modsecurity rule blocking my site from saving

rhett

New member
Joined
Jul 30, 2025
Messages
7
My site is a WooCommerce store built with the Bricks Builder page builder.
DirectAdmin panel + LiteSpeed web server, running on an unmanaged VPS.

I found in the ModSecurity log that the rule IDs below are blocking:
Blocking saving in Bricks settings:
932235
941110
941100
941160
941180
Blocking entering editor canvas and causing redirect to /my-account/page
933150
Blocking saving in editor canvas
932230

How can I bypass the security for administrator operations without disabling those rules completely, please?

I attached the blocking log for 4 rule IDs in the attached link. Please have a look.
 

Do you mean... bypass those rules only for some user or domain?

User Level -> Modsecurity should have the bypass rules ID interface.
 
Do you mean the user -> advanced features -> modsecurity -> disable rules?
If rule IDs are disabled this way, those rules will not work when a real risk/attack happens, right?
In this case, I wonder if it is possible to create a rule to bypass requests based on the URL "/wp-admin/admin-ajax.php" and the cookies "wp-settings-1" and "^wordpress_logged_in_"?
 
I don't know how to filter requests based on cookies, but if it is by request URL, then you should add custom rules (I don't know where to put them).


If it is Comodo rules, it should have a UI for adding the custom rule set.
Code:
SecRule REQUEST_FILENAME "@beginsWith /wp-admin/" \
     "id:1001,\
     phase:2,\
     pass,\
     nolog,\
     ctl:ruleRemoveById=911100,\
     ctl:ruleRemoveById=932260,\
     ctl:ruleRemoveById=920340,\
     ctl:ruleRemoveById=932235,\
     ctl:ruleRemoveById=941100,\
     ctl:ruleRemoveById=941130,\
     ctl:ruleRemoveById=941160,\
     ctl:ruleRemoveById=941170,\
     ctl:ruleRemoveById=949110,\
     ctl:ruleRemoveById=980130"

Please adjust the removed IDs yourself.
Note: this example rule will be global for all domains.
 
Try:
SecRule REQUEST_HEADERS:cookie "^.*wp-settings-1.*$" "id:123094610,phase:1,t:none,pass,log,ctl:ruleRemoveById=911100"

For a request based on URL, just change it to:
SecRule REQUEST_URI "/wp-admin/admin-ajax.php" "id:123091620,phase:1,t:none,pass,log,ctl:ruleRemoveById=911100"

Do it for the other rules, and modify as you need.

Put those rules before these rule IDs:

932235
941110
941100
941160
941180
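
A scoped exclusion along the lines the original poster asked about (URL plus login cookie), as an added example that is not part of any post in this thread. Assumptions: the rule id 1000100 is a placeholder, the blocked saves are POST requests to admin-ajax.php, and the engine in use supports `chain` and `ctl:ruleRemoveById`.

```apache
# Added example, not from the thread. id 1000100 is a placeholder: use any
# unused local id. Load this before the OWASP CRS rule files.
#
# All three conditions must match before anything is excluded:
#   1. the path is the WordPress admin AJAX endpoint,
#   2. the method is POST (assumed: the blocked saves were POSTs),
#   3. a cookie whose name starts with wordpress_logged_in_ is present.
#
# phase:1 puts the exclusion in place before the CRS phase 2 rules inspect
# the request body. The ctl actions sit on the LAST rule of the chain so
# they run only when the whole chain matches, and they apply to the current
# transaction only. The anomaly-scoring rules (949110, 980130) are left in
# place, so every other CRS rule still scores and blocks on this URL.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1000100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_COOKIES_NAMES "@rx ^wordpress_logged_in_" \
            "t:none,\
            ctl:ruleRemoveById=932230,\
            ctl:ruleRemoveById=932235,\
            ctl:ruleRemoveById=933150,\
            ctl:ruleRemoveById=941100,\
            ctl:ruleRemoveById=941110,\
            ctl:ruleRemoveById=941160,\
            ctl:ruleRemoveById=941180"
# Keep only the IDs that the audit log shows firing on this URL.
```

A cookie name is supplied by the client and ModSecurity cannot verify that it belongs to a valid administrator session, so this narrows false positives but is not an authentication check. If the administrators connect from fixed addresses, a further chained `SecRule REMOTE_ADDR "@ipMatch ..."` condition tightens the scope.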
 
Thanks for the help.

I've just solved the issue with the help from Imunify360. They told me there are 2 rulesets in my system, which will cause a high false positive rate and inconsistent rule functioning. The blocking rulesets belong to OWASP, so I've disabled OWASP in CustomBuild -> options.
 
You're welcome. Yes, I think it is enough to use the ImunifyWaf rules only and disable the OWASP rules if there are too many false positives.
 