Request Filtering not working...

#1
I have tried the following :

Included a conf file into httpd.conf which contains...

SecFilterEngine On
SecServerSignature "Litespeed"
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecDebugLog logs/modsec-debug_log
SecDebugLogLevel 4
SecTmpDir /tmp
SecUploadKeepFiles Off
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,auditlog,status:412"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

I have tried enabling and disabling Request filters with this entry.

I have also tried putting an entry directly into the list which doesn't seem to work either.

What am I missing here?
 
#3
Um, sorry for not making that clear. We are evaluating Enterprise trial edition at present.
Or are you stating that only the full license supports mod_security rules?
(We were hoping to evaluate this on Litespeed particularly as Apache runs like a dog on our ruleset).
 
#5
I know it SHOULD be.

But that's why I have raised this issue.
It's not.

I created a subdir called bin.
In this I placed a script called websendmail. (just a junk script that does not perform this function)

I can access this although I should not be able to...

Test url is http://test.plesk-bsd2.hosting.isx.net.nz/websendmail

Rule is :
SecFilterSelective THE_REQUEST "/websendmail" "log,pass,id:sid815,rev:9,msg:'WEB-CGI websendmail access'"
 
#7
There is no audit_log generated.

It's defined in an Include file under the httpd.conf to be :

logs/audit_log

It's not in {$litespeedhome}/logs.
It's not in /var/logs
It's not in {$vhostlogdir}

If I change the rule to deny it does not block.

Together, these two actions make me think it's not working at all.

You have looked at this server before; when you get a spare moment would you like to do so again? :)
 

mistwang

LiteSpeed Staff
#9
Check your "ServerRoot" directive in httpd.conf, audit_log should be at
<ServerRoot>/logs/audit_log

with LSWS 3.3.7 release.
 
#10
Hmm. It wasn't going at all, as I suspected.

When Litespeed looked at the line :

Include etc/apache2/Includes/*.conf

in the httpd.conf, it was only including one of the files in there.
As such, it did not load the other include files, one of which had the mod_security rules defined in it.

Manually specifying this file has made it all work! Yaay!
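
Added example (editor's illustration, not part of the posts above and not LiteSpeed or Apache code): a small check for the two problems found in this thread. It lists every file a wildcard Include is expected to match under Apache's Include semantics (relative paths resolved against ServerRoot), shows which of them carry mod_security (Sec*) directives, and resolves the relative SecAuditLog path. The function names, report keys and sample file names are assumptions; the sample tree is constructed.

```python
import glob
import os
import tempfile

def trace_config(httpd_conf):
    """Follow Include lines and report where Sec* directives live."""
    root = os.path.dirname(os.path.abspath(httpd_conf))  # fallback ServerRoot
    report = {"loaded": [], "sec_files": [], "empty_includes": [], "audit_log": None}
    queue = [os.path.abspath(httpd_conf)]
    while queue:
        path = queue.pop(0)
        if path in report["loaded"]:
            continue
        report["loaded"].append(path)
        with open(path) as fh:
            for raw in fh:
                parts = raw.strip().split(None, 1)
                if len(parts) < 2 or parts[0].startswith("#"):
                    continue  # blank line, comment, or directive without argument
                key, arg = parts[0].lower(), parts[1].strip().strip('"')
                if key == "serverroot":
                    root = arg
                elif key == "include":
                    # Relative patterns resolve against ServerRoot.
                    hits = sorted(glob.glob(os.path.join(root, arg)))
                    queue.extend(hits)
                    if not hits:
                        report["empty_includes"].append(arg)
                elif key.startswith("sec"):  # mod_security directives start with "Sec"
                    if path not in report["sec_files"]:
                        report["sec_files"].append(path)
                    if key == "secauditlog":
                        report["audit_log"] = os.path.join(root, arg)
    return report

def build_sample(base):
    """Constructed config tree mirroring the layout described in the thread."""
    os.makedirs(os.path.join(base, "etc/apache2/Includes"))
    files = {
        "httpd.conf": f'ServerRoot "{base}"\nInclude etc/apache2/Includes/*.conf\n',
        "etc/apache2/Includes/vhosts.conf": "# constructed placeholder\n",
        "etc/apache2/Includes/modsec.conf":
            'SecFilterEngine On\nSecAuditLog logs/audit_log\nSecFilter "/bin/chmod"\n',
    }
    for rel, body in files.items():
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(body)
    return os.path.join(base, "httpd.conf")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, value in trace_config(build_sample(tmp)).items():
            print(name, "=", value)
```

If a file listed under sec_files is not actually being applied by the server, a "deny" rule will let requests through and no audit_log will appear, which is the combination reported earlier in the thread.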
 
#13
Not yet.

The upgrade up to 3.3.6 was as simple as clicking the upgrade link.

The upgrade to 3.3.7-ent is a download link.

I had downloaded the product a while ago but haven't got around to reading any release notes and/or applying the upgrade yet. I'll do that shortly...
 