COMODO WAF rules & Whitelist

#1
I am trying to use the COMODO WAF rules on LiteSpeed without a control panel. I have the rules enabled and in log-only mode in order to test, and I am seeing a lot of entries that appear as though they would block legitimate requests, which I would like to resolve before using it in production and in blocking mode.

Litespeed Enterprise version: 5.2.4
Comodo Rules version: 1.154

Here is a sample from the log with the IP and domain removed:
Code:
--122cdea1-A--
[16/Mar/2018:08:14:47 -0700] 443
--122cdea1-B--
content-length: 293
accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
content-type: application/x-www-form-urlencoded; charset=UTF-8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
alexatoolbar-alx_ns_ph: AlexaToolbar/alx-4.0.1
rankboostupplugin: v1.20

--122cdea1-F--

--122cdea1-H--
Message: Detected 200 (phase 1). Test 'TX:0' against '!@pmFromFile userdata_wl_content_type' is true. [file "/usr/local/lsws/conf/comodo_litespeed/11_HTTP_HTTP.conf"] [line "21"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type."] [logdata "application/x-www-form-urlencoded=application/x-www-form-urlencoded"] [severity "CRITICAL"] [MatchedString "application/x-www-form-urlencoded"]

--122cdea1-Z--
The access log contains entries similar to this:
Code:
ModSecurity: Access denied with code -, [Rule: 'TX:0' '!@pmFromFile userdata_wl_content_type'] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type."] [logdata "application/x-www-form-urlencoded=application/x-www-form-urlencoded"]
I have confirmed that the userdata_wl_content_type file exists in the rules folder, has the correct permissions, and does contain a line for x-www-form-urlencoded.

Any help would be appreciated. Thanks!
 

mistwang

LiteSpeed Staff
#2
Maybe the parent folder's permissions prevent the server from reading that file. Make sure the nobody user can read it.
/usr/local/lsws/conf/ has strict permissions; nobody may not be able to read files under it.
You can move the rule set to /usr/local/lsws/modsec/
 
#3
Thanks for the suggestions. Unfortunately, it didn't seem to help. I moved the rules and set the permissions on /usr/local/lsws/modsec to nobody:nobody. I'm still seeing the issue with the whitelist being ignored. I set up the Comodo rules using the instructions here: https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:waf:standalone

The rules are working, just not the whitelist. Any other suggestions or options would be greatly appreciated. Thanks!
 

mistwang

LiteSpeed Staff
#4
Is the web server worker process running as nobody?
Please check if nobody can read the whitelist file with the command:
sudo -u nobody cat /<path_to_whitelist_file>
 
#5
Thanks for the quick follow-up. The server is running as nobody and the file is accessible to nobody.

Code:
nobody   27892 28.3  0.5 381072 167616 ?       Sl   10:17  15:09 litespeed (lshttpd)

# sudo -u nobody cat /usr/local/lsws/modsec/userdata_wl_content_type
application/x-www-form-urlencoded
multipart/form-data
text/xml
application/xml
application/x-amf
application/json
application/octet-stream
multipart/mixed
 

mistwang

LiteSpeed Staff
#6
Looks like a bug with LSWS. Which version are you using?
Maybe it is due to the relative path not being resolved correctly in the native LiteSpeed setup.
Can you show us your ModSecurity configuration in httpd_config.xml?
We will try to reproduce it.
 

mistwang

LiteSpeed Staff
#7
I have tested it locally, and it looks fine. Can you try testing it with curl to see if the rule gets hit?
curl -i -H "content-type: application/x-www-form-urlencoded; charset=UTF-8" -d "test=postdata" http://<a_url_to_your_site_php_script>
 
#8
Hi,

Thanks for following up. We're using LiteSpeed Web Server Enterprise 5.2.4. The server was installed by our host, and then I made additional configurations through the LiteSpeed web admin console. I have WAF enabled only on one virtual host and not on the server, because we don't want it to impact other virtual hosts' traffic.

I tested and had the same result with the whitelist being ignored. Here is the log entry:

Code:
--00d9a4b5-A--
[30/Mar/2018:14:14:15 -0700]
--00d9a4b5-B--
POST  HTTP/1.1
User-Agent: curl/7.29.0
Host:
Accept: */*
content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 13

--00d9a4b5-F--

--00d9a4b5-H--
Message: Detected 200 (phase 1). Test 'TX:0' against '!@pmFromFile userdata_wl_content_type' is true. [file "/usr/local/lsws/modsec/11_HTTP_HTTP.conf"] [line "21"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type."] [logdata "application/x-www-form-urlencoded=application/x-www-form-urlencoded"] [severity "CRITICAL"] [MatchedString "application/x-www-form-urlencoded"]

--00d9a4b5-Z--
Here is the virtual host security config from the xml file:

Code:
  <security>
    <censorshipControl>
      <enableCensorship>1</enableCensorship>
      <logLevel>9</logLevel>
      <defaultAction>log</defaultAction>
      <scanPOST>0</scanPOST>
    </censorshipControl>
    <censorshipRuleSet>
      <name>Comodo Litespeed</name>
      <enabled>1</enabled>
      <ruleSet>Include $SERVER_ROOT/modsec/rules.conf</ruleSet>
    </censorshipRuleSet>
    <realmList>
      <realm>
        <type>file</type>
        <name>ADMINISTRATION</name>
        <userDB>
          <location>$VH_ROOT/.htpasswd</location>
          <maxCacheSize>0</maxCacheSize>
          <cacheTimeout>0</cacheTimeout>
        </userDB>
      </realm>
    </realmList>
  </security>
 
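An added diagnostic (my own example, not the poster's or LiteSpeed's code) that parses a serial-format audit-log entry like the ones posted above, pulls the rule id and MatchedString out of section H, and checks the flagged value against the whitelist file using @pmFromFile's semantics (one phrase per line, '#' comments ignored, case-insensitive substring match). The sample entry and whitelist are constructed from this thread's posts; a hit means the file contents would have allowed the request, so the engine most likely never read the file at all.

```python
import re

# Constructed sample, trimmed from the audit-log entry posted in this thread
# (the request line and Host value were already removed by the poster).
AUDIT_ENTRY = """--00d9a4b5-A--
[30/Mar/2018:14:14:15 -0700]
--00d9a4b5-B--
POST  HTTP/1.1
content-type: application/x-www-form-urlencoded; charset=UTF-8
--00d9a4b5-H--
Message: Detected 200 (phase 1). Test 'TX:0' against '!@pmFromFile userdata_wl_content_type' is true. [file "/usr/local/lsws/modsec/11_HTTP_HTTP.conf"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy."] [MatchedString "application/x-www-form-urlencoded"]
--00d9a4b5-Z--
"""

# Constructed copy of part of the whitelist file contents shown in post #5.
WHITELIST = """# allowed request content types
application/x-www-form-urlencoded
multipart/form-data
application/json
"""

SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$", re.M)

def split_sections(entry):
    # Serial audit-log format: "--<id>-<letter>--" lines delimit sections A..Z.
    marks = list(SECTION_RE.finditer(entry))
    ends = [m.start() for m in marks[1:]] + [len(entry)]
    return {m.group(1): entry[m.end():end].strip() for m, end in zip(marks, ends)}

def rule_fields(section_h):
    # Section H carries [key "value"] pairs: file, id, msg, MatchedString, ...
    return dict(re.findall(r'\[(\w+) "([^"]*)"\]', section_h))

def pm_phrases(text):
    # @pmFromFile: one phrase per line; blank lines and '#' comments are ignored.
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def diagnose(entry, whitelist_text):
    """Return the rule id, the value the rule flagged, and whether that value
    contains a whitelist phrase (@pm is a case-insensitive substring match)."""
    fields = rule_fields(split_sections(entry).get("H", ""))
    matched = fields.get("MatchedString", "")
    hits = [p for p in pm_phrases(whitelist_text) if p.lower() in matched.lower()]
    return {
        "rule_id": fields.get("id"),
        "matched": matched,
        "whitelist_hits": hits,
        # A hit means the file would have whitelisted this request, so the
        # engine most likely never read the file (path or permission problem).
        "file_probably_not_loaded": bool(hits),
    }
```

To run it against a live server, read the audit-log entry and the userdata_wl_content_type file from disk in place of the two constructed strings.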

mistwang

LiteSpeed Staff
#9
I could not reproduce it with the same configuration.
Is there any symbolic link involved in any related file path?
What is the content of rules.conf? I just copied rules.conf.main.
Maybe you should update LSWS to 5.2.6.
 
#10
Hi,

I just updated LiteSpeed and the Comodo rules. The versions are:

LiteSpeed Web Server Enterprise 5.2.6
Comodo Rules 1.159

I just copied the rules.conf.mail to rules.conf

I'm still seeing the issue. There are no symbolic links in the path of the server configuration files.

Are there any steps needed to get the whitelist to work? I'm wondering if I missed something in setting this up. I'm new to both LiteSpeed and ModSecurity, so I'm lost as to why this isn't working. Thanks again for your help in trying to figure it out.
 

Pong

Administrator
Staff member
#11
You can log a ticket with us, providing temporary root SSH access to your server for us to take a look.
Please also provide the detailed steps to reproduce the issue in the ticket.
 