LiteSpeed Technologies

LiteSpeed Support Forums > LiteSpeed Web Server > LSWS 4.1 Release > mod_security RESPONSE_BODY

  #1  
02-26-2009, 06:55 AM
yolte
Member
Join Date: Feb 2009
Posts: 10
mod_security RESPONSE_BODY

Hello,

I have a problem about mod_security RESPONSE_BODY rules;

Some mod_sec 2.x rules are not working. For example, I have a rule set for blocking r57, c99 etc. PHP shells:

Quote:
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?: microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
This rule works when I switch to Apache, but on LS it does not work.

This rule has to return a 404 error when someone runs the r57 shell script.

Can you help to improve security by using SecRule RESPONSE_BODY?
  #2  
02-28-2009, 07:07 PM
mistwang
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,583
Currently, scanning the response body is not yet supported by LiteSpeed.
A rule like that will severely slow down the server when scanning a large response body.
So, we will think about it carefully.
  #3  
03-01-2009, 06:11 AM
yolte
Member
Join Date: Feb 2009
Posts: 10
Hello,

Maybe it will slow down the server. But security is more important for us.

Can you enable RESPONSE_BODY for those who want to use it for security?

We are looking to use LiteSpeed instead of Apache on our 20 Linux servers. But our security department doesn't approve because of the mod_security response rules.
  #4  
03-04-2009, 02:50 AM
yolte
Member
Join Date: Feb 2009
Posts: 10
Hello mistwang,

Will there be any progress on this issue?
  #5  
03-23-2009, 05:56 PM
IrPr
Senior Member
Join Date: Jul 2008
Posts: 147
George is right, it will slow down the server as hell,
but I think a special trick, for example scanning specified response MIME types (plain text) or requested file types (PHP), would solve the performance issue and increase security as well.

Is it possible?
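The trade-off raised in posts #2 and #5, as an added example that is not part of the thread and is not LiteSpeed or ModSecurity code: a response-body check that scans only listed MIME types and only the first N bytes, the same two controls ModSecurity 2.x exposes as SecResponseBodyMimeType and SecResponseBodyLimit. The marker list is a subset of the rule quoted in post #1; the MIME list, the limit and the name inspect_response are assumptions.

```python
import re

# Subset of the literal markers from the rule quoted in post #1 (not the full pattern).
SHELL_MARKERS = re.compile(
    r"\b(?:c99shell|r57shell|php(?:konsole| shell)|ntdaddy v1\.9)\b", re.IGNORECASE)

# Assumed policy values, chosen for illustration.
SCAN_MIME_TYPES = {"text/plain", "text/html"}   # cf. SecResponseBodyMimeType
SCAN_LIMIT = 512 * 1024                         # cf. SecResponseBodyLimit (bytes)


def inspect_response(content_type, body, limit=SCAN_LIMIT):
    """Return (status, reason); status 404 means the response is withheld."""
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime not in SCAN_MIME_TYPES:
        return 200, "skipped: mime type not scanned"
    # Only the first `limit` bytes are buffered and matched, so the cost per
    # response is bounded; anything past the cap goes out uninspected.
    window = body[:limit].decode("latin-1")
    hit = SHELL_MARKERS.search(window)
    if hit:
        return 404, "Backdoor access: " + hit.group(0).lower()
    if len(body) > limit:
        return 200, "partial: body exceeds scan limit"
    return 200, "clean"


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("text/html; charset=utf-8", b"<html><title>r57shell</title></html>"),
    ("text/html", b"<html><title>Shop</title><p>hello</p></html>"),
    ("application/zip", b"PK\x03\x04 c99shell inside an archive"),
    ("text/plain", b"A" * 64 + b" c99shell"),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(ctype, "->", inspect_response(ctype, body))
    # Same text/plain body with a 32-byte cap: the marker sits past the window.
    print(inspect_response(*SAMPLES[3], limit=32))
```

The "partial" result is the case to log and review: the lower the limit, the cheaper the scan and the more of each response leaves unchecked.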
  #6  
03-24-2009, 02:24 AM
yolte
Member
Join Date: Feb 2009
Posts: 10
Yes, it will slow down, but this is our choice. Am I wrong?
  #7  
04-29-2009, 06:17 AM
muiruri
Member
Join Date: Jun 2008
Posts: 32
For some reason, customers with Joomla sites, when they try to log on to their Joomla administrator section/control panel...

http://customer-domain.com/administrator/

get the following error:

---

406 Not Acceptable
This request is not acceptable

---

I found this is related to mod_security, so when I add the following lines in .htaccess for this specific domain:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

All works fine.

My questions are:

(a) Is there a place in the LSWS 4.0.2 menu options to turn mod_sec off for a specific host or domain? Or any better ideas to deal with this one, please?

(b) On this server, the last thing we did was upgrade OpenSSL to the latest version, 0.9.8k, and we started getting this problem.
All times are GMT -7.