Hi,
We have a DirectAdmin server with mod_security and the Comodo rules installed through custombuild on the command line; we’re using CWAF 2.17 and rules 1.77.
We have an application on the server (Moodle) which is triggering SQL rule 211540. We wanted to disable this rule on this domain, so using the “Catalog” tab in the CWAF plugin we found the domain and the rule, disabled it and applied the changes. However, the logs say that this rule 211540 is still being triggered.
We then changed the global config to remove that rule … the logs still say it’s being triggered.
We then disabled every category using the CWAF plugin, and the rule is still being triggered.
/usr/local/cwaf/etc/httpd/global/zzz_exclude_global.conf contains a line SecRuleRemoveById which lists the rule id, amongst a few others.
I don’t want to uninstall the rule set or mod_security. Has anyone got any ideas where I could troubleshoot?
The URL doesn’t get blocked every time it’s requested: if you load the page and refresh, around 1 in every 2 requests gets a 403 and the other loads fine.
This is the entry in the log:
20160524-012123-V0Oeg1vu0QkAAA3XT4kAAAAB:Message: Access denied with code 403 (phase 2). Pattern match "(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …" at ARGS_NAMES:rownum. [file "/usr/local/cwaf/rules/23_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "5"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: rownum found within ARGS_NAMES:rownum: rownum"] [severity "CRITICAL"]
The URL being accessed is:
http://[domain]/mod/assign/view.php?id=42&rownum=0&action=grade&useridlistid=57439e512869a051383325
Any assistance would be most appreciated.
Thanks
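As an added illustration (not part of the original post or of the CWAF rule set), here is how the same exclusion can be written in ModSecurity 2.x so that only the Moodle grading page's "rownum" parameter name is exempted, rather than removing rule 211540 for every site on the server. It assumes the rule is loaded from /usr/local/cwaf/rules/23_SQL_SQLi.conf as the log entry shows, that this snippet is included after that file, and that Moodle is served from the document root; the rule id 10001 is a constructed local id.

```apache
# Added example: scoped exclusion for CWAF rule 211540 on the Moodle
# grading page. Not the post author's configuration.
# Assumptions: 23_SQL_SQLi.conf (which defines id 211540) has already
# been loaded when this file is read; Moodle lives at the document root.

# Option 1 (narrowest): keep rule 211540 active, but stop it inspecting
# the parameter *name* "rownum". SecRuleUpdateTargetById must come after
# the rule it modifies, or Apache refuses to start with an unknown-id error.
SecRuleUpdateTargetById 211540 "!ARGS_NAMES:rownum"

# Option 2: apply the same target exclusion only for the Moodle grading
# page, decided per request. This runs in phase 1, before the SQLi rule
# fires in phase 2, so the ctl action is in effect when 211540 is evaluated.
# id 10001 is a constructed local id (1-99,999 is reserved for local rules).
SecRule REQUEST_FILENAME "@streq /mod/assign/view.php" \
    "id:10001,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=211540;ARGS_NAMES:rownum"

# For comparison, what a global exclusion file does: removes the rule for
# every vhost and every URL, so it no longer protects anything.
# SecRuleRemoveById 211540
```

After a change, run the configuration test and restart (not just reload) httpd, then confirm in the audit log that the [id "211540"] entry no longer appears for this URL; an exclusion that is read before the rule definition, or that sits in a vhost that does not include the file, leaves the rule active.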