Please make sure you are running the latest WAF rules, there is a bug in the antispam rules that will generate False Positives. To update your rules, just run this command as root:

asl -u

The specific false positive is rule #300186, so if for some reason you can not update your rules than disable this rule. We recommend you update your rules.

Thanks Mike - reported as FP earlier, but to keep clients working I disabled the rule, is there a command/location to view which rules have been disabled? I noticed there are several asl commands now (-er/dr - Re-enable/Disable modsec rule by signature ID), but not one to view all disabled rules...

Great question, for now you'll have to look at these files:



Those are any globally disabled rules.



Those are any disabled rules for specific vhosts.

In the future this will all be visible in the GUI and we're planning big changes in the way the rules are managed and displayed too, including classes (which have overlapping rules, so you could disable all PHP rules, or just PHP-SQL rules, etc.) We're going to roll classes out where it makes the most sense for things like the spam rules, so you can say "disabled all gambling rules for this vhost". In the longer term we'd like to expose spam rules to domain owners, but thats a big lift and change in the auth model so theres no timeline yet on that feature. Its something we have to think very carefully about as we dont want a domain owner to be able to disable rules that protect the server, and then open your box up to full compromise.

Thanks Mike, that's really useful to know. When an ID is manually removed from /etc/asl/(vhost_)disabled_signatures does anything need to be run (e.g. asl -u)?
Have removed 300186 but another ID is still there (yeah, I remember doing this once before), have no idea what it relates to... Would be useful to add comments when disabling rules or even to have a way of looking up a rule by ID (just blue-sky-thinking, not feature-requesting).

You don't want to edit files like /etc/asl/disabled_signatures manually. Instead run the command to enable the rule again (asl -er <number>).

Ah yeah! makes complete sense.
Add reference back to file, ran asl -er 300186, it worked fine with some expected output.
Thanks breun