Wrong rule set?

I’ve been using CWAF as a modsec vendor in cPanel for quite a while now, using the following:

https://waf.comodo.com/doc/meta_comodo_apache.yaml

Now in about the past ~24 hours I’m seeing some general weirdness.

Looking into the issue, I’ve noticed the following in the logs:

Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Nginx.

I’m using Apache, not NGINX in any way, so I would think there should be no reason to be seeing that.

Looking at the rule set file “00_Init_Initialization.conf” I also see:

SecComponentSignature "CWAF_Nginx"

Was there a mixup on your end and the update issued the Apache rule set using the rule set for NGINX instead of Apache?

I manually downloaded the rule set for Apache and the file “00_Init_Initialization.conf” has the following:

SecComponentSignature "CWAF_Apache"

So the ModSecurity vendor rule set being automatically downloaded in cPanel is obviously the wrong one.

Any help on this?

I was able to fix this by deleting the modsec vendor in cPanel and re-adding it.

Hello snewtonge. We couldn’t reproduce this event. It looks like you installed the cwaf client on nginx and after that switched the webserver to apache.
Please provide the versions of Apache, cPanel and the cwaf client.

Nope. Never had NGINX and as I mentioned in my original post, I am using Comodo as a ModSecurity vendor in cPanel, not the CWAF client.

I have been using the same configuration for over a year without issue. It seems to have begun with the update to Version 1.160.

It’s like someone at Comodo accidentally copied the new 1.160 NGINX rule set to the Apache set instead of the NGINX rule set and my servers all downloaded it before the mistake was noticed on your end and corrected.

So the only thing I could do was remove the ModSecurity vendor in cPanel and re-add it to update the rule set to the correct one.

If the issue is not solved by reinstalling the client, then please create a ticket at
https://support.comodo.com
in the WAFs section, with a link to this topic, to raise the priority of this issue.

On 6 servers running cpanel with apache (NO nginx) and updates through WHM (no CWAF client) we see the same problem.

-rw-r--r-- 1 root root 3149 Apr 23 00:34 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

In the above file we see:
SecComponentSignature "CWAF_Nginx"

Hello Jerry78.
If possible, please share the content of the /etc/cwaf/main.conf file.

Hi SergeiP, I think you misunderstood Jerry78? None of the people in this thread have CWAF installed- we’ve all installed the COMODO ModSecurity Apache Rule Set as a vendor in WHM (no CWAF client) as per this link: Comodo Help. We don’t have a /etc/cwaf/ directory because the CWAF app isn’t installed.

I can also confirm I’m seeing the exact same issue. I’m running Apache (NO nginx). The top of my /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf reads:

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2018 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecComponentSignature "CWAF_Nginx"

Note the SecComponentSignature “CWAF_Nginx”

It seems like someone uploaded the wrong files when they updated https://waf.comodo.com/doc/meta_comodo_apache.yaml ?

We updated the file meta_comodo_apache.yaml. Please verify whether that helped. Thank you.

Thanks! Just removed and re-added the rules and they seem to be the correct files now. Will let you know if there are any problems.

After yesterday’s update it broke again! :-TD

-rw-r--r-- 1 root root 3149 May 2 17:06 /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf

The file shows AGAIN: SecComponentSignature "CWAF_Nginx"

meta_comodo_apache.yaml updated. Sorry for the inconvenience.
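The manual check the posters in this thread ran after each update can be scripted. The following is an added example, not code from any poster or from Comodo: the function names are hypothetical, the file name, directory and signature values are the ones quoted in the thread, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: confirm that a downloaded ModSecurity vendor rule set
# declares the component signature expected for this web server.

# Print the value of the first active (non-comment) SecComponentSignature
# directive in file $1. Prints nothing when the directive is absent.
component_signature() {
    awk 'tolower($1) == "seccomponentsignature" {
             gsub(/"/, "", $2); print $2; exit
         }' "$1"
}

# check_ruleset DIR EXPECTED
# Returns 0 when DIR/00_Init_Initialization.conf declares EXPECTED,
# 1 on a mismatch, 2 when the file cannot be read.
check_ruleset() {
    file="$1/00_Init_Initialization.conf"
    if [ ! -r "$file" ]; then
        echo "UNREADABLE: $file" >&2
        return 2
    fi
    actual=$(component_signature "$file")
    if [ "$actual" = "$2" ]; then
        echo "OK: $file declares $actual"
        return 0
    fi
    echo "MISMATCH: $file declares '${actual:-none}', expected '$2'" >&2
    return 1
}

# On a server laid out like the ones in this thread the call would be:
#   check_ruleset /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache CWAF_Apache

# Demo on a constructed file (not a real Comodo rule set).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample header' \
    'SecComponentSignature "CWAF_Nginx"' \
    > "$demo_dir/00_Init_Initialization.conf"
check_ruleset "$demo_dir" CWAF_Apache \
    || echo "exit status $?: re-sync the vendor before trusting this rule set"
rm -rf "$demo_dir"
```

Run from cron after the vendor update window, a non-zero exit status flags the wrong rule set before it shows up as "general weirdness" in production traffic.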