Thread: mod_security
#11, 02-03-2011, 11:01 AM
mikegotroot
Quote:
Are you talking about "chain" and "skip" actions? Those actions are supported currently.
There are LiteSpeed users loading getroot or some other modsec rule sets. Rules using regular expression matching do work. It does not break LiteSpeed.
Thank you for the reply. No, I'm talking about the ability to actually create branching logic using SecAction, Secskip, SecMarker and other methods. Example:

# If the method is one of the listed ones, skip the next rule (the SecAction) and run the checks
SecRule REQUEST_METHOD "@pm trace track connect post" \
"phase:1,t:none,t:lowercase,pass,nolog,skip:1"
# Otherwise jump past the whole block to the END_FOO marker
SecAction phase:1,t:none,pass,nolog,skipAfter:END_FOO

# Rule 340002: deny TRACE/TRACK methods
SecRule REQUEST_METHOD "trac(?:e|k)" \
"phase:1,t:none,t:lowercase,id:340002,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: TRACE/TRACK method denied'"

# Rule 340361: deny CONNECT method
SecRule REQUEST_METHOD "connect" \
"t:none,t:lowercase,capture,phase:1,t:lowercase,id:340361,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CONNECT method denied',logdata:'%{TX.0}'"

SecMarker END_FOO

Do you support that? And what about the transforms in 2.5.13, like escapeSeqDecode, removecomments, and others? I could go on, but you get the point. I couldn't find any documentation on your WAF module; if you could point me to it, then I would know what you do support, and what 2.5.x logic won't work with your WAF module. As it stands right now, I get several reports a week that the current gotroot and OWASP rules don't work with your implementation. If you don't support all the features in 2.5.13, then that makes sense. Could you please tell me what features you do support?

Quote:
There are LiteSpeed users loading getroot or some other modsec rule sets. Rules using regular expression matching do work. It does not break LiteSpeed.
I'm a bit puzzled by this response. Do you support the whole rule language or not? If not, then rules won't work correctly (ModSecurity rules require a lot more than just regular expression matching). If your implementation is supposed to be a drop-in replacement I'm glad to hear that, so can you confirm that you support the whole 2.5.13+ rule language? And if not, what do you support?
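An added example, not code from this post or from either project: it lists the directives, operators, transformations and actions a rule file actually uses, so the result can be compared against whatever feature list a ModSecurity-compatible engine documents. `HYPOTHETICAL_ENGINE` is a made-up profile, not LiteSpeed's real feature list, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the rules quoted in the post (msg text shortened).
SAMPLE = r'''
SecRule REQUEST_METHOD "@pm trace track connect post" \
    "phase:1,t:none,t:lowercase,pass,nolog,skip:1"
SecAction phase:1,t:none,pass,nolog,skipAfter:END_FOO
SecRule REQUEST_METHOD "trac(?:e|k)" \
    "phase:1,t:none,t:lowercase,id:340002,rev:2,severity:2,msg:'TRACE/TRACK denied'"
# Rule 340361: deny CONNECT method
SecRule REQUEST_METHOD "connect" \
    "t:none,t:lowercase,capture,phase:1,id:340361,msg:'CONNECT denied',logdata:'%{TX.0}'"
SecMarker END_FOO
'''
# Hypothetical engine profile for illustration; NOT LiteSpeed's real feature list.
HYPOTHETICAL_ENGINE = {
    'directive': {'SecRule', 'SecAction'}, 'operator': {'@rx'}, 'transform': {'none', 'lowercase'},
    'action': {'phase', 'pass', 'nolog', 'id', 'rev', 'severity', 'msg', 'skip'}}
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')  # one quoted or bare argument
ACTION = re.compile(r"(?:'[^']*'|[^,])+")         # comma split that honours '...'

def inventory(text):
    """Map 'directive'/'operator'/'transform'/'action' to the names the rules use."""
    used = defaultdict(set)
    for line in re.sub(r'\\\r?\n\s*', ' ', text).splitlines():  # join continuations
        args = [m.group(2) or m.group(1) for m in TOKEN.finditer(line)]
        if not args or args[0].startswith('#'):
            continue
        used['directive'].add(args[0])
        actions = ''
        if args[0] == 'SecRule' and len(args) >= 3:
            op = args[2].lstrip('!')  # no leading @ means an implicit @rx
            used['operator'].add(op.split()[0] if op.startswith('@') else '@rx')
            actions = args[3] if len(args) > 3 else ''
        elif args[0] == 'SecAction' and len(args) > 1:
            actions = args[1]
        for item in ACTION.findall(actions):
            name, _, value = item.strip().partition(':')
            kind, entry = ('transform', value) if name == 't' else ('action', name)
            used[kind].add(entry)
    return used

def unsupported(used, supported):
    """Names the rules need that are missing from an engine's supported sets."""
    gaps = {k: sorted(v - supported.get(k, set())) for k, v in used.items()}
    return {k: v for k, v in gaps.items() if v}

if __name__ == '__main__':
    print(unsupported(inventory(SAMPLE), HYPOTHETICAL_ENGINE))
```

Against the made-up profile, the gaps reported for the sample are the `SecMarker` directive, the `@pm` operator, and the `capture`, `logdata` and `skipAfter` actions.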