cPanel ModSecurity False Positives & Missing Data...

[RyanR]

Hi,

My server runs the following ModSecurity Rules:

• Imunify360 LiteSpeed Rule Set (Minimized ModSec Ruleset)
• COMODO ModSecurity LiteSpeed Rule Set

I had to disable the following rule set because it was causing a LOT off false positives within our WordPress websites, to the extent that we couldn't publish any pages

• OWASP ModSecurity Core Rule Set V3.0
• I'd like to be able to re-enable the above ruleset if I could get those false positives fixed with the providers.

I've also had to disable all of the following rules globally:

• 17350
• 210380
• 210492
• 25178
• 28292
• 60050
• 62100

Most of those were because whenever we published pages with Elementor it was throwing 403 errors...

One particular site required the following rules to be disabled because it too was throwing 403 errors when editing pages, this time though it wasn't using Elementor.

• 941100
• 941160

How should I report these false positives, and to who? We'd like to get them resolved so we can have the protection of those rules.

--------------------------------------------------

All of those above false positives threw up notifications from within /usr/local/apache/logs/modsec_audit.log, however most of them did NOT throw up notifications from within the ModSecurity™ Tools "Hits List" page... which made them rather annoying to find and fix.

They do however appear in ConfigServer's Security & Firewall plugin, which was better but not perfect.

How can I make ModSecurity Tools "Hits List" show all of the notifications?

Regards
~ Ryan

 

[cPDavidL]

Hello Ryan,

Ruleset publishers will have contact instructions for issues with false positives.

OWASP ModSecurity Core Rule Set | OWASP Foundation

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

owasp.org

Comodo Help

For Imunify360 rules, contact Imunify360 support

There should not be a situation in which the hits are not listed in the UI. Please use the link in my signature to open a ticket with our staff, so we can investigate that condition further.

 

[RyanR]

Hi,

Did you check your link regarding Comodo? It's for their standalone WAF, not the integrated rulesets within WHM/cPanel. I can't find a report location online without posting to their forums and I would rather not post the contents publically
Thanks

 

[cPRex]

@RyanR - could you make a ticket with our team so we can check that?

 

[RyanR]

@RyanR - could you make a ticket with our team so we can check that?

Hi Rex,

I did submit a ticket and I'm still trying to recreate it because I can't get it to happen again -_-

 

[cPRex]

Just like when you take a car to the mechanic...............

If you could post the ticket number here I can follow along and make sure this thread stays updated.

 

[RyanR]

Just like when you take a car to the mechanic...............

If you could post the ticket number here I can follow along and make sure this thread stays updated.

1. Ticket ID: 94321305

2. Did You/David have a link/resource for submitting to Comodo? I still haven't found one.

3. As for the ModSecurity log issue, it was happening to nearly every single 403 false positive and I was having to search the logs with grep until I found ModSecurity ModSecurity had it's own log reader... I wonder if one of the updates since has fixed it for me.

 

[cPRex]

Thanks for providing that ticket number - I'm following along there in case that has any more updates in the future.

I'm not seeing a specific point of contact for a ModSec issue on their end when I looked just now. However, they do have a thread here that they are actively monitoring that has been open for several years:

False-Positive report thread - Free Modsecurity rules - Comodo Web Application Firewall | Page 20

Please, specify these following fields when you submit False-Positive. 1. False-Positive RuleId 2. Web application + version 3. Request headers or at

forums.comodo.com

An update fixing this is always a possibility I suppose!