ModSec @rbl Operator

#1
Hello,

I want to block IPs that are on an RBL blacklist. I tried the modsec rules below, from OWASP.

Code:
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
SecMarker END_RBL_LOOKUP

SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"

SecMarker END_RBL_CHECK
It didn't work. I tested with LiteSpeed 4.2.2 and 4.2.4. Does LiteSpeed support the @rbl operator?
 

mistwang

LiteSpeed Staff
#2
No, LiteSpeed does not support @rbl. It is very hard to do for a non-blocking, event-driven server, as it needs to query a server on the network.
 

Dan M

New Member
#5
Is there any update on support for @rbl?
Perhaps we don't mind a performance penalty if we are only doing lookups for certain requests and use some sort of mechanism to prevent repeated lookups of the same IP.
 

Michael

Well-Known Member
Staff member
#6
@RBL is still not supported, though we will be working on an implementation that should allow for support in the future. This is still a number of steps away, though. Without an implementation allowing these queries to be processed in a separate queue, this kind of rule would completely block the web server while it is being processed. That would be death for page load time.

Cheers,

Michael
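As an added example (not LiteSpeed's code and not part of the CRS rule set above), here is the mechanism behind @rbl together with the per-IP cache Dan M asks about: the client address is reversed into a DNSBL query name under the zone from rule 981138, and each verdict is remembered for the same 86400 s window the rule set uses for ip.previous_rbl_check, so the blocking network lookup happens once per address per window. The resolver, the "listed" address 192.0.2.1 and the clock are constructed stand-ins.

```python
import ipaddress
import time

def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone.
    192.0.2.1 against sbl-xbl.spamhaus.org -> 1.2.0.192.sbl-xbl.spamhaus.org
    """
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

# Constructed stand-in for the DNS zone: only 192.0.2.1 (an RFC 5737 test
# address) is "listed" and gets a 127.0.0.x style answer; any other name
# behaves like NXDOMAIN (None).
FAKE_LISTINGS = {"1.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2"}

def fake_resolve(name: str):
    """Stub resolver. A real one (e.g. socket.gethostbyname) blocks on the network."""
    return FAKE_LISTINGS.get(name)

class RblChecker:
    """Caches per-IP verdicts so each address costs one lookup per TTL window,
    mirroring the ip.previous_rbl_check / expirevar:...=86400 pair in the rules."""
    def __init__(self, zone, resolver=fake_resolve, ttl=86400, clock=time.monotonic):
        self.zone, self.resolver, self.ttl, self.clock = zone, resolver, ttl, clock
        self.lookups = 0           # how many times the resolver was actually called
        self._cache = {}           # ip -> (listed, expires_at)

    def is_listed(self, ip: str) -> bool:
        now = self.clock()
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]       # cache hit: no network query
        self.lookups += 1
        listed = self.resolver(rbl_query_name(ip, self.zone)) is not None
        self._cache[ip] = (listed, now + self.ttl)
        return listed

class FakeClock:
    """Constructed clock so the TTL expiry can be exercised without waiting."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

if __name__ == "__main__":
    clock = FakeClock()
    chk = RblChecker("sbl-xbl.spamhaus.org", clock=clock)
    for ip in ["192.0.2.1", "198.51.100.7", "192.0.2.1"]:
        print(ip, "listed" if chk.is_listed(ip) else "clean")
    print("network lookups:", chk.lookups)   # 2: the repeated IP hit the cache
    clock.now += 86401                       # step past the TTL
    chk.is_listed("192.0.2.1")
    print("after expiry:", chk.lookups)      # 3: one fresh lookup
```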
 
#7
Thanks for the update. It would be really helpful if you had a wiki page with all the supported mod_security features listed; I wasted several days trying to get this to work, only to find this thread after much searching!
 

Michael

Well-Known Member
Staff member
#8
Point taken. The issue with that is that there are so many ModSecurity features out there. Right now, we have a very simple wiki outlining the groups of rules we don't support. In the future, though, it would be ideal to have a list of unsupported rules. We don't have time to compile this list at the moment, but I'm making a note to set it up. The best solution might be for the list to be community maintained, with people reporting unsupported rules and us confirming them.

Cheers,

Michael
 