ModSec @rbl Operator

Discussion in 'Bug Reports' started by Private, Sep 25, 2013.

  1. Private

    Private New Member


    I want to block IPs in RBL blacklist. I tried below modsec rules from OWASP.

    SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
      SecRule REMOTE_ADDR "@rbl" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
      SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
    SecMarker END_RBL_LOOKUP
    SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
    SecMarker END_RBL_CHECK
    It didn't work. I tested with LiteSpeed 4.2.2 and 4.2.4. Does LiteSpeed support @rbl operator?
  2. mistwang

    mistwang LiteSpeed Staff

    No LiteSpeed does not support @rbl, it is very hard to do for a non-blocking event-driven server as it need to query a server on the network.
  3. Private

    Private New Member

    Is @inspectFile supported?

    Any features for @rbl replacement?
  4. NiteWave

    NiteWave Administrator

  5. Dan M

    Dan M New Member

    Is there any update on support for @rbl?
    Perhaps we don't mind a performance penalty if we are only doing lookups for certain requests and use some sort of mechanism to prevent repeated lookups of the same IP?
  6. Michael

    Michael Active Member Staff Member

    @RBL is still not supported, though we will be working on implementation that should allow for support in the future. This is still a number of steps away, though. Without implementation allowing for processing these queries in a separate queue, this kind of rule would completely block the web server while it is being processed. That would be death for page load time.


  7. Dan M

    Dan M New Member

    Thanks for the update. It would be really helpful if you had a wiki page with all the supported mod_security features listed, I wasted several days trying to get this to work only to find this thread after much searching!
  8. Michael

    Michael Active Member Staff Member

    Point taken. The issue with that is that there are so many ModSecurity features out there. Right now, we have a very simple wiki outlining the groups of rules we don't support. In the future, though, it would be ideal to have a list of unsupported rules. We don't have time to compile this list at the moment, but I'm making a note to set it up. The best solution might be for the list to be community maintained, with people reporting unsupported rules and we can confirm them.



Share This Page