04-28-2012, 03:04 PM
Senior Member
Join Date: Nov 2007
Posts: 61
Quote:
Originally Posted by mistwang
Got it. Support for SecMarker and the skipAfter action is required, and should be easy to implement. We do assume the rule ID is numeric though; all examples given in the modsec document are integers.
We are adding more features for our 4.1 release to improve compatibility with modsec 2.5; however, there are some features we won't consider supporting right now:
1. XML related.
2. PDF related.
3. Lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicates mod_geoip; can use the env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script
We do not plan to implement these features mainly because some features may rely on third-party libraries whose license may not allow us to incorporate them into our product, and some features may severely slow down the non-blocking, single-thread process; especially when a large amount of data needs to be processed, it is fatal. We have seen even PCRE hanging the lshttpd process with 100% CPU.
Hope this makes our mod_sec support a little bit clearer.
BTW: we will publish a document regarding which features are supported and which are not after our 4.1 release has settled.

You don't even support the basic rule sets for it, much less any of the advanced ones you mentioned not supporting.
We cannot even use the basic config.

04-29-2012, 10:57 AM
Senior Member
Join Date: Nov 2007
Posts: 61
You state in the post I quoted that you don't support:
Quote:
1. XML related.
2. PDF related.
3. Lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicates mod_geoip; can use the env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script

The wiki states that:
Quote:
Not Yet Supported Features
scan response header/body (Note: request header/body are supported)
scan attached file content in multi-part upload
PDF functions
Lua
parsing XML
But yet you don't support even the basic core ruleset:
https://www.owasp.org/index.php/Cate...le_Set_Project
It doesn't matter if I disable Lua, XML, or even all of the configuration files except, say, the basic one:
modsecurity_crs_40_generic_attacks.conf
or
modsecurity_crs_41_xss_attacks.conf
or
modsecurity_crs_41_sql_injection_attacks.conf
None of them work with LiteSpeed, even with a single simple ruleset used... much less the 20 rulesets that are part of the core ruleset,
so to say you are compatible at all is a lie.
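As an added example (not LiteSpeed's, OWASP's or any poster's code), the following Python script audits a ModSecurity 2.5 configuration against the feature list quoted from mistwang's post and the wiki excerpt above: it flags rules that need SecMarker/skipAfter, rules whose id is not an integer, and rules that use the XML, PDF, Lua, geo-lookup, response-body or external-script features, so an administrator can see which CRS rules a given server cannot honour before relying on them. The indicator patterns and the sample configuration are my own assumptions, not a LiteSpeed-published list.

```python
import re

# Feature classes the post lists as unsupported (SecMarker/skipAfter: "to be
# added"), keyed to ModSecurity 2.5 syntax; the patterns are my own choice.
UNSUPPORTED = {
    "xml": r"\bXML:|@validate(?:DTD|Schema)\b|requestBodyProcessor=XML",
    "pdf": r"^SecPdfProtect",
    "lua": r"^SecRuleScript\b|\.lua\b",
    "geo": r"@geoLookup\b|\bGEO:",
    "response_body": r"\bRESPONSE_(?:BODY|HEADERS)\b",
    "exec": r"\bexec:|@inspectFile\b",
}

def iter_directives(text):
    """Yield one string per directive, backslash continuations joined."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_rules(text):
    """Return (rule_id_or_directive, feature) pairs for directives that need
    a feature the post says is missing, or whose id is not an integer."""
    findings = []
    for d in iter_directives(text):
        m = re.search(r"""\bid:'?([^,'"]+)'?""", d)
        rid = m.group(1) if m else d.split('"')[0].strip()
        if d.startswith("SecMarker") or re.search(r"\bskipAfter:", d):
            findings.append((rid, "skip_marker"))
        if m and not rid.isdigit():  # vendor assumes integer rule ids
            findings.append((rid, "non_numeric_id"))
        findings += [(rid, f) for f, p in UNSUPPORTED.items() if re.search(p, d)]
    return findings

# Constructed sample in CRS style; the file paths are placeholders.
SAMPLE_CONF = """\
SecMarker BEGIN_CUSTOM
SecRule REQUEST_HEADERS:Content-Type "text/xml" \\
    "phase:1,id:900001,t:none,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule XML:/* "@validateSchema /etc/modsec/schema.xsd" "phase:2,id:900002,deny"
SecRule ARGS "(?i)union\\s+select" "phase:2,id:900003,deny,skipAfter:END_CUSTOM"
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:900004,pass,nolog"
SecRule RESPONSE_BODY "password" "phase:4,id:900005,deny"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/scan.lua" "phase:2,id:900006,deny"
SecRule ARGS "foo" "phase:2,id:'abc-1',pass"
SecMarker END_CUSTOM
"""
```

Run `audit_rules(open("modsecurity_crs_40_generic_attacks.conf").read())` on a real CRS file to list the rules that depend on a missing feature; a rule that is not listed is at least syntactically within the supported subset, which says nothing about whether it actually fires.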

04-29-2012, 11:07 AM
Senior Member
Join Date: Nov 2007
Posts: 61
We pay for LiteSpeed as a product. It is not free, it is not open source, it is paid monthly, and it is expensive, more expensive than any other component of web hosting except for the physical server itself.
We expect LiteSpeed to take security seriously, especially since it is a paid product. It is sad that there is better security support in the open-source Apache, which is free.
I understand supporting Atomic's rulesets is a chore... they are a damn chore to figure out just using Apache, which they were developed for.
But OWASP's ModSecurity core ruleset is basic and simple, and LiteSpeed should make the effort to support at least their core ruleset.
I understand that LiteSpeed is closed source, which makes this a chore for you guys to maintain as stuff changes with the rulesets, but either come up with a way for OWASP to be compatible or come up with your own rulesets.
We pay a hefty price for your product and we deserve to have better support than this... this is what you are telling your customers in a nutshell:
"We support mod_security! .... but we are not going to tell you what rulesets will actually help protect your system, and you can spend hours upon hours trying to make your own and testing which ones will actually work, because we don't really support mod_security, we just say we do."
That is not the kind of attitude a paid product should support... you should get your product up to snuff to support the basic open standard rulesets that are out there... or provide your customers with a list of rulesets that actually work to protect their systems.

04-29-2012, 11:11 AM
Senior Member
Join Date: Nov 2007
Posts: 61
P.S. Do some googling; there are actually several hosting companies leaving LiteSpeed because you give the impression that security is a joke and not to be taken seriously.

05-25-2012, 02:51 AM
Senior Member
Join Date: Nov 2007
Posts: 61
Any update?

05-25-2012, 12:13 PM
LiteSpeed Staff
Join Date: Oct 2010
Posts: 2,337
OWASP was not on our priority list. If there is more demand, we will consider it.

05-25-2012, 03:33 PM
Senior Member
Join Date: Nov 2007
Posts: 61
You mean mod_security is not on your priority list... Like I stated, you fail to provide any list of any rules that actually work with LiteSpeed... if none of the available rules anywhere on the internet work with LiteSpeed, how can you claim you support mod_security? Because you don't. Nor are you an Apache drop-in replacement.
Because, unlike you, security actually matters to us and your other customers.
And you won't even take the time to make sure we can defend against common web application attacks... So in turn what you are telling us is that LiteSpeed is a supporter of the hacking world and they promote insecure systems.
You don't support mod_security or any of the rules, so quit saying you do; it is false advertisement.
We have tried all the rules; none work. So until you provide a set of rules that do work, it is safe to say you are liars about supporting mod_security.

05-25-2012, 03:35 PM
Senior Member
Join Date: Nov 2007
Posts: 61
Sorry for the typos; Swype on my phone is being retarded.

05-25-2012, 04:24 PM
LiteSpeed Staff
Join Date: Oct 2010
Posts: 2,337
If you have any specific rules that don't work for you, send them to info@, and we will evaluate them and provide you with our decision and an ETA if we decide to put them on the to-do list.