Request Filters

Discussion in 'Install/Configuration' started by JasonWSInc, Jan 22, 2012.

  1. JasonWSInc

    JasonWSInc Member

    Hi there. I could use some help getting LiteSpeed Request Filters figured out please. I'm attaching some screenshots to show my current configuration. Problem: With the configuration you see in the screenshots, LiteSpeed is not "passing" on either of the two Request Filter Rule Sets that I've got. Can you please explain why? Both the Rules are being denied, but I only want them to be logged, and then pass through silently, allowing access (this is just a test so I can understand how things work).

    My Default Action is: log,deny,status:403
    Each Rule Set has the Action: msg:"[message]",pass

    I guess I'm not understanding something? After reading the documentation on mod_security, I thought that a Disruptive Action of "pass" in the Rule Set would override that of the Default Action, which is "deny". Is that not correct?

  2. NiteWave

    NiteWave Administrator

    I did a local test; the result is: yes, it should override.

    The attached picture is not clear.
  3. JasonWSInc

    JasonWSInc Member

    Thanks. Here are better screenshots.

    Sorry, does that mean that my assumption is correct then? My rules SHOULD be passing, instead of triggering a 403 status and denying the request?

    What is happening is that these rules which are configured to "pass" are still being denied with a 403 status. I'm not sure if I have something configured incorrectly, or I'm missing something, or if it's a bug. Any help is appreciated. Thank you so much!
  4. NiteWave

    NiteWave Administrator

    Still can't view the image.

  5. JasonWSInc

    JasonWSInc Member

  6. webizen

    webizen Well-Known Member

    You should enable audit logging to troubleshoot.
    Last edited: Jan 23, 2012
  7. JasonWSInc

    JasonWSInc Member

    Audit logging is enabled, as seen in the screenshots I attached. That's how I know it's not working as expected. These rules are being triggered even though they're supposed to pass.
  8. JasonWSInc

    JasonWSInc Member

    I'm running LiteSpeed Web Server Enterprise v4.1.10 with FireHost on Ubuntu 64-bit.
  9. webizen

    webizen Well-Known Member

    Sorry for the confusion. Yes, you may put 'log,' in the override rule to update audit log.

    Tested on an Ubuntu 11.10 64-bit env in our lab. Override rules are in effect: when 'pass' is used, no blockage.

    BTW, are you using an LSWS native vhost, or do you have an Apache vhost in httpd.conf?
  10. JasonWSInc

    JasonWSInc Member

    I'm running with native vhost configuration, no Apache configuration file. Everything I've done so far is through the web console for LiteSpeed.

    I'll test this again tonight and see if I can find out more. Until then, if you have any other ideas, please let me know.
  11. webizen

    webizen Well-Known Member

    If you still experience blockage, please paste the error log excerpt for the blockage in question, and also the related entries from the audit log.
