ModSec Rules - Update

From HS Syswiki (difference between revisions)
Revision as of 1 June 2017, 13:50


Changelog

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.30.html

Used version in prod: 1.123 (09.05.2017/DNA)

Download

Download from https://waf.comodo.com/user/cwaf_revisions to your workstation, using these credentials:

jezejisy-8475@yopmail.com:testor1234

Copy downloaded files to bkp001

Prepare Rules

All of this is done on bkp001.

1. Go to a temporary (or your own) directory:

mkdir cwaf_rules_<ver>
cd cwaf_rules_<ver>
tar xvzf ../cwaf_rules-<ver>.tgz

2. Comment out the rules with the following IDs in the named files:

01_Global_Generic.conf
210480
210481

02_Global_Agents.conf:
210830
210831

07_XSS_XSS.conf:
212660
212510
212540
212750
213020
212800

26_Apps_Joomla.conf:
220240

32_Apps_OtherApps.conf:
222131
242380

20_Outgoing_FilterInFrame.conf:
214530
214540

21_Outgoing_FiltersEnd.conf:
214940

16_Outgoing_FilterPHP.conf:
214420

29_Apps_WPPlugin.conf:
226680

28_Apps_WordPress.conf:
225030
225031
225110

2. Comment out the rules with the following IDs in the named files (reworked list as of version 1.114):

01_Global_Generic.conf
210480
210481

12_HTTP_Protocol.conf
217250
217270

02_Global_Agents.conf
210831

20_Outgoing_FilterInFrame.conf
214530

24_SQL_SQLi.conf
218540
218550

26_Apps_Joomla.conf
220240
218550

28_Apps_WordPress.conf
225030
225031

32_Apps_OtherApps.conf
222131
242380
220795

08_Global_Other.conf
210580
215090

2. Comment out the rules with the following IDs in the named files (reworked list as of version 1.123):

02_Global_Generic.conf
210480
210481
210681
210682
210685
210686
210687
210688
210691
210692
210693
210695
210696
210698
210760
210761
210762
210763
210765
210767
210771
210772
210773
210775
210776
210777
210778
210779

03_Global_Agents.conf
210831

21_Outgoing_FilterInFrame.conf
214530

26_Apps_Joomla.conf
220240

28_Apps_WordPress.conf
225030
225031

32_Apps_OtherApps.conf
222131
242380
220795

08_XSS_XSS.conf
212000

09_Global_Other.conf
210580
215090

Attention: comment out the whole block together (the chained rules and a <LocationMatch> wrapper belong to it), like this:

#<LocationMatch "/index\.php$">
#SecRule REQUEST_METHOD "@streq POST" \
#   "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
#SecRule ARGS_GET:option "@streq com_media" \
#   "chain"
#SecRule ARGS_GET:task "@rx ^file\.upload$" \
#   "chain"
#SecRule ARGS_GET:tmpl "@streq component" \
#   "chain"
#SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
#   "chain"
#SecRule MULTIPART_FILENAME "@rx \..+\.$"
#</LocationMatch>

or

#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
#   "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"

3. Change the default status code (fail2ban watches for this status code to detect a modsec action):

sed -i 's|status:403|status:510|g' *
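Commenting out whole blocks by hand across several files (step 2) and then rewriting the status code (step 3) is easy to get wrong, so here is an added shell script that does both; it is not part of the wiki page or of the COMODO rule set. It assumes the rule files follow the layout shown above: continuation lines end in a backslash, chained rules carry a "chain" action, and some rules sit inside <LocationMatch>. The function names (comment_rule_block, disable_rules, rewrite_status, check_rule_disabled, write_sample) are chosen here, and the sample file write_sample creates is constructed for the demonstration: the Joomla block from the page, an abridged copy of rule 212660, and a made-up chain with the placeholder id 9990001.

```shell
#!/bin/sh
# Added example, not from the wiki page or the COMODO rule set: disables rules by id
# as whole blocks (step 2) and rewrites the deny status code (step 3).
# Assumed file layout, as in the snippets above: continuation lines end in "\",
# chained rules carry a "chain" action, some rules sit inside <LocationMatch>.

# comment_rule_block FILE ID
# Prefixes every line of the block that carries "id:ID" with "#": the whole
# backslash-continued directive, each chained rule after it, and the enclosing
# <LocationMatch> wrapper when there is one. Returns 1 if no active rule has the id.
comment_rule_block() {
  _file=$1
  _id=$2
  _tmp=$(mktemp)
  if awk -v id="$_id" '
    # a physical line ending in a backslash continues on the next one
    function logical_end(i,  j) { j = i; while (j < n && lines[j] ~ /\\[ \t]*$/) j++; return j }
    { lines[NR] = $0 }
    END {
      n = NR
      target = 0
      for (i = 1; i <= n; i++)
        if (lines[i] !~ /^[ \t]*#/ && lines[i] ~ ("id:" id "[,\"]")) { target = i; break }
      if (!target) exit 1
      # back up to the first physical line of the directive carrying the id
      start = target
      while (start > 1 && lines[start-1] ~ /\\[ \t]*$/) start--
      # a rule with a "chain" action owns the next SecRule, so follow the chain
      s = start
      while (1) {
        e = logical_end(s)
        text = ""
        for (k = s; k <= e; k++) text = text " " lines[k]
        if (text !~ "[,\"]chain[,\"]") break
        s = e + 1
        while (s <= n && lines[s] ~ /^[ \t]*$/) s++
        if (s > n) break
      }
      end = e
      # widen to the enclosing <LocationMatch> container, if any
      p = start - 1
      while (p > 0 && lines[p] ~ /^[ \t]*$/) p--
      if (p > 0 && lines[p] ~ /^[ \t]*<LocationMatch/) {
        start = p
        while (end < n && lines[end] !~ /^[ \t]*<\/LocationMatch>/) end++
      }
      for (i = 1; i <= n; i++) {
        prefix = (i >= start && i <= end && lines[i] !~ /^[ \t]*#/) ? "#" : ""
        print prefix lines[i]
      }
    }' "$_file" > "$_tmp"; then
    mv "$_tmp" "$_file"
  else
    rm -f "$_tmp"
    echo "comment_rule_block: no active rule with id:$_id in $_file" >&2
    return 1
  fi
}

# disable_rules FILE ID...: step 2 for one file and its list of ids
disable_rules() {
  _f=$1; shift
  for _r in "$@"; do comment_rule_block "$_f" "$_r" || return 1; done
}

# rewrite_status FILE...: step 3, fail2ban keys on the status code
rewrite_status() { sed -i 's|status:403|status:510|g' "$@"; }

# check_rule_disabled FILE ID: succeeds when no uncommented line still carries id:ID
check_rule_disabled() {
  ! grep -v '^[[:space:]]*#' "$1" | grep -q "id:$2[,\"]"
}

# write_sample FILE: constructed test input (Joomla block from the page, an abridged
# copy of rule 212660, and a made-up chain with placeholder id 9990001)
write_sample() {
  cat > "$1" <<'EOF'
<LocationMatch "/index\.php$">
SecRule REQUEST_METHOD "@streq POST" \
   "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
SecRule ARGS_GET:option "@streq com_media" \
   "chain"
SecRule ARGS_GET:task "@rx ^file\.upload$" \
   "chain"
SecRule ARGS_GET:tmpl "@streq component" \
   "chain"
SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
   "chain"
SecRule MULTIPART_FILENAME "@rx \..+\.$"
</LocationMatch>

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "\bbackground-image:" \
   "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,t:'none',t:'lowercase'"

# constructed: a two-rule chain that is not wrapped in LocationMatch
SecRule REQUEST_METHOD "@streq POST" \
   "id:9990001,chain,phase:2,deny,status:403,log,msg:'constructed sample chain'"
SecRule ARGS:sample "@rx ^sample$"
EOF
}

# Usage in the unpacked cwaf_rules_<ver> directory, for example:
#   disable_rules 26_Apps_Joomla.conf 220240
#   rewrite_status *
#   check_rule_disabled 26_Apps_Joomla.conf 220240 && echo "220240 is off"
```

The script only edits text; the apache2ctl -t run in the Test section remains the real check that the remaining rules still load, and check_rule_disabled is just a quick way to confirm that an id no longer appears on an active line.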

Test

Test on one server (e.g. tux3) by

  • backing up the current rule files: cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
  • copying the (modified) cwaf files to the server: scp * tux3:/usr/local/apache2/conf/mod_security2/cwaf-rules/
  • testing the configuration with /usr/local/apache2/sbin/apache2ctl -t
  • restarting the apache web server with /etc/init.d/apache2 restart
  • checking the default error log with tail -fF /var/log/httpd/error_log | grep -i modsec

Deploy

If all went fine, do the same using dscp and dssh:

dssh cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
dscp * []:/usr/local/apache2/conf/mod_security2/cwaf-rules/
dssh /etc/init.d/apache2 reload