/tmp/CACHE:
categories.cache children.cache groups.cache rules.cache

After that please run the CLI script to fill the cache files with new values:

# /var/cpanel/cwaf/scripts/cwaf-cli.pl -xa 218500

If this does not help to restore rule 218500, just add this to /var/cpanel/cwaf/etc/httpd/custom_user.conf to turn it off:

SecRuleRemoveById 218500

Best regards, Oleg
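An added example for triaging this kind of block, not code from the thread or from CWAF, Comodo or cPanel. It splits a ModSecurity serial audit log of the form pasted above into transactions, pulls the client, request line, host, rule id and message out of each, counts hits per rule and path, parses the lfd reason string that csf.deny carries, and renders a per-path exclusion (a `ctl:ruleRemoveById` inside a `SecRule`) as a narrower alternative to the global `SecRuleRemoveById 218500` suggested in the last reply. The two sample audit-log entries, the csf.deny line, the 192.0.2.x/198.51.100.x addresses, www.example.com, the `action=example_save` query and the marker rule id 90001 are constructed for the example and are assumptions; rule id 218500 and its message are the ones from the thread.

```python
"""Triage helper for lfd/csf blocks caused by ModSecurity (CWAF) rule hits.

Added example for this thread; not CWAF, Comodo or cPanel code. Reads the
serial audit-log format from the thread (--<txid>-<section>-- markers) and
the csf.deny reason lfd writes. All sample data below is constructed.
"""
import re
from collections import Counter

# One "--txid-X--" marker per line; X is the section letter (A, B, F, H, Z, ...)
BOUNDARY = re.compile(r"^--([0-9A-Fa-f]+)-([A-Z])--[ \t]*$", re.M)
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')
REQ_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d", re.M)
HOST_HDR = re.compile(r"^Host:\s*(\S+)", re.M | re.I)
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
CLIENT = re.compile(r"^\[[^\]]+\]\s+\S+\s+(\d+(?:\.\d+){3})\s+\d+", re.M)
# csf.deny comment written by lfd for mod_security triggers (format from the thread)
LFD_REASON = re.compile(r"\(id:(\d+)\) triggered by (\S+) : (\d+) in the last (\d+) secs")


def parse_audit_log(text):
    """Split a serial audit log into {txid: {section_letter: body}}."""
    parts = BOUNDARY.split(text)  # [prefix, txid, letter, body, txid, letter, body, ...]
    transactions = {}
    for i in range(1, len(parts), 3):
        txid, letter, body = parts[i], parts[i + 1], parts[i + 2]
        transactions.setdefault(txid, {})[letter] = body.strip()
    return transactions


def summarize(transactions):
    """Extract client, request line, host and rule hits from each transaction."""
    rows = []
    for txid, sections in transactions.items():
        a, b, h = sections.get("A", ""), sections.get("B", ""), sections.get("H", "")
        client, req, host = CLIENT.search(a), REQ_LINE.search(b), HOST_HDR.search(b)
        rows.append({
            "txid": txid,
            "client": client.group(1) if client else None,
            "method": req.group(1) if req else None,
            "uri": req.group(2) if req else None,
            "host": host.group(1) if host else None,
            "rule_ids": RULE_ID.findall(h),
            "msgs": RULE_MSG.findall(h),
        })
    return rows


def hits_per_rule(rows):
    """Count (rule_id, path) pairs; the path is the URI without its query string."""
    counts = Counter()
    for row in rows:
        path = (row["uri"] or "").split("?", 1)[0]
        for rule_id in row["rule_ids"]:
            counts[(rule_id, path)] += 1
    return counts


def parse_lfd_reason(line):
    """Pull rule id, client, hit count and window out of an lfd mod_security deny line."""
    m = LFD_REASON.search(line)
    if not m:
        return None
    return {"rule_id": m.group(1), "client": m.group(2),
            "hits": int(m.group(3)), "window_secs": int(m.group(4))}


def scoped_exclusion(rule_id, path_prefix, marker_id):
    """Render a ModSecurity 2.x rule that removes one rule id only for requests
    under path_prefix. It runs in phase 1 so the ctl action takes effect before
    the request-body rules of phase 2; marker_id must be an unused local rule id."""
    return (f'SecRule REQUEST_URI "@beginsWith {path_prefix}" '
            f'"id:{marker_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


# Constructed sample: two blocked admin-ajax.php POSTs from one client, modelled
# on the thread's entry but with placeholder addresses and a trimmed rule string.
SAMPLE_AUDIT_LOG = r"""--aaaa0001-A--
[05/Nov/2015:09:57:41 +0000] - 192.0.2.10 51779 198.51.100.5:80 80
--aaaa0001-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

--aaaa0001-F--
HTTP/1.1 403 Forbidden

--aaaa0001-H--
Message: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES' '@rx order\s+by\s+\d{1,4}'] [id "218500"] [msg "COMODO WAF: SQLmap attack detected"] [severity "CRITICAL"]
--aaaa0001-Z--

--aaaa0002-A--
[05/Nov/2015:10:02:13 +0000] - 192.0.2.10 51802 198.51.100.5:80 80
--aaaa0002-B--
POST /wp-admin/admin-ajax.php?action=example_save HTTP/1.1
Host: www.example.com

--aaaa0002-H--
Message: Access denied with code 403, [id "218500"] [msg "COMODO WAF: SQLmap attack detected"] [severity "CRITICAL"]
--aaaa0002-Z--
"""
# Constructed csf.deny line in the format quoted at the top of the thread.
SAMPLE_CSF_DENY_LINE = ("192.0.2.10 # lfd: (mod_security) mod_security (id:218500) triggered by "
                        "192.0.2.10 : 5 in the last 3600 secs - Thu Nov  5 11:19:04 2015")

if __name__ == "__main__":
    rows = summarize(parse_audit_log(SAMPLE_AUDIT_LOG))
    for (rule_id, path), n in hits_per_rule(rows).most_common():
        print(f"rule {rule_id}: {n} hit(s) on {path}")
    print(parse_lfd_reason(SAMPLE_CSF_DENY_LINE))
    print(scoped_exclusion("218500", "/wp-admin/admin-ajax.php", 90001))
```

The hit counter makes the lfd threshold in the csf.deny line ("5 in the last 3600 secs") visible against the real traffic: in the thread the matched string is TablePress table content saved from the WordPress admin, so one editor saving a table a few times is enough to get the office IP blocked. The rendered exclusion turns rule 218500 off only for /wp-admin/admin-ajax.php and leaves it active on the public site, whereas `SecRuleRemoveById 218500` disables it everywhere; the exclusion has to run in a phase earlier than the rule it removes, which is why it is written as phase 1.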