mod_sec partial failure

edigest

Active Member
#1
I have the latest LiteSpeed, latest cPanel and mod_sec 2.7x installed via cPanel/EasyApache.

mod_security is only partially working. Simple user agents are blocked, but more complex UAs are not. For example, these work:

SecRule HTTP_USER_AGENT "ati2qs" "id:330001,rev:1,phase:2,t:none,t:lowercase,status:403,log"
SecRule HTTP_USER_AGENT "rarely used" "id:330170,rev:1,phase:2,t:none,t:lowercase,status:403,log"

But these do not:

SecRule HTTP_USER_AGENT "mail.ru_bot/2.0" "id:330121,rev:1,phase:2,t:none,t:lowercase,status:403,log"
SecRule HTTP_USER_AGENT "mj12bot/v1.4.4" "id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"

Nor does it work replacing HTTP_USER_AGENT with REQUEST_HEADERS:User-Agent.

SecRule REQUEST_HEADERS:User-Agent "mail.ru_bot/2.0" "id:330121,rev:1,phase:2,t:none,t:lowercase,status:403,log"
SecRule REQUEST_HEADERS:User-Agent "mj12bot/v1.4.4" "id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"

What am I missing?
 

edigest

Active Member
#2
Anybody? LiteSpeed staff?

Just to be clear, if the UA is very simple such as "ati2qs" mod_sec blocks it with the rule above.

But if the UA is more complex, such as

Mozilla/5.0 (compatible; MJ12bot/v1.4.4; http://www.majestic12.co.uk/bot.php?+)

then filtering for "MJ12bot" (or "MJ12bot/v1.4.4") does not block the bot.
 

edigest

Active Member
#3
SOLVED modsec partial failure

Interesting - Apache doesn't care about the order of the rule elements and honors SecDefaultAction. Apparently, LiteSpeed cares about the order and does not honor SecDefaultAction.

Several formats, including those in the original post, work fine with Apache but do not always work on LiteSpeed.

YMMV, but this format & order works in all cases for me on LiteSpeed:

SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,status:403,id:330123,rev:1,severity:2,log,msg:'Bad Bot MJ12'"
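
A lint check for the finding in post #3, as an added example that is not part of the original posts or of any LiteSpeed or ModSecurity code: it flags SecRule lines with no explicit disruptive action (which therefore depend on SecDefaultAction) and lines where t:lowercase is combined with a case-sensitive regex containing upper-case letters, which cannot match. The function names, the single-line rule form it parses, and rule id 999001 are assumptions made for the example.

```python
import re

# Disruptive actions named in the ModSecurity 2.x reference manual.
DISRUPTIVE = {"deny", "drop", "block", "allow", "pass", "redirect", "proxy"}
# Single-line form only: SecRule VARIABLES "OPERATOR" "ACTIONS"
RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')

# Rules 1 and 2 are copied from the thread; rule 3 is constructed for this example.
SAMPLE = '''
SecRule HTTP_USER_AGENT "mj12bot/v1.4.4" "id:330123,rev:1,phase:2,t:none,t:lowercase,status:403,log"
SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,status:403,id:330123,rev:1,severity:2,log,msg:'Bad Bot MJ12'"
SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,t:lowercase,deny,status:403,id:999001"
'''.strip().splitlines()


def split_actions(actions):
    """Split the action list on commas that sit outside single quotes."""
    parts, buf, quoted = [], "", False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p for p in parts if p]


def lint_rule(line):
    """Return findings for one SecRule line; an empty list means no finding."""
    m = RULE_RE.match(line)
    if not m:
        return ["not a single-line SecRule"]
    pattern, acts = m.group(2), split_actions(m.group(3))
    findings = []
    if not {a.split(":", 1)[0] for a in acts} & DISRUPTIVE:
        findings.append("no explicit disruptive action; outcome depends on SecDefaultAction")
    # Heuristic: only the implicit/@rx regex operator is case-sensitive by default.
    op = re.match(r"!?@(\w+)\s*", pattern)
    regex = re.sub(r"\\.", "", pattern[op.end():] if op else pattern)
    if (op is None or op.group(1) == "rx") and "t:lowercase" in acts \
            and "(?i)" not in regex and re.search(r"[A-Z]", regex):
        findings.append("t:lowercase with an upper-case regex can never match")
    return findings


if __name__ == "__main__":
    for rule in SAMPLE:
        print(lint_rule(rule) or ["ok"], "<-", rule)
```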
 