Rule can't be disabled

Hi,

We have a DirectAdmin server, mod_sec and the comodo rules installed through custombuild on command line, we’re using CWAF 2.17 and rules 1.77.

We have an application on the server (Moodle) which is triggering SQL rule 211540. We wanted to disable this rule on this domain, so using the “Catalog” tab in the CWAF plugin we found the domain and the rule, disabled it and applied the changes. However, the logs say that this rule 211540 is still being triggered.

We then changed the global config to remove that rule … logs still say it's being triggered.

We then disabled every category using the CWAF plugin, and the rule is still being triggered.

/usr/local/cwaf/etc/httpd/global/zzz_exclude_global.conf contains a line SecRuleRemoveById which lists the rule id, amongst a few others.

I don’t want to uninstall the rule set or mod security. Has anyone got any ideas where I could troubleshoot?

The URL doesn’t get blocked every time it's requested: if you load the page and refresh, around 1 in every 2 requests gets a 403, the other loads fine.

This is the entry in the log:
20160524-012123-V0Oeg1vu0QkAAA3XT4kAAAAB:Message: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …" at ARGS_NAMES:rownum. [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: rownum found within ARGS_NAMES:rownum: rownum"] [severity "CRITICAL"]

The URL being accessed is:
http://[domain]/mod/assign/view.php?id=42&rownum=0&action=grade&useridlistid=57439e512869a051383325

Any assistance would be most appreciated.

Thanks
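The log entry above shows that 211540 matched on the parameter name (ARGS_NAMES:rownum), not on a value, so the rule can be kept while that one target is excluded. The following Apache/ModSecurity fragment is an added example and is not code from the thread, from DirectAdmin or from the CWAF rule set. It assumes the fragment is loaded after /usr/local/cwaf/rules/23_SQL_SQLi.conf (rule removals and target updates only affect rules that are already defined, which is why CWAF's own exclusion file carries a zzz_ prefix), that it sits inside the <VirtualHost> for the Moodle domain, and that local rule id 99001 is unused (ModSecurity reserves ids 1 to 99,999 for local rules).

```apache
# Added example (not from the thread, DirectAdmin or CWAF).
# Goal: stop rule 211540 firing on Moodle's legitimate "rownum" parameter
# without switching the Blind SQL Injection check off for the whole server.
#
# Assumptions: this file is read AFTER 23_SQL_SQLi.conf, it is placed in
# the <VirtualHost> of the Moodle domain, and rule id 99001 is free.

<IfModule security2_module>
    # Option A: narrowest scope. Only on the assignment grading page, and
    # only for that one argument. The ctl action changes rule 211540 for
    # this transaction alone; every other parameter and URL keeps the
    # full check. Phase 1 runs before 211540 (phase 2), so it is in time.
    SecRule REQUEST_URI "@beginsWith /mod/assign/view.php" \
        "id:99001,\
        phase:1,\
        pass,\
        nolog,\
        t:none,\
        ctl:ruleRemoveTargetById=211540;ARGS_NAMES:rownum"

    # Option B: persistent exclusion of that one target from rule 211540
    # for every request this config context applies to. Use instead of A
    # if the parameter appears on many Moodle pages.
    # SecRuleUpdateTargetById 211540 "!ARGS_NAMES:rownum"

    # Option C (what the thread did): drop the rule entirely for this
    # context. Widest effect, so prefer A or B.
    # SecRuleRemoveById 211540
</IfModule>
```

Check the syntax with `httpd -t` (or `apachectl configtest`) before reloading, and then confirm the running server actually picked the change up: as the thread goes on to show, a graceful restart may leave workers serving the old configuration, which matches the intermittent 403s described above. If the 403 persists after a full stop and start, re-read the audit log entry: the [id] and the target named in [data] must be exactly what the exclusion references.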

I think we may have just answered this for ourselves.

It appears that neither the CWAF plugin, nor DirectAdmin, nor “/sbin/service httpd restart” made Apache restart using the updated config.

“killall httpd”, then “/sbin/service httpd restart” appears to have made it load the new config, and the rule we wanted disabled appears to now not get triggered.

I reproduced the rule-exclusion issue in the same environment and got a positive result without a manual web-server restart.

I’m not exactly sure what the cause is here, but I think it may be related to the graceful-restart default in CentOS 7+.

See: Option for graceful restart for apache

At the bottom it says that graceful is the default with systemd. I wonder if the graceful restart is not reloading the rules for some reason.

I was rather confused by it, and since then I’ve disabled a rule on another server (CentOS 6 this time) and it's worked perfectly without manual restarts.