ModSec @rbl Operator

Discussion in 'Bug Reports' started by Private, Sep 25, 2013.

  1. Private

    Private Member


    I want to block IPs in RBL blacklist. I tried below modsec rules from OWASP.

    SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
      SecRule REMOTE_ADDR "@rbl" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
      SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
    SecMarker END_RBL_LOOKUP
    SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
    SecMarker END_RBL_CHECK
    It didn't work. I tested with LiteSpeed 4.2.2 and 4.2.4. Does LiteSpeed support @rbl operator?
  2. mistwang

    mistwang LiteSpeed Staff

    No LiteSpeed does not support @rbl, it is very hard to do for a non-blocking event-driven server as it need to query a server on the network.
  3. Private

    Private Member

    Is @inspectFile supported?

    Any features for @rbl replacement?
  4. NiteWave

    NiteWave Administrator

  5. Dan M

    Dan M New Member

    Is there any update on support for @rbl?
    Perhaps we don't mind a performance penalty if we are only doing lookups for certain requests and use some sort of mechanism to prevent repeated lookups of the same IP?
  6. Michael

    Michael Well-Known Member Staff Member

    @RBL is still not supported, though we will be working on implementation that should allow for support in the future. This is still a number of steps away, though. Without implementation allowing for processing these queries in a separate queue, this kind of rule would completely block the web server while it is being processed. That would be death for page load time.


  7. Dan M

    Dan M New Member

    Thanks for the update. It would be really helpful if you had a wiki page with all the supported mod_security features listed, I wasted several days trying to get this to work only to find this thread after much searching!
  8. Michael

    Michael Well-Known Member Staff Member

    Point taken. The issue with that is that there are so many ModSecurity features out there. Right now, we have a very simple wiki outlining the groups of rules we don't support. In the future, though, it would be ideal to have a list of unsupported rules. We don't have time to compile this list at the moment, but I'm making a note to set it up. The best solution might be for the list to be community maintained, with people reporting unsupported rules and we can confirm them.



Share This Page