A list of tested mod_security rulesets

Monarobase

Well-Known Member
#1
Hello,

You say that the latest version of litespeed has improved compatibility with gotroot rule set.

When people ask what rules are compatible you say please inform us if you find any compatibility issues. I do not want to beta test for compatibility issues. I presume that, as you increased the compatibility, you tested a ruleset; could you please tell us exactly which one so we can run the tested ruleset?

You also say that you do your best to keep up with mod_security compatibility.

Would it be possible with each release of litespeed that improves mod_security compatibility to inform us what date of rulesets you tested?

Is litespeed compatible with got_root's mod security 2.7 rules? (i.e. ASL 3.2.x)

I think we would all like to have a litespeed tested ruleset with any rules that aren't compatible removed.

From what I have read, Atomicorp would also like to have a documentation of what is compatible and what is not. They might even produce a litespeed compatible ruleset if you would give them the information they need to do it.

I've given up with their T-WAF because there were too many issues and it doesn't make sense to run Apache in front of Litespeed.

You are working hard on making ASL compatible with the gotroot ruleset, could you please publish your internal compatibility test results as well as the rules that you tested?

Thanks
 
#3
Hello,

I would also be interested in getting some concrete information on what actually works.

We tried atomic ruleset on cPanel + Litespeed but came across so many errors on that.
 

NiteWave

Administrator
#7
We support the paid version -- many of our users are now running it and it is working fine, although not as good as Apache, as stated in a previous post. And we've been working on it to support any new rules after reviewing/investigating them.
 

stormy

Well-Known Member
#8
That's good to know.

So - how should I use the paid rules then? They insist that you need either a WAF or their ASL product, and they won't support any other configuration.

Can you add some documentation on how to install their rules and keep them upgraded?

I hope progress is made towards full compatibility soon :)
 

NiteWave

Administrator
#9
> They insist that you need either a WAF or their ASL product, and they won't support any other configuration.

https://www.atomicorp.com/wiki/index.php/ASL_WAF
maybe refer
1) Embedded mode
2) Transparent/Proxy mode (T-WAF)

then it's 1) Embedded mode

You can set up Apache first, install the mod_security module, and make sure the gotroot rules work. In the end, install LiteSpeed. It'll read and parse Apache's httpd.conf, including the mod_security rules.
 

stormy

Well-Known Member
#10
For reference, this is their official stance:
https://www.atomicorp.com/wiki/index.php/Litespeed

Here's some select quotes (bold is mine):

> The rules are not supported with Litespeed, but some of them may work. This is not a limitation in our rules, this is a limitation in Litespeed.
>
> (...)
>
> The Litespeed module is not a drop in compatible replacement for modsecurity, it is not feature complete, it does not work like modsecurity and it only supports a subset of the rule language that all modsecurity rules depend on.
>
> (...)
>
> Litespeed will silently ignore rules and rule language it does not understand, so mod_security rules will appear to work with Litespeed. So unlike the real modsecurity, you won't even get an error if something doesn't work right.
>
> (...)
>
> We've done extensive testing with Litespeed, and Litespeed doesn't support the complete rule language and it silently ignores rules and options it doesn't understand. That means that only some of the rules may be working. And of those, they may not even be working correctly, which means more false positives for you, and it also means the rules that are working may be missing attacks (because they require modsecurity features Litespeed doesn't support), plus all the rules that aren't working you'll never know about and none of those attacks will be stopped.

That doesn't inspire a whole lot of confidence :)

It seems that the Litespeed team and the Atomicorp team are at odds somehow. It would be great for everyone involved if you could find a way to work together and bring full mod_security support to Litespeed.
 

Michael

Well-Known Member
Staff member
#11
Hi Stormy,

There are definitely things we would like to improve about our ModSecurity support. This has become a main focus for us and will continue to be in the near future.
 

stormy

Well-Known Member
#12
> Hi Stormy,
>
> There are definitely things we would like to improve about our ModSecurity support. This has become a main focus for us and will continue to be in the near future.

It's good to hear that, especially now that the free rules have been discontinued. Thanks!
 

stormy

Well-Known Member
#14
Michael, that is fantastic news! I'm already an Atomicorp rules user, and it's great that rule support keeps improving. I'm still looking for a way to block brute force attacks against WordPress and Joomla, but it seems it can't be done without ASF.
 
#15
One user told us (on Feb. 26) that the following rules work well:
Code:
<LocationMatch /wp-login.php>
# only match POST requests
SecRule REQUEST_METHOD "(^POST$)" "chain,id:'1303701',rev:'1',phase:1,deny,status:403,msg:'Too many requests'"
# increment the per-IP pagecount; the counter expires after 300 s
SecAction "nolog,noauditlog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=300,chain,t:none"
# deny (403) once pagecount > 5
SecRule IP:PAGECOUNT "@gt 5" ""
</LocationMatch>
FYI
 

bettinz

Well-Known Member
#16
I'm using Comodo rules since they started, and it works great.
They have different rules for Apache and LiteSpeed, and a plugin for cPanel... for free :)
waf.comodo.com
 

wanah

Well-Known Member
#17
I'm very interested in Comodo's ruleset, haven't actually tried them yet as some people had issues with the first versions.

https://forums.comodo.com/free-mods...b-application-firewall-b223.0/-t102938.0.html

Very nice that comodo should actually try and make their product compatible with litespeed instead of atomi's approach to say litespeed must try and keep up with them.

I tried the paid version of atomicorp's ruleset and while they fixed issues very quickly when they were reported, there were so many issues and such a high resource usage that we abandoned them altogether. We even tried their T-WAF but it would crash sometimes without warning and without restarting.

I believe litespeed should start looking at other solutions, now there is no longer a free ruleset, Comodo's ruleset seems like a very good alternative.
 

stormy

Well-Known Member
#18
Thanks for all the info! I will be considering Comodo as well, when my Atomicorp subscription runs out.

Any ideas to protect Joomla against brute force attacks? All the rules I have found use output analysis, which is not available.
 

Michael

Well-Known Member
Staff member
#19
> I'm very interested in Comodo's ruleset, haven't actually tried them yet as some people had issues with the first versions.
>
> https://forums.comodo.com/free-mods...b-application-firewall-b223.0/-t102938.0.html
>
> Very nice that comodo should actually try and make their product compatible with litespeed instead of atomi's approach to say litespeed must try and keep up with them.
>
> I tried the paid version of atomicorp's ruleset and while they fixed issues very quickly when they were reported, there were so many issues and such a high resource usage that we abandoned them altogether. We even tried their T-WAF but it would crash sometimes without warning and without restarting.
>
> I believe litespeed should start looking at other solutions, now there is no longer a free ruleset, Comodo's ruleset seems like a very good alternative.

Howdy @wanah,

We will continue to work with both companies and whoever else wants to lend their expertise to the cause.

I would just like to make clear that Atomicorp has put serious hard work into figuring out what parts of their ModSecurity rules LSWS will not work with (and making that clear to their users). In the same vein, we are thankful to Comodo for choosing to expend the effort required to maintain a separate ruleset. At the moment, I believe there can be no objective determinations as to which ruleset provides better security, but it is not like one company is working harder than the other.

This process is still in its childhood and the most important step in this process is the next one: Working with these companies to isolate which areas of LSWS need improvement and improving said areas. Atomicorp has been very helpful so far with their advice and collaboration.

m
 

bettinz

Well-Known Member
#20
> One user told us (on Feb. 26) that the following rules work well:
> Code:
> <LocationMatch /wp-login.php>
> # only match POST requests
> SecRule REQUEST_METHOD "(^POST$)" "chain,id:'1303701',rev:'1',phase:1,deny,status:403,msg:'Too many requests'"
> # increment the per-IP pagecount; the counter expires after 300 s
> SecAction "nolog,noauditlog,initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=300,chain,t:none"
> # deny (403) once pagecount > 5
> SecRule IP:PAGECOUNT "@gt 5" ""
> </LocationMatch>
> FYI

I've found a problem with this code (and with Location or LocationMatch); this problem is not happening with Apache, but only with Litespeed.
If my WordPress site is www.test.com, after x failed logins I'm blocked -> OK.
If my WordPress site is www.test.com/wp (or any subdirectory) the rule doesn't work, and I can try an unlimited number of times without blocks.

Can you check this thing for 4.2.8? Thanks :)
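
A check for the two problems raised in this thread, rules that are silently not enforced (the Atomicorp quotes in post #10) and the login limit not applying under a subdirectory (post #20), as an added example that is not part of any post: it probes each login path and reports the attempt at which HTTP 403 first appears. The local stub server and the names `make_stub`, `first_denied` and `audit` are constructed for illustration; the stub only emulates the reported behaviour and is not LiteSpeed.

```python
import threading
import urllib.error
import urllib.request
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

LIMIT = 5  # the posted rule denies once IP.pagecount is greater than 5
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxy

def make_stub(root_only):
    """Constructed local stand-in for a rule-protected site (not LiteSpeed).
    root_only=True emulates the report in post #20: the limit only applies
    when wp-login.php sits at the document root."""
    counts = defaultdict(int)

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            covered = (self.path == "/wp-login.php" if root_only
                       else self.path.endswith("/wp-login.php"))
            ip = self.client_address[0]
            counts[ip] += covered  # per-IP counter, like IP.pagecount
            self.send_response(403 if covered and counts[ip] > LIMIT else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the probe output clean
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def first_denied(url, attempts=10):
    """POST `attempts` times; return the 1-based attempt that first got
    HTTP 403, or None if the limit never triggered."""
    for n in range(1, attempts + 1):
        req = urllib.request.Request(url, data=b"probe=1", method="POST")
        try:
            OPENER.open(req, timeout=5).close()
        except urllib.error.HTTPError as err:
            if err.code == 403:
                return n
    return None

def audit(server, paths):
    """Map each login path to the attempt at which it was first denied."""
    base = "http://127.0.0.1:%d" % server.server_address[1]
    return {path: first_denied(base + path) for path in paths}
```

Against your own install, pass each site's login URL to `first_denied`; a `None` result means the rule never fired on that path, which is the silent failure described above.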
 