-1

I recently migrated my VPS to Plesk Onyx v17 (running on Ubuntu 14.04) and, when I checked the error logs this morning, I noticed multiple records like this one:

[Tue Apr 11 06:26:33.063983 2017] [:error] [pid 3306:tid 140450353870592] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity.d/rules/comodo/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||www.example.com|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "WOyvWX8AAQEAAAzqQuAAAAAA"]

Here XXX.XXX.XXX.XXX is the IP address of my VPS. I decided to investigate this error but, when I opened the Comodo WAF rules file 12_HTTP_Protocol.conf, I noticed that there is actually no rule there with id "217270": after rule 217261, the next one listed is 217280...?

Looks like I'm stuck here... Any thoughts/suggestions?

Mike S

1 Answer

0

The problem has been resolved with the new Comodo rules update on April 10. This update removed problematic rules ##217220, 217250, and 217270. That is the reason I didn't see the rule with ID 217270 in the file (it was an updated one). Apparently, ModSecurity was still running the old rule set; I have restarted the server now, so hopefully the problem is now resolved.

Mike S
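The mismatch described above (a logged rule id that is absent from the rules file on disk because ModSecurity was still running the old rule set) can be checked mechanically. This is an added example, not part of the original posts and not Comodo or Plesk tooling; the function names and the placeholder rules in `SAMPLE_RULES` are constructed for illustration, and the log line is the one quoted in the question.

```python
import re

# [name "value"] pairs that ModSecurity 2.x appends to Apache error-log lines
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# id action in a rule's action list: id:217261 or id:'217261'
RULE_ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)")

RULES_PATH = "/etc/apache2/modsecurity.d/rules/comodo/12_HTTP_Protocol.conf"
# Log line as quoted in the question
SAMPLE_LOG = ['[Tue Apr 11 06:26:33.063983 2017] [:error] [pid 3306:tid 140450353870592] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity.d/rules/comodo/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||www.example.com|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "WOyvWX8AAQEAAAzqQuAAAAAA"]']
# Constructed stand-in for the updated file on disk (placeholder rule bodies)
SAMPLE_RULES = '''
SecRule REQUEST_METHOD "@rx ^PLACEHOLDER$" "id:217261,phase:2,pass,nolog"
# SecRule REQUEST_METHOD "@rx ^PLACEHOLDER$" "id:217270,phase:2,pass,nolog"
SecRule REQUEST_METHOD "@rx ^PLACEHOLDER$" "id:217280,phase:2,pass,nolog"
'''


def parse_denial(line):
    """Return the bracketed metadata of a ModSecurity log line as a dict, or None."""
    if "ModSecurity:" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def ids_on_disk(rules_text):
    """Collect rule ids defined in a rules file, skipping commented-out lines."""
    ids = set()
    for raw in rules_text.splitlines():
        if not raw.lstrip().startswith("#"):
            ids.update(RULE_ID_RE.findall(raw))
    return ids


def stale_hits(log_lines, rules_by_file):
    """Return (file, line, id) for logged rules that are gone from the file on disk."""
    hits = []
    for entry in log_lines:
        meta = parse_denial(entry)
        if not meta or "id" not in meta or "file" not in meta:
            continue
        text = rules_by_file.get(meta["file"])  # on a server: open(meta["file"]).read()
        if text is not None and meta["id"] not in ids_on_disk(text):
            hits.append((meta["file"], meta.get("line"), meta["id"]))
    return hits


if __name__ == "__main__":
    print(stale_hits(SAMPLE_LOG, {RULES_PATH: SAMPLE_RULES}))
```

A non-empty result means the web server is still enforcing rules that are no longer in the file, which is the state a restart after the rule update clears.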