mod_security
- Thread starter markb1439
- Start date
regarding mod_security compatibility, please refer the wiki page:
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
can you specify which basic rule sets not support ?
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
can you specify which basic rule sets not support ?
You state in the post I quoted that you dont support
the wiki states that
But yet you dont support even the basic core ruleset:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
it doesnt matter if I disable lua xml or even all of the configuration files except say the basic one:
modsecurity_crs_40_generic_attacks.conf
or
modsecurity_crs_41_xss_attacks.conf
or
modsecurity_crs_41_sql_injection_attacks.conf
None of them work with litespeed even with a single simple ruleset used... much less the 20 rulesets that are part of the core ruleset
so to say you are compatible at all is a lie.
1. xml related.
2. pdf related.
3. lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicate with mod_geoip, can use env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script
2. pdf related.
3. lua script (we are investigating, may add, but low priority)
4. geo lookup (duplicate with mod_geoip, can use env added by mod_geoip)
5. inspecting response body (still evaluating)
6. executing external script
Not Yet Support Features
scan response header/body.(Note: request header/body are supported)
scan attached files content in multi-part upload
PDF functions
lua
parsing XML
scan response header/body.(Note: request header/body are supported)
scan attached files content in multi-part upload
PDF functions
lua
parsing XML
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
it doesnt matter if I disable lua xml or even all of the configuration files except say the basic one:
modsecurity_crs_40_generic_attacks.conf
or
modsecurity_crs_41_xss_attacks.conf
or
modsecurity_crs_41_sql_injection_attacks.conf
None of them work with litespeed even with a single simple ruleset used... much less the 20 rulesets that are part of the core ruleset
so to say you are compatible at all is a lie.
We pay for litespeed as a product, it is not free it is not open source it is paid monthly and it is expensive, more expensive than any other component of web hosting except for the physical server itself.
We expect litespeed to take security seriously especially since it is a paid product. It is sad that there is better security support in the opensource apache which is free.
I understand supporting Atomic's rulesets are a chore... they are a damn chore to figure out just using apache which they were developed for.
But OWASP's modsecurity core ruleset is basic and simple and litespeed should make the effort to support at least their core ruleset.
I understand that litespeed is closed source which makes this a chore for you guys to maintain as stuff changes with the rulesets but either come up with a way for OWASP to be compatible or come up with your own rulesets
we pay a hefty price for your product and we deserve to have better support than this... this is what you are telling your customers in a nutshell:
"We support mod_security! .... but we are not going to tell you what rulesets will actually help protect your system and you can spend hours upon hours trying to make your own and testing which ones will actually work because we dont really support mod_security we just say we do."
That is not the kind of attitude a paid product should support... you should get your product up to snuff to support the basic open standard rulesets that are out there... or provide your customers with a list of rulesets that actually work to protect their systems.
We expect litespeed to take security seriously especially since it is a paid product. It is sad that there is better security support in the opensource apache which is free.
I understand supporting Atomic's rulesets are a chore... they are a damn chore to figure out just using apache which they were developed for.
But OWASP's modsecurity core ruleset is basic and simple and litespeed should make the effort to support at least their core ruleset.
I understand that litespeed is closed source which makes this a chore for you guys to maintain as stuff changes with the rulesets but either come up with a way for OWASP to be compatible or come up with your own rulesets
we pay a hefty price for your product and we deserve to have better support than this... this is what you are telling your customers in a nutshell:
"We support mod_security! .... but we are not going to tell you what rulesets will actually help protect your system and you can spend hours upon hours trying to make your own and testing which ones will actually work because we dont really support mod_security we just say we do."
That is not the kind of attitude a paid product should support... you should get your product up to snuff to support the basic open standard rulesets that are out there... or provide your customers with a list of rulesets that actually work to protect their systems.
You mean mod security is not on your priority list... Like I stated you fail to provide any list of any rules that actually work with litspeed... if none of the available rules anywhere on the internet work with Litespeed.. How cam you claim you support mod security because you dont.. Nor are you an apache drop in replacement.
Because unlike you security actually matters to us and your other customers.
And you wont even take the time to make sure we can defend against common web application attacks... So in turn what you are tellinf us is liteapped is a supporter of the hackinf world and they promote insecure systems.
You dont support mod security any of the rules so quit saying yo do it is false advertisement.
We have tried all the rules none work.so until you provide a set of rules that do work itbis safe to say you are liars about supporting mod security
Because unlike you security actually matters to us and your other customers.
And you wont even take the time to make sure we can defend against common web application attacks... So in turn what you are tellinf us is liteapped is a supporter of the hackinf world and they promote insecure systems.
You dont support mod security any of the rules so quit saying yo do it is false advertisement.
We have tried all the rules none work.so until you provide a set of rules that do work itbis safe to say you are liars about supporting mod security
webizen,
why do I feel like I am talking in cirlces with you guys... read my posts above I showed you many rules which none of them work... I have tried every single ruleset available on the internet. None of them work.
SO why dont you as a company support your product and actually show us a ruleset that does work? instead you keep avoiding the fact that you have never provided a ruleset to anyone of your customers which actually works.
Why because they dont otherwise you would provide that list in your documentation ..
it shouldnt be me sending you all 100,000 rules that are available to show you that none fo them work...
it should be you showing your paying customers what rules actually work.
None of the OWASP rules work... none!
Maybe just maybe a small amount of atomics rules work, but I have yet to figure out which ones... but the list of supported atomic rules is so small that you might as well not use it at all cause those couple rules out of 1000's that dont work is going to provide much protection at all.
So why dont you show your customers what rules actually do work and what you do support because it is BS that you believe that your PAYING customers each by themselves should spend hundreds of hours writing out their own rulesets (if they have that knowledge) and testing through trial and error if those ruleset will even work.
And then once they get just a handful of rules that do work... the time was a waste because their limitations didnt allow them to load a ruleset that actually protects the system from any significant amount of attacks.
Search your own damn forums there is literally 100's of customers who ask you to fix the mod security compatiblity but yet you say things like "its low priority if there is more demand for it we might do it.
Why dont you remove mod security support and just tell people you dont support it, or get off your butts and provide a ruleset that will actually help protect systems from more than just a handful of attacks.
I asked you to support OWASP ruleset because it is very basic core ruleset and would be easy for you guys to make work, easier than atomic's ruleset would be but you guys dont want to support any rulesets or provide any rulesets so
Yes it is confirmed you dont support mod security...
why do I feel like I am talking in cirlces with you guys... read my posts above I showed you many rules which none of them work... I have tried every single ruleset available on the internet. None of them work.
SO why dont you as a company support your product and actually show us a ruleset that does work? instead you keep avoiding the fact that you have never provided a ruleset to anyone of your customers which actually works.
Why because they dont otherwise you would provide that list in your documentation ..
it shouldnt be me sending you all 100,000 rules that are available to show you that none fo them work...
it should be you showing your paying customers what rules actually work.
None of the OWASP rules work... none!
Maybe just maybe a small amount of atomics rules work, but I have yet to figure out which ones... but the list of supported atomic rules is so small that you might as well not use it at all cause those couple rules out of 1000's that dont work is going to provide much protection at all.
So why dont you show your customers what rules actually do work and what you do support because it is BS that you believe that your PAYING customers each by themselves should spend hundreds of hours writing out their own rulesets (if they have that knowledge) and testing through trial and error if those ruleset will even work.
And then once they get just a handful of rules that do work... the time was a waste because their limitations didnt allow them to load a ruleset that actually protects the system from any significant amount of attacks.
Search your own damn forums there is literally 100's of customers who ask you to fix the mod security compatiblity but yet you say things like "its low priority if there is more demand for it we might do it.
Why dont you remove mod security support and just tell people you dont support it, or get off your butts and provide a ruleset that will actually help protect systems from more than just a handful of attacks.
I asked you to support OWASP ruleset because it is very basic core ruleset and would be easy for you guys to make work, easier than atomic's ruleset would be but you guys dont want to support any rulesets or provide any rulesets so
Yes it is confirmed you dont support mod security...
Some other threads of people wondering why the rulesets dont work: some gone un-answered its like you guys are avoiding mod security like the plague
http://www.litespeedtech.com/support/forum/showthread.php?t=5203
http://www.litespeedtech.com/support/forum/showthread.php?t=2697
http://www.litespeedtech.com/support/forum/showthread.php?t=4727
THird party forum:
https://www.atomicorp.com/forums/viewtopic.php?f=14&t=4222
Quoted from that link:
Even the first through 3rd page of this thread is full of people who cant get any rule sets to work:
http://www.litespeedtech.com/support/forum/showthread.php?t=4619
It is funny here is a quote you guys wrote on your blog:
http://blog.litespeedtech.com/tag/LiteSpeed/
hmm weird I am an enterprise customer doesn't seem like I am being listened to. Heck its even hard to get you guys to respond which is why I am getting so frustrated.
All your customers want to see, is here we support these rulesets upload them to your server and restart litespeed....
Please provide rulesets or add support for OWASP if you dont want to maintain the rules.
http://www.litespeedtech.com/support/forum/showthread.php?t=5203
http://www.litespeedtech.com/support/forum/showthread.php?t=2697
http://www.litespeedtech.com/support/forum/showthread.php?t=4727
THird party forum:
https://www.atomicorp.com/forums/viewtopic.php?f=14&t=4222
Quoted from that link:
As may already know, Litespeed does not use or support mod_security. It does not include it or use, rather they created their own undocumented WAF module module that supposedly supports mod_security rules, but does not. It supports an undocumented subset of the mod_security rule language, and another subset (also undocumented) of modsecurity features and it also may not even work the same as modsecurity. Did I mention its undocumented?
With that said, understand the rules are not generating errors, litespeed WAF is creating the errors because it doesnt actually support modsecurity. If they documented their engine we could look at what rules might be possible for their webserver, but so far we and others have had no luck getting that information.
With that said, understand the rules are not generating errors, litespeed WAF is creating the errors because it doesnt actually support modsecurity. If they documented their engine we could look at what rules might be possible for their webserver, but so far we and others have had no luck getting that information.
Even the first through 3rd page of this thread is full of people who cant get any rule sets to work:
http://www.litespeedtech.com/support/forum/showthread.php?t=4619
It is funny here is a quote you guys wrote on your blog:
http://blog.litespeedtech.com/tag/LiteSpeed/
Our enterprise users have requested this feature and as always, we listen to our customers.
All your customers want to see, is here we support these rulesets upload them to your server and restart litespeed....
Please provide rulesets or add support for OWASP if you dont want to maintain the rules.
Hi,
I tried to add the following mod_security lines to my rules but don't work with Litespeed (it's from CXS). If I switch to Apache CXS is detecting infected files, but with Litespeed it didn't work. Could you please manage to get working ?:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecTmpDir /tmp
I tried to add the following mod_security lines to my rules but don't work with Litespeed (it's from CXS). If I switch to Apache CXS is detecting infected files, but with Litespeed it didn't work. Could you please manage to get working ?:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecTmpDir /tmp
FILES_TMPNAMES not supported. Try suhosin.upload.verification_script:
http://www.litespeedtech.com/support/forum/showthread.php?t=4795&page=2
http://www.litespeedtech.com/support/forum/showthread.php?t=4795&page=2
FYI:
here's a good reference for @inspectFile
http://www.litespeedtech.com/support/forum/showthread.php?t=6599
here's a good reference for @inspectFile
http://www.litespeedtech.com/support/forum/showthread.php?t=6599
mod_security has been constantly adding new features as well as gotroot rulesets being updated, so do we to keep up with it.
The latest 4.2.1 build should work well with gotroot ruleset.
The latest 4.2.1 build should work well with gotroot ruleset.
No matter what you tried to load, everything gave a 406:
Message: [client x.x.x.x] mod_security: Access denied with code 406, [Rule: '' ''] [severity "WARNING"] [MatchedString ""]