mod_security

Discussion in 'General' started by markb1439, Jan 23, 2011.

  1. QuantumNet

    QuantumNet New Member


    You don't even support the basic rule sets for it, much less any of the advanced ones you mentioned not supporting.

    We cannot even use the basic config.
  2. NiteWave

    NiteWave Administrator

  3. QuantumNet

    QuantumNet New Member

    You state in the post I quoted that you don't support

    the wiki states that
    But yet you don't support even the basic core ruleset:
    https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

    It doesn't matter if I disable lua, xml, or even all of the configuration files except, say, the basic one:

    modsecurity_crs_40_generic_attacks.conf

    or
    modsecurity_crs_41_xss_attacks.conf

    or

    modsecurity_crs_41_sql_injection_attacks.conf


    None of them work with LiteSpeed, even with a single simple ruleset used... much less the 20 rulesets that are part of the core ruleset.

    So to say you are compatible at all is a lie.
  4. QuantumNet

    QuantumNet New Member

    We pay for LiteSpeed as a product. It is not free, it is not open source, it is paid monthly, and it is expensive, more expensive than any other component of web hosting except for the physical server itself.

    We expect LiteSpeed to take security seriously, especially since it is a paid product. It is sad that there is better security support in the open-source Apache, which is free.

    I understand supporting Atomic's rulesets is a chore... they are a damn chore to figure out just using Apache, which they were developed for.

    But OWASP's mod_security core ruleset is basic and simple, and LiteSpeed should make the effort to support at least their core ruleset.

    I understand that LiteSpeed is closed source, which makes this a chore for you guys to maintain as stuff changes with the rulesets, but either come up with a way for OWASP to be compatible or come up with your own rulesets.

    We pay a hefty price for your product and we deserve to have better support than this... this is what you are telling your customers in a nutshell:

    "We support mod_security! .... but we are not going to tell you what rulesets will actually help protect your system, and you can spend hours upon hours trying to make your own and testing which ones will actually work, because we don't really support mod_security, we just say we do."


    That is not the kind of attitude a paid product should support... you should get your product up to snuff to support the basic open standard rulesets that are out there... or provide your customers with a list of rulesets that actually work to protect their systems.
  5. QuantumNet

    QuantumNet New Member

    P.S. Do some googling; there are actually several hosting companies leaving LiteSpeed because you give the impression that security is a joke and not to be taken seriously.
  6. QuantumNet

    QuantumNet New Member

    Any update?
  7. webizen

    webizen New Member

    OWASP was not on our priority list. If there is more demand, we will consider it.
  8. QuantumNet

    QuantumNet New Member

    You mean mod_security is not on your priority list... Like I stated, you fail to provide any list of any rules that actually work with LiteSpeed... if none of the available rules anywhere on the internet work with LiteSpeed, how can you claim you support mod_security? Because you don't. Nor are you an Apache drop-in replacement.

    Because, unlike you, security actually matters to us and your other customers.

    And you won't even take the time to make sure we can defend against common web application attacks... So in turn what you are telling us is LiteSpeed is a supporter of the hacking world and they promote insecure systems.

    You don't support mod_security or any of the rules, so quit saying you do; it is false advertisement.

    We have tried all the rules; none work. So until you provide a set of rules that do work, it is safe to say you are liars about supporting mod_security.
  9. QuantumNet

    QuantumNet New Member

    Sorry for the typos, Swype on my phone is being retarded.
  10. webizen

    webizen New Member

    If you have any specific rules that don't work for you, send them to info@; we will evaluate and provide you with our decision and an ETA if we decide to put them on the to-do list.
  11. QuantumNet

    QuantumNet New Member

    webizen,

    why do I feel like I am talking in circles with you guys... read my posts above, I showed you many rules, none of which work... I have tried every single ruleset available on the internet. None of them work.

    So why don't you, as a company, support your product and actually show us a ruleset that does work? Instead you keep avoiding the fact that you have never provided a ruleset to any one of your customers which actually works.

    Why? Because they don't; otherwise you would provide that list in your documentation.

    It shouldn't be me sending you all 100,000 rules that are available to show you that none of them work...

    It should be you showing your paying customers what rules actually work.

    None of the OWASP rules work... none!

    Maybe, just maybe, a small amount of Atomic's rules work, but I have yet to figure out which ones... but the list of supported Atomic rules is so small that you might as well not use it at all, because those couple of rules out of 1000s that don't work is going to provide much protection at all.


    So why don't you show your customers what rules actually do work and what you do support? Because it is BS that you believe that your PAYING customers, each by themselves, should spend hundreds of hours writing out their own rulesets (if they have that knowledge) and testing through trial and error whether those rulesets will even work.

    And then once they get just a handful of rules that do work... the time was a waste, because their limitations didn't allow them to load a ruleset that actually protects the system from any significant amount of attacks.

    Search your own damn forums; there are literally 100s of customers who ask you to fix the mod_security compatibility, but yet you say things like "it's low priority, if there is more demand for it we might do it."


    Why don't you remove mod_security support and just tell people you don't support it, or get off your butts and provide a ruleset that will actually help protect systems from more than just a handful of attacks?



    I asked you to support the OWASP ruleset because it is a very basic core ruleset and would be easy for you guys to make work, easier than Atomic's ruleset would be, but you guys don't want to support any rulesets or provide any rulesets, so

    Yes, it is confirmed: you don't support mod_security...
  12. QuantumNet

    QuantumNet New Member

    Some other threads of people wondering why the rulesets don't work, some gone unanswered; it's like you guys are avoiding mod_security like the plague:

    http://www.litespeedtech.com/support/forum/showthread.php?t=5203

    http://www.litespeedtech.com/support/forum/showthread.php?t=2697

    http://www.litespeedtech.com/support/forum/showthread.php?t=4727


    Third-party forum:
    https://www.atomicorp.com/forums/viewtopic.php?f=14&t=4222

    Quoted from that link:

    Even the first through third page of this thread is full of people who can't get any rule sets to work:

    http://www.litespeedtech.com/support/forum/showthread.php?t=4619


    It is funny, here is a quote you guys wrote on your blog:
    http://blog.litespeedtech.com/tag/LiteSpeed/
    Hmm, weird, I am an enterprise customer; it doesn't seem like I am being listened to. Heck, it's even hard to get you guys to respond, which is why I am getting so frustrated.

    All your customers want to see is: here, we support these rulesets, upload them to your server and restart LiteSpeed....

    Please provide rulesets, or add support for OWASP if you don't want to maintain the rules.
  13. DanEZPZ

    DanEZPZ Member

    I echo pretty much everything QuantumNet has said.

    I've tried various rules using different methods and nothing appears to be working.

    Why can't you guys just post a few examples of rules that you know to work to save everyone a lot of headache and trial and error?
  14. Corey

    Corey New Member

    4.1.13 says "Improved compatibility of Apache mod_security."

    Any further information on that? Searching the forums for mod_security is a bit disheartening, as it seems the staff are avoiding the topic altogether.
  15. ElliotP

    ElliotP New Member

    Has there been any further update to this? Does anyone know if the gotroot or mod_security rules in general are any better supported? There has been a string of LiteSpeed releases now which claim to have improved mod_security support.
  16. mistwang

    mistwang LiteSpeed Staff

    mod_security has been constantly adding new features, and the gotroot rulesets keep being updated, so we do too, to keep up with it.
    The latest 4.2.1 build should work well with the gotroot ruleset.
  17. wemnael

    wemnael New Member

    Hi,

    I tried to add the following mod_security lines to my rules, but they don't work with LiteSpeed (it's from CXS). If I switch to Apache, CXS is detecting infected files, but with LiteSpeed it didn't work. Could you please manage to get it working?:
    SecRequestBodyAccess On
    SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
    "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
    SecTmpDir /tmp
  18. webizen

    webizen New Member

  19. NiteWave

    NiteWave Administrator

  20. XN-Matt

    XN-Matt Member

    I'm not so sure. Tried it with 4.2.1.

    No matter what you tried to load, everything gave a 406:

    Message: [client x.x.x.x] mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]
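The deny message above has an empty `[Rule: '' '']` and an empty `[MatchedString ""]`, which is the tell that the engine blocked without any loaded rule content. The following triage script is an added example, not code from the thread or from LiteSpeed; it parses log lines in exactly that shape and separates "blind" denies (no rule, no match) from hits that name a variable and operator. The sample lines are constructed; only the first mirrors the message quoted in the post.

```python
import re

# Constructed sample lines in the shape quoted in the thread. Line 1 mirrors the
# reported symptom (empty rule, empty match); lines 2 and 3 are invented for
# contrast and show what a hit from a loaded rule set looks like.
SAMPLE_LOG = """\
Message: [client 192.0.2.10] mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]
Message: [client 192.0.2.11] mod_security: Access denied with code 406, [Rule: 'ARGS' '@rx (?i:union\\s+select)'] [severity "CRITICAL"] [MatchedString "union select"]
Message: [client 192.0.2.12] mod_security: Warning. Pattern match [Rule: 'REQUEST_URI' '@contains ../'] [severity "NOTICE"] [MatchedString "../"]
"""

HEAD_RE = re.compile(r"\[client (?P<client>[^\]]+)\] mod_security: (?P<action>.*?)\s*(?=\[Rule:)")
RULE_RE = re.compile(r"\[Rule: '(?P<var>[^']*)' '(?P<op>[^']*)'\]")
KV_RE = re.compile(r'\[(?P<key>[A-Za-z]+) "(?P<val>[^"]*)"\]')  # [severity "..."], [MatchedString "..."]


def parse_line(line):
    """Return a dict for one mod_security message line, or None if it is not one."""
    head = HEAD_RE.search(line)
    if not head:
        return None
    rule = RULE_RE.search(line)
    fields = dict(KV_RE.findall(line))
    code = re.search(r"code (\d+)", head.group("action"))
    return {
        "client": head.group("client"),
        "code": int(code.group(1)) if code else None,
        "variable": rule.group("var") if rule else None,
        "operator": rule.group("op") if rule else None,
        "severity": fields.get("severity"),
        "matched": fields.get("MatchedString"),
    }


def is_blind_deny(event):
    """No variable, no operator and no matched string: the engine acted with no
    rule content, i.e. the rule set was not loaded or was rejected."""
    return not event["variable"] and not event["operator"] and not event["matched"]


def triage(log_text):
    """Split log lines into (blind denies, genuine rule hits)."""
    blind, hits = [], []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            (blind if is_blind_deny(event) else hits).append(event)
    return blind, hits
```

A burst of blind denies across every client is a configuration failure to fix, not traffic to investigate; the genuine hits are the ones worth correlating with access logs.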
