Do you recommend any WAF rule for your server?

tyuuu

Well-Known Member
Oct 16, 2005
81
0
156
Hi,

Is Comodo WAF still maintained well? I searched and it seems it has not been maintained for a long time? Because I hope for a rule set with fewer positives/negatives.
And Imunify360 cannot use only the WAF feature.

Thanks
 

ciao70

Well-Known Member
Nov 3, 2006
146
29
178

tyuuu

Hi,

Does OWASP ModSecurity Core Rule Set (CRS) have many positives/negatives for WordPress or other CMS?

Thanks
 

ciao70

Hi,

You can try it so you see how it works. :)

You have the option, in case of problems, to exclude WordPress rules, for example.
 

ITHKBO

Active Member
Jun 23, 2020
28
31
13
Netherlands
cPanel Access Level
Root Administrator
> Hi,
>
> Does OWASP ModSecurity Core Rule Set (CRS) have many positives/negatives for WordPress or other CMS?
>
> Thanks

We disable the following rules for WordPress CMS because of numerous false positives:
949110 General post update issues in conjunction with WP Bakery
941160 General post update issues in conjunction with WP Bakery
941100 General post update issues in conjunction with WP Bakery
980130 Issue with Duplicator backups causing invalid request when downloading files

We haven't had to disable any others for 500+ CMS clients in 6 or so years.
Be sure to check, however, if you have any of these showing up as false positives on your end.
 

tyuuu

Hi,

I tried to install OWASP and connect by IP. The log shows 920350, and I find a lot of connections in the log. Is it normal?

Thanks
 

tyuuu

Hi,

It is "920350: Host header is a numeric IP address" with the following:


Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /img-sys/powered_by_cpanel.svg
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /img-sys/server_misconfigured.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /img-sys/error-bg-left.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /img-sys/server_moved.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /img-sys/IP_changed.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.


Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.






Thanks
 

ciao70

Hi,

It is the function of rule 920350, which signals if you connect to the IP:

SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350,\
    phase:2,\
    block,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.2',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 

tyuuu

Hi,

I know whitelisting/removing that rule will solve my personal issue, but I wonder if some important attack will not be blocked?
 

ciao70

Ah OK.

We have a dedicated server.

If that's a problem for you, in that case you can disable that rule.
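
As an added example (not part of the thread, and not cPanel or CRS code), the Python sketch below applies the regex from rule 920350 to Host values and tallies hit-list entries in the layout pasted earlier in the thread, separating default-page paths from other paths before an exclusion is decided. The sample entries, the path list and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Regex copied from rule 920350 as quoted in the thread; re.ASCII limits \d to 0-9.
NUMERIC_HOST = re.compile(r"^[\d.:]+$", re.ASCII)

# Assumption: paths fetched when a client opens the bare server IP and lands on
# cPanel's default page (taken from the excerpt in the thread).
DEFAULT_PAGE_PATHS = ("/img-sys/", "/cgi-sys/defaultwebpage.cgi", "/favicon.ico")

# Constructed sample in the hit-list layout shown in the thread.
SAMPLE = r"""
Request: GET /img-sys/server_moved.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

Request: POST /wp-login.php
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
"""

def rule_920350_matches(host):
    """True when a Host header value would trigger rule 920350."""
    return NUMERIC_HOST.search(host) is not None

def parse_hits(text):
    """Yield (method, path, tested_variable) per Request/Justification pair."""
    request = None
    for line in map(str.strip, text.splitlines()):
        req = re.match(r"Request:\s+(\S+)\s+(\S+)", line)
        tested = re.match(r"Justification: Test '([^']+)' against", line)
        if req:
            request = req.groups()
        elif tested and request:
            yield (*request, tested.group(1))
            request = None

def triage(text):
    """Count Host-header hits on default-page paths versus other paths."""
    counts = Counter()
    for _method, path, variable in parse_hits(text):
        if variable != "REQUEST_HEADERS:Host":
            counts["other_variable"] += 1
        elif path == "/" or path.startswith(DEFAULT_PAGE_PATHS):
            counts["default_page"] += 1
        else:
            counts["other_path"] += 1
    return counts
```

Entries counted under `default_page` come from clients addressing the server by bare IP; `other_path` entries are the ones to read before deciding on an exclusion.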