Wrong rule set?

I’m using CWAF as a modsec vendor in cPanel for quite a while now using the following:


Now in about the past ~24 hours I’m seeing some general weirdness.

Looking into the issue, I’ve noticed the following in the logs:

Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Nginx.

I’m using Apache, not NGINX in any way, so I would think there should be no reason to be seeing that.

Looking at the rule set file “00_Init_Initialization.conf” I also see:

SecComponentSignature “CWAF_Nginx”

Was there a mixup on your end and the update issued the Apache rule set using the rule set for NGINX instead of Apache?

I manually downloaded the rule set for Apache and the file “00_Init_Initialization.conf” has the following:

SecComponentSignature “CWAF_Apache”

So the ModSecurity vendor rule set being automatically downloaded in cPanel is obviously the wrong one.

Any help on this?

I was able to fix this by deleting the modsec vendor in cPanel and re-adding it.

Hello snewtonge. We couldn’t reproduce this event. Looks like you installed cwaf client on nginx and after that switched webserver to apache.
Please provide version of Apache, cPanel and cwaf client.

Nope. Never had NGINX and as I mentioned in my original post, I am using Comodo as a ModSecurity vendor in cPanel, not the CWAF client.

I have been using the same configuration for over a year without issue. It seems to have begun with update to Version 1.160

It’s like someone at Comodo accidentally copied the new 1.160 NGINX rule set to the Apache set instead of the NGINX rule set and my servers all downloaded it before the mistake was noticed on your end and corrected.

So the only thing I could do was remove the ModSecurity vendor in cPanel and re-add it to update the rule set to the correct one.

If issue not solved with client reinstallation then please create ticket on
in WAFs section with link on this topic for elevation of priority of this issue.

On 6 servers running cpanel with apache (NO nginx) and updates through WHM (no CWAF client) we see the same problem.

-rw-r–r-- 1 root root 3149 Apr 23 00:34 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

In the above file we see:
SecComponentSignature “CWAF_Nginx”

Hello Jerry78.
If it possible please share content of /etc/cwaf/main.conf file.

Hi SergeiP, I think you misunderstood Jerry78? None of the people in this thread have CWAF installed- we’ve all installed the COMODO ModSecurity Apache Rule Set as a vendor in WHM (no CWAF client) as per this link: Comodo Help. We don’t have a /etc/cwaf/ directory because the CWAF app isn’t installed.

I can also confirm I’m seeing the exact same issue. I’m running Apache (NO nginx). The top of my /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf reads:

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2018 Comodo Security solutions All rights reserved.
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecComponentSignature "CWAF_Nginx"

Note the SecComponentSignature “CWAF_Nginx”

It seems like someone uploaded the wrong files when they updated https://waf.comodo.com/doc/meta_comodo_apache.yaml ?

We updated file meta_comodo_apache.yaml. Please verify did that help. Thank you.

Thanks! Just removed and re-added the rules and they seem to be the correct files now. Will let you know if there are any problems.

After yesterdays update it broke again! :-TD

-rw-r–r-- 1 root root 3149 May 2 17:06 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

The file show AGAIN: SecComponentSignature “CWAF_Nginx”

meta_comodo_apache.yaml updated. Sorry for inconvenience.