SecAction phase:2 skipAfter kills modsecurity

[AndyB78]

Hi,

I was wondering if LiteSpeed should have any issue with this kind of mod_security directive:

SecAction phase:2,pass,nolog,skipAfter:1234123450,id:1234123411

My problem is that the rule list stops being processed at any such line. I didn't know why mod_security is not working on our LiteSpeed servers only to find out that the above directive is killing it. Rules are processed until any such directive and after it, no rule is processed. I had to comment out all SecAction...skipAfter directives to make it somewhat work.

What do you think is the problem?

Thanks!

 

[mistwang]

skipAfter:1234123450

By definition, modsec engine will location rule with id of 1234123450, or matching SecMarker, then jump to next rule. If cannot find any thing match, the whole rule set will be skipped.

 

[AndyB78]

But the skipAfter target exists.

 

[mistwang]

What is the target.
SecMarker 1234123450

or

SecRule ... "id:1234123450"

If you use SecMarker, use a non-numeric ID to avoid confusion.
If you use SecRule, make sure the ID value is less than the maximum value of 32bit integer.

 

[AndyB78]

The target is a SecRule and I believe 1.234.123.450 falls inside a 32bit integer scope.

 

[mistwang]

Please try latest build of LSWS 5.0.7

/usr/local/lsws/admin/misc/lsup.sh -f -v 5.0.7

Should be fixed.