Symptom: the WAF produces false-positive hits on legitimate actions, such as uploading images, updating things via the admin dashboard, or just accessing it.
To identify exactly which WAF rule is causing the problem, watch the console log with the "tail -f" command while reproducing the problem in a browser:
tail -f /var/log/imunify360/console.log | grep YOUR.IP.ADDRESS.HERE
tail -f /var/log/imunify360/console.log | grep modsec
tail -f /var/log/imunify360/console.log | grep --line-buffered modsec | grep YOUR.IP.ADDRESS.HERE
When the problem happens, log entries with the ModSecurity or OSSEC rule in question will appear in /var/log/imunify360/console.log.
After that, the rule can be disabled for the domain in question via the UI, as described at https://docs.imunify360.com/dashboard/#disabled-rules, or via the CLI, for example:
imunify360-agent rules disable --name somename --id 1234567 --plugin modsec --domains somedomain.com
If proceeding as advised above resolves the problem, and the software in use is commercial and not custom-coded, then the ModSecurity or OSSEC rule in question produced a false-positive hit. In that case, we'd appreciate it if you shared the corresponding error log entries with us so that the WAF dev team can improve that rule.