mod_security

QuantumNet

Well-Known Member
#41
Got it. Support for SecMarker and the skipAfter action is required; it should be easy to implement. We do assume rule IDs are numeric, though; all examples given in the modsec document are integers.

We are adding more features for our 4.1 release to improve compatibility with modsec 2.5; however, there are some features we won't consider supporting right now:

1. xml related.
2. pdf related.
3. lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicate with mod_geoip, can use env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script

We do not plan to implement these features mainly because some of them rely on third-party libraries whose licenses may not allow us to incorporate them into our product, and some may severely slow down the non-blocking, single-threaded process; especially when a large amount of data needs to be processed, it is fatal. We have seen even PCRE hang the lshttpd process at 100% CPU.

Hope this makes our mod_sec support a little bit clearer.
BTW: we will publish a document regarding which features are supported and which are not after our 4.1 release has settled.

You don't even support the basic rule sets for it, much less any of the advanced ones you mentioned not supporting.

We cannot even use the basic config.
 

QuantumNet

Well-Known Member
#43
You state in the post I quoted that you don't support

1. xml related.
2. pdf related.
3. lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicate with mod_geoip, can use env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script
The wiki states that:
Not Yet Supported Features

scan response header/body (Note: request header/body are supported)
scan attached files content in multi-part upload
PDF functions
lua
parsing XML
But yet you don't support even the basic core ruleset:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

It doesn't matter if I disable lua, xml or even all of the configuration files except, say, the basic one:

modsecurity_crs_40_generic_attacks.conf

or
modsecurity_crs_41_xss_attacks.conf

or

modsecurity_crs_41_sql_injection_attacks.conf


None of them work with LiteSpeed, even with a single simple ruleset used... much less the 20 rulesets that are part of the core ruleset.

So to say you are compatible at all is a lie.
 

QuantumNet

Well-Known Member
#44
We pay for LiteSpeed as a product; it is not free, it is not open source, it is paid monthly and it is expensive, more expensive than any other component of web hosting except for the physical server itself.

We expect LiteSpeed to take security seriously, especially since it is a paid product. It is sad that there is better security support in open-source Apache, which is free.

I understand supporting Atomic's rulesets is a chore... they are a damn chore to figure out just using Apache, which they were developed for.

But OWASP's ModSecurity core ruleset is basic and simple, and LiteSpeed should make the effort to support at least their core ruleset.

I understand that LiteSpeed is closed source, which makes this a chore for you guys to maintain as stuff changes with the rulesets, but either come up with a way for OWASP to be compatible or come up with your own rulesets.

We pay a hefty price for your product and we deserve better support than this... this is what you are telling your customers in a nutshell:

"We support mod_security! .... but we are not going to tell you what rulesets will actually help protect your system, and you can spend hours upon hours trying to make your own and testing which ones will actually work, because we don't really support mod_security, we just say we do."


That is not the kind of attitude a paid product should have... you should get your product up to snuff to support the basic open-standard rulesets that are out there... or provide your customers with a list of rulesets that actually work to protect their systems.
 

QuantumNet

Well-Known Member
#45
P.S. Do some googling; there are actually several hosting companies leaving LiteSpeed because you give the impression that security is a joke and not to be taken seriously.
 

QuantumNet

Well-Known Member
#48
You mean mod_security is not on your priority list... Like I stated, you fail to provide any list of rules that actually work with LiteSpeed... if none of the available rules anywhere on the internet work with LiteSpeed, how can you claim you support mod_security? Because you don't... Nor are you an Apache drop-in replacement.

Because, unlike you, security actually matters to us and your other customers.

And you won't even take the time to make sure we can defend against common web application attacks... So in turn what you are telling us is that LiteSpeed is a supporter of the hacking world and they promote insecure systems.

You don't support mod_security or any of the rules, so quit saying you do; it is false advertisement.

We have tried all the rules; none work. So until you provide a set of rules that do work, it is safe to say you are liars about supporting mod_security.
 

webizen

Well-Known Member
#50
If you have any specific rules that don't work for you, send them to info@; we will evaluate them and provide you with our decision and an ETA if we decide to put them on the to-do list.
 

QuantumNet

Well-Known Member
#51
webizen,

Why do I feel like I am talking in circles with you guys... read my posts above; I showed you many rules, none of which work... I have tried every single ruleset available on the internet. None of them work.

So why don't you, as a company, support your product and actually show us a ruleset that does work? Instead you keep avoiding the fact that you have never provided a ruleset to any of your customers which actually works.

Why? Because they don't; otherwise you would provide that list in your documentation.

It shouldn't be me sending you all 100,000 rules that are available to show you that none of them work...

it should be you showing your paying customers what rules actually work.

None of the OWASP rules work... none!

Maybe, just maybe, a small number of Atomic's rules work, but I have yet to figure out which ones... but the list of supported Atomic rules is so small that you might as well not use it at all, because a couple of rules out of 1000s isn't going to provide much protection at all.


So why don't you show your customers what rules actually do work and what you do support, because it is BS that you believe that your PAYING customers should each, by themselves, spend hundreds of hours writing out their own rulesets (if they have that knowledge) and testing through trial and error whether those rulesets will even work.

And then once they get just a handful of rules that do work... the time was a waste because their limitations didn't allow them to load a ruleset that actually protects the system from any significant number of attacks.

Search your own damn forums; there are literally 100s of customers who ask you to fix the mod_security compatibility, but yet you say things like "it's low priority; if there is more demand for it we might do it."


Why don't you remove mod_security support and just tell people you don't support it, or get off your butts and provide a ruleset that will actually help protect systems from more than just a handful of attacks.



I asked you to support the OWASP ruleset because it is a very basic core ruleset and would be easy for you guys to make work, easier than Atomic's ruleset would be, but you guys don't want to support any rulesets or provide any rulesets, so

Yes, it is confirmed: you don't support mod_security...
 

QuantumNet

Well-Known Member
#52
Some other threads of people wondering why the rulesets don't work; some have gone unanswered. It's like you guys are avoiding mod_security like the plague.

http://www.litespeedtech.com/support/forum/showthread.php?t=5203

http://www.litespeedtech.com/support/forum/showthread.php?t=2697

http://www.litespeedtech.com/support/forum/showthread.php?t=4727


Third-party forum:
https://www.atomicorp.com/forums/viewtopic.php?f=14&t=4222

Quoted from that link:
As you may already know, LiteSpeed does not use or support mod_security. It does not include it or use it; rather, they created their own undocumented WAF module that supposedly supports mod_security rules, but does not. It supports an undocumented subset of the mod_security rule language, and another subset (also undocumented) of ModSecurity features, and it also may not even work the same as ModSecurity. Did I mention it's undocumented?

With that said, understand the rules are not generating errors; the LiteSpeed WAF is creating the errors because it doesn't actually support ModSecurity. If they documented their engine we could look at what rules might be possible for their webserver, but so far we and others have had no luck getting that information.

Even the first through third pages of this thread are full of people who can't get any rule sets to work:

http://www.litespeedtech.com/support/forum/showthread.php?t=4619


It is funny; here is a quote you guys wrote on your blog:
http://blog.litespeedtech.com/tag/LiteSpeed/
Our enterprise users have requested this feature and as always, we listen to our customers.
Hmm, weird, I am an enterprise customer and it doesn't seem like I am being listened to. Heck, it's even hard to get you guys to respond, which is why I am getting so frustrated.

All your customers want to see is: here, we support these rulesets; upload them to your server and restart LiteSpeed....

Please provide rulesets or add support for OWASP if you don't want to maintain the rules.
 

DanEZPZ

Well-Known Member
#53
I echo pretty much everything QuantumNet has said.

I've tried various rules using different methods and nothing appears to be working.

Why can't you guys just post a few examples of rules that you know to work to save everyone a lot of headache and trial and error?
 
#54
4.1.13 says "Improved compatibility of Apache mod_security."

Any further information on that? Searching the forums for mod_security is a bit disheartening, as it seems the staff are avoiding the topic altogether.
 
#55
Has there been any further update on this? Does anyone know if the gotroot or mod_security rules in general are any better supported? There has been a string of LiteSpeed releases now which claim to have improved mod_security support.
 

mistwang

LiteSpeed Staff
#56
mod_security has been constantly adding new features, and the gotroot rulesets keep being updated, so we do the same to keep up with them.
The latest 4.2.1 build should work well with the gotroot ruleset.
 
#57
Hi,

I tried to add the following mod_security lines to my rules, but they don't work with LiteSpeed (they're from CXS). If I switch to Apache, CXS detects infected files, but with LiteSpeed it didn't work. Could you please manage to get it working?:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecTmpDir /tmp
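As an added example (not code from this thread, from CXS or from LiteSpeed), here is a small Python audit script that flags the rule constructs this thread says are unsupported or assumed by LiteSpeed's engine: non-numeric rule ids and skipAfter without a matching SecMarker (post #41), plus external script execution such as the @inspectFile rule above, response body inspection, geo lookup and XML/PDF/Lua features. The mapping of specific ModSecurity 2.5 directives to those categories and the sample rule file are my assumptions.

```python
import re

# Assumption: ModSecurity 2.5 constructs mapped to the categories post #41 lists as unsupported.
UNSUPPORTED = [
    (r"@inspectFile\b|\bexec:", "executing external script"),
    (r"\bXML:|@validateDTD\b|@validateSchema\b|^SecPdfProtect|^SecRuleScript", "xml/pdf/lua related"),
    (r"@geoLookup\b|\bGEO:", "geo lookup"),
    (r"\bRESPONSE_(BODY|HEADERS)\b", "inspecting response body/headers"),
]

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1].rstrip() + " "
            continue
        buf = (buf + raw).strip()
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out

def audit(text):
    """Return (logical line, problem) pairs for a ModSecurity rule file."""
    findings, markers, skips = [], set(), []
    for line in logical_lines(text):
        m = re.match(r"SecMarker\s+(\S+)", line)
        if m:
            markers.add(m.group(1).strip("\"'"))
            continue
        for pat, feature in UNSUPPORTED:
            if re.search(pat, line):
                findings.append((line, f"uses unsupported feature: {feature}"))
        for rid in re.findall(r"\bid:'?(\w+)'?", line):  # post #41: ids are assumed numeric
            if not rid.isdigit():
                findings.append((line, f"non-numeric rule id {rid!r}"))
        skips += [(line, t) for t in re.findall(r"skipAfter:'?([^,'\"]+)", line)]
    for line, target in skips:  # post #41: skipAfter needs a SecMarker to jump to
        if target not in markers:
            findings.append((line, f"skipAfter target {target!r} has no SecMarker"))
    return findings

# Constructed sample: CRS-style rules plus the CXS rule quoted in post #57.
SAMPLE = r'''
SecRule REQUEST_URI "@contains /admin" "phase:1,pass,nolog,id:900001,skipAfter:END_ADMIN"
SecMarker END_ADMIN
SecRule RESPONSE_BODY "error in your SQL" "phase:4,deny,log,id:970001"
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
    "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecRule REMOTE_ADDR "@geoLookup" "phase:1,pass,id:'geo_rule',skipAfter:END_GEO"
'''
```

Running `audit(SAMPLE)` reports five findings; rules that pass clean are the ones worth trying on the LiteSpeed engine first.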
 

XN-Matt

Well-Known Member
#60
mod_security has been constantly adding new features, and the gotroot rulesets keep being updated, so we do the same to keep up with them.
The latest 4.2.1 build should work well with the gotroot ruleset.
I'm not so sure. Tried it with 4.2.1.

No matter what you tried to load, everything gave a 406:

Message: [client x.x.x.x] mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]
 