LSWS 4.2.2 VS mod_security

DraCoola

Well-Known Member
#1
The latest 4.2.2 build won't block with this simple rule:

####
SecRule REQUEST_URI "/any-folder/.+/filename.\php" "id:20202020,rev:1,severity:2,msg:'must be denied',deny" \
####

After performing /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.1, the rule above did block filename.php as it should.



Please fix it :(
 

DraCoola

Well-Known Member
#4
Hi NiteWave,

Thank you, I will be eagerly waiting for that next build.
By the way:

-----------------
lsphp5:/home/username/andsoon
-----------------

will be more neat than :

-----------------
/usr/local/lsws/fcgi-bin/lsphp5:/home/username/andsoon
-----------------

that you are using now on 4.2.2, while running top -c in ssh
 

DraCoola

Well-Known Member
#8
By the way, I hope the next build of lsws will revert back to the neat old fashion of lsws processing as below:





because the newest build is showing too long a process line:

 

brrr

Well-Known Member
#10
After several years of running the same rules on LSWS Standard without any problem all the way up to 4.2.1, I just upgraded to 4.2.2 and now see a lot of this:

2013-03-23 13:26:04.114 ERROR [ModSecurity] unknown server variable while parsing: HEADER_USER_AGENT
2013-03-23 13:26:04.115 ERROR [ModSecurity] unknown server variable while parsing: HEADER_USER_AGENT

The rules are simple ones that look like this:

SecFilterSelective HEADER_USER_AGENT ^Morfeus
or
SecFilterSelective HEADER_USER_AGENT "Toata"
And the action is:
log,deny,status:404,msg:'Badbot blocked'
Why do these rules break now?
 

DraCoola

Well-Known Member
#11
hi brr,

you might want to try "SecRule REQUEST_HEADERS:User-Agent" rather than "SecFilterSelective HEADER_USER_AGENT"
 

brrr

Well-Known Member
#13
Thank you DraCoola and mistwang! Using the 2.5 syntax did work.

I should have updated the syntax to 2.5 a long time ago I suppose.

But it was a case of 'if it ain't broke, don't fix it', so up until 4.2.2, I got lazy. :)
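
The change suggested in this thread, from the legacy `SecFilterSelective HEADER_USER_AGENT` form to the 2.5-style `SecRule REQUEST_HEADERS:User-Agent` form, sketched as a small migration helper. This is an added example, not part of the original posts and not LiteSpeed's or ModSecurity's own code. The function names, the placeholder rule ids starting at 900001, and the general `HEADER_X_Y` to `X-Y` naming rule are assumptions; only the `HEADER_USER_AGENT` mapping comes from the thread.

```python
import re
from collections import Counter

# Error format as logged in the thread; the unknown variable is the last token.
LOG_RE = re.compile(r"\[ModSecurity\] unknown server variable while parsing: (\S+)")
# Legacy form: SecFilterSelective LOCATION PATTERN [ACTIONS]
LEGACY_RE = re.compile(
    r'^\s*SecFilterSelective\s+(\S+)\s+("[^"]*"|\S+)(?:\s+("[^"]*"|\S+))?\s*$')

def unknown_variables(log_text):
    """Collapse repeated parser errors into a {variable: count} Counter."""
    return Counter(LOG_RE.findall(log_text))

def header_name(legacy_var):
    """HEADER_USER_AGENT -> User-Agent (naming rule is an assumption)."""
    words = legacy_var[len("HEADER_"):].split("_")
    return "-".join(w.capitalize() for w in words)

def convert_rule(line, default_action, rule_id):
    """Rewrite one legacy header filter as a SecRule; None if not applicable."""
    m = LEGACY_RE.match(line)
    if not m or not m.group(1).startswith("HEADER_"):
        return None
    var, pattern, action = m.groups()
    pattern = pattern.strip('"').replace('"', '\\"')
    action = (action or default_action).strip('"')
    return 'SecRule REQUEST_HEADERS:%s "%s" "id:%d,%s"' % (
        header_name(var), pattern, rule_id, action)

def migrate(rules, default_action, first_id=900001):
    """Convert what matches, pass other lines through (first_id is a placeholder)."""
    return [convert_rule(line, default_action, first_id + i) or line
            for i, line in enumerate(rules)]

# Two of the log lines and both rules quoted in the thread.
SAMPLE_LOG = (
    "2013-03-23 13:26:04.114 ERROR [ModSecurity] unknown server variable "
    "while parsing: HEADER_USER_AGENT\n"
    "2013-03-23 13:26:04.115 ERROR [ModSecurity] unknown server variable "
    "while parsing: HEADER_USER_AGENT\n")
SAMPLE_RULES = ['SecFilterSelective HEADER_USER_AGENT ^Morfeus',
                'SecFilterSelective HEADER_USER_AGENT "Toata"']
ACTION = "log,deny,status:404,msg:'Badbot blocked'"

if __name__ == "__main__":
    print(dict(unknown_variables(SAMPLE_LOG)))
    print("\n".join(migrate(SAMPLE_RULES, ACTION)))
```

After an upgrade, a non-empty result from `unknown_variables` on the error log means rules naming those variables were not parsed, so the corresponding blocks should be re-tested after conversion.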
 