Hi @sguk
Please send this file to “samples [at] wordfence [dot] com”. Our team would like to take a look at this file. Mention all the details you can in this email.
Thanks.
Thread Starter
sguk
(@sguk)
Emailed.
Note
I used incorrect wording in the post above. I am new to OWASP, so I did not realise when posting that when rule 949 is turned off, it does not block. I found out later from the creator of OWASP.
I should have said
Modsecurity – picked up on injection attack / script file upload etc and showed a warning.
Hi @sguk,
Just catching up on unresolved threads here. Reading your initial post it looks like Modsec may have blocked something that Wordfence subsequently did not block? If something is blocked by Modsec it will never reach Wordfence, because it would already have been blocked. Do you think that is what happened?
Thread Starter
sguk
(@sguk)
Mod Security is not blocking the attacks; it’s a warning. The block rule is turned off as it causes too many issues with the WordPress editor.
If 949 is off, it’s just a warning, so on this basis, Wordfence would see it.
From cpanel knowledgebase
REQUEST-949-BLOCKING-EVALUATION
The configuration file path:
modsec_vendor_configs/OWASP/rules/REQUEST-949-BLOCKING-EVALUATION.conf
The rules in this configuration file block traffic that various other configuration files request.
Warning:
Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.
I haven’t looked any further into this myself as we’re too busy on other work. It may not be as we thought, just something we thought we noticed.
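Added example (not part of the thread, and not Wordfence, cPanel or OWASP code): with the 949 blocking evaluation disabled, one way to see which requests ModSecurity flagged but still passed on to WordPress is to group the error-log entries by `unique_id` and keep those that have warnings but no 949 denial. The log lines are constructed for the demo, the bracketed-tag layout assumes ModSecurity 2.x Apache error-log output, and the function name `detected_not_blocked` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed ModSecurity 2.x error-log style).
# Messages, URIs and unique_id values are made up for this demo.
SAMPLE_LOG = """\
ModSecurity: Warning. Pattern match at ARGS:q. [id "941100"] [msg "XSS detected"] [uri "/"] [unique_id "AAA111"]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"] [unique_id "AAA111"]
ModSecurity: Warning. Pattern match at FILES:upload. [id "933110"] [msg "Script file upload"] [uri "/wp-admin/async-upload.php"] [unique_id "BBB222"]
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL injection detected"] [uri "/index.php"] [unique_id "CCC333"]
ModSecurity: Warning. Pattern match at ARGS:id. [id "942190"] [msg "SQL injection detected"] [uri "/index.php"] [unique_id "CCC333"]
"""

TAG = re.compile(r'\[(\w+) "([^"]*)"\]')   # matches [key "value"] pairs
BLOCKING_PREFIX = "949"                    # ids in REQUEST-949-BLOCKING-EVALUATION.conf


def detected_not_blocked(log_text):
    """Map unique_id -> {"uri", "rule_ids"} for requests that raised
    warnings but were never denied by a 949 blocking-evaluation rule."""
    warned = defaultdict(lambda: {"uri": None, "rule_ids": []})
    blocked = set()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        tags = dict(TAG.findall(line))
        uid, rule_id = tags.get("unique_id"), tags.get("id", "")
        if uid is None:
            continue  # cannot correlate this entry to a request
        if "Access denied" in line and rule_id.startswith(BLOCKING_PREFIX):
            blocked.add(uid)
        elif "ModSecurity: Warning." in line:
            warned[uid]["uri"] = tags.get("uri")
            warned[uid]["rule_ids"].append(rule_id)
    return {uid: info for uid, info in warned.items() if uid not in blocked}


if __name__ == "__main__":
    for uid, info in detected_not_blocked(SAMPLE_LOG).items():
        print(uid, info["uri"], ",".join(info["rule_ids"]))
```

Requests listed by this check reached the application, so they are the ones a second layer such as Wordfence would have had the chance to evaluate.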
Hi @sguk!
Okay thanks for elaborating. I’ll forward this information to the team in case it’s something we need to have a closer look at!