LiteSpeed Support Forums


yolte 02-26-2009 06:55 AM

mod_security RESPONSE_BODY
 
Hello,

I have a problem with mod_security RESPONSE_BODY rules.

Some mod_sec 2.x rules are not working. For example, I have a rule set for blocking r57, c99, etc. PHP shells:

Quote:

SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?: microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
This rule works when I switch to Apache, but on LS it is not working.

This rule has to return a 404 error when someone runs the r57 shell script.

Can you help to improve security by using SecRule RESPONSE_BODY?

mistwang 02-28-2009 07:07 PM

Currently, scanning the response body is not yet supported by LiteSpeed.
A rule like that will severely slow down the server when scanning a large response body.
So, we will think about it carefully.

yolte 03-01-2009 06:11 AM

Hello,

Maybe it will slow down the server. But security is more important for us.

Can you enable RESPONSE_BODY for those who want to use security?

We are looking to use LiteSpeed instead of Apache on our 20 Linux servers. But our security department doesn't approve because of mod_security response rules.

yolte 03-04-2009 02:50 AM

Hello mistwang,

Will there be any progress on this issue?

IrPr 03-23-2009 05:56 PM

George is right, it will slow down the server as hell,
but I think a special trick, for example scanning only specified response MIME types (plain text) or requested file types (PHP), would solve the performance issue and increase security as well.

Is it possible?
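
As an added illustration (not part of any post in this thread, and not LiteSpeed or ModSecurity code), the following Python sketch models the trade-off discussed so far: inspect only selected response MIME types and only a bounded prefix of each body. The MIME list, the 512 KB limit, the function names and the sample responses are assumptions, and the pattern uses only a few markers taken from the rule quoted in the first post.

```python
import re

# Assumptions for this sketch: which media types to inspect and how much to read.
SCAN_MIME_TYPES = {"text/html", "text/plain"}
SCAN_LIMIT = 512 * 1024  # inspect at most this many bytes of any body

# A few markers from the rule quoted in the first post (not the full rule).
# Matching is case-insensitive here, which is a choice made for this sketch.
SHELL_MARKERS = re.compile(
    rb"<title>[^<]*?(?:r57shell|myshell|phpremoteview)"
    rb"|\b(?:c99shell|phpkonsole|haxplorer)\b",
    re.IGNORECASE,
)


def should_scan(content_type: str) -> bool:
    """Gate on the media type only; parameters such as charset are ignored."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in SCAN_MIME_TYPES


def inspect_response(content_type: str, body: bytes) -> dict:
    """Verdict for one response: skip, pass, or deny with status 404 as in the rule."""
    if not should_scan(content_type):
        return {"scanned": 0, "action": "skip", "status": None}
    window = body[:SCAN_LIMIT]  # bounded work even for very large bodies
    match = SHELL_MARKERS.search(window)
    if match:
        return {"scanned": len(window), "action": "deny", "status": 404,
                "marker": match.group(0).decode("latin-1")}
    return {"scanned": len(window), "action": "pass", "status": None}


# Constructed sample responses, not captured traffic.
SAMPLES = [
    ("text/html; charset=utf-8", b"<html><head><title>r57shell</title></head></html>"),
    ("text/html", b"<html><title>Shop</title><p>Welcome</p></html>"),
    ("application/zip", b"PK\x03\x04" + b"c99shell" * 4),
    ("text/plain", b"A" * (SCAN_LIMIT + 10) + b" c99shell "),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(ctype, inspect_response(ctype, body))
```

The last sample shows the cost of the size cap: work per response is bounded, but the part of a large body beyond the limit is not inspected.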

yolte 03-24-2009 02:24 AM

Yes, it will slow down, but this is our choice. Am I wrong? :)

mistwang 03-24-2009 08:01 PM

It is a low priority feature.

yolte 03-26-2009 06:45 AM

Quote:

Originally Posted by mistwang (Post 14239)
It is a low priority feature.

Security is a low priority feature?

Every server which does not support this feature can be hacked. How can it be ignored?

Let's test it?

Tony 03-26-2009 07:51 AM

Quote:

Originally Posted by yolte (Post 14262)
Security is a low priority feature?

Every server which does not support this feature can be hacked. How can it be ignored?

Let's test it?

I'd say more like a site can be hacked because they do not keep up-to-date versions of their software or make secure software. For hacking an entire server it would be even more tricky, assuming the site was on its own account.

There are other mod_security rules which are already supported which can inflate memory (ones that use location match). I'd rather see the rules that are supported not slow down LSWS to Apache levels.

yolte 03-29-2009 04:54 AM

Quote:

Originally Posted by Tony (Post 14265)
I'd say more like a site can be hacked because they do not keep up-to-date versions of their software or make secure software. For hacking an entire server it would be even more tricky, assuming the site was on its own account.

I think we have to protect the web sites of customers who don't have enough information about script security?

Quote:

There are other mod_security rules which are already supported which can inflate memory (ones that use location match). I'd rather see the rules that are supported not slow down LSWS to Apache levels.

Can you give me examples of which rules protect from PHP shells? (e.g. r57, c99)


All times are GMT -7.