# Cloudflare whmcs WAF rules vs Modsec typical whmcs rules



## Hxxx (Feb 2, 2014)

Cloudflare WHMCS WAF rules, which are OWASP based, vs Modsec OWASP.

Would you have both? Or just one of the two?


----------



## Kruno (Feb 3, 2014)

CloudFlare WAF had a lot of false positives last time I tested it out, which was around 2-3 months ago. They were blocking legal requests and broke BitPay and WebMoney payment modules.

Sure, that is fine. False positives happen. Everything would be OK if they were willing to fix the issues. Instead of fixing them, they just replied and suggested that I whitelist IPs. Yeah, I'm gonna predict all IPs that will pay using BTC or WMZ and whitelist them... nonsense.


----------



## GIANT_CRAB (Feb 3, 2014)

I remember there's a comparison between Modsec, Cloudflare and some other WAF CDN.

Results were that mod_sec owns everything. It's really good.


----------



## jarland (Feb 3, 2014)

Sucuri WAF, the lazy man's mod_sec. Cloudflare WAF is terrible. I've had a Joomla site running through it for two months and my logs are full of injection attempts that made it through, while Apache would only serve the site for Cloudflare requests. Their response? Nothing really. Not one single bit of info about the things they supposedly combat and plenty of crap in the logs.


Sucuri is my new WAF of choice. Specific details for every single occurrence, very thorough in patching known exploits over the proxy. My Joomla 1.5 that is hell to update is now secure. If they can do that, WHMCS should be a breeze.


----------



## Artie (Feb 3, 2014)

jarland said:


> Sucuri is my new WAF of choice. Specific details for every single occurrence, very thorough in patching known exploits over the proxy. My Joomla 1.5 that is hell to update is now secure. If they can do that, WHMCS should be a breeze.


I fail to see any tech details whatsoever on their sites. Not even how the service works. Lots of talk and no details to back it up?


----------



## jarland (Feb 3, 2014)

Artie said:


> I fail to see any tech details whatsoever on their sites. Not even how the service works. Lots of talk and no details to back it up?


http://cloudproxy.sucuri.net/features


I'm not sure what more details you're expecting. Proxy web application firewall is fairly self-explanatory. They proxy the site (like Cloudflare) and block known exploits while providing you with a full detailed log of every occurrence. To get any more technical than that they'd have to give you all of their rules up front, which probably isn't the best business model.

Edit: Ah I see, must have used my signature link, their front page is kinda weird


----------

