Request Filters

[JasonWSInc]

Hi there. I could use some help getting LiteSpeed Request Filters figured out please. I'm attaching some screenshots to show my current configuration. Problem: With the configuration you see in the screenshots, LiteSpeed is not "passing" on either of the two Request Filter Rule Sets that I've got, can you please explain why? Both the Rules are being denied, but I only want them to be logged, and then pass through silent, allowing access (this is just a test so I can understand how things work).

My Default Action is: log,deny,status:403
Each Rule Set has the Action: msg:"[message]",pass

I guess I'm not understanding something? After reading the documentation on mod_security, I thought that a Disruptive Action of "pass" in the Rule Set, would override that of the Default Action, which is "deny". Is that not correct?

 

[NiteWave]

I thought that a Disruptive Action of "pass" in the Rule Set, would override that of the Default Action, which is "deny". Is that not correct?

I did local test, the result is : yes, should override.

the attached picture is not clear.

 

[JasonWSInc]

Thanks. Here are better screenshots.
http://img16.imageshack.us/img16/8712/snag0039.png
http://img827.imageshack.us/img827/5732/snag0038.png

I did local test, the result is : yes, should override.

Sorry, does that mean that my assumption is correct then? My rules SHOULD be passing, instead of triggering a 403 status and denying the request?

What is happening is that these rules which are configured to "pass" are still being denied with a 403 status. I'm not sure if I have something configured incorrectly, or I'm missing something, or if it's a bug. Any help is appreciated. Thank you so much!

 

[NiteWave]

still can't view the image.

My rules SHOULD be passing

right

 

[JasonWSInc]

Thank you. I'll test again just to be sure.

I posted links to the images. Here they are:

http://img16.imageshack.us/img16/8712/snag0039.png
http://img827.imageshack.us/img827/5732/snag0038.png

I tried uploading them to the forum, but your system re-sized them on me.

 

[webizen]

Thank you. I'll test again just to be sure.

...

You should enable audit logging to troubleshoot.

 

[JasonWSInc]

Audit logging is enabled, as seen in the screenshots I attached. That's how I know it's not working as expected. These rules are being triggered even though they're suppose to pass.

 

[JasonWSInc]

I'm running Litespeed Web Server Enterprise v4.1.10 with FireHost on Ubuntu 64-bit.

 

[webizen]

Audit logging is enabled, as seen in the screenshots I attached. That's how I know it's not working as expected. These rules are being triggered even though they're suppose to pass.

Sorry for the confusion. Yes, you may put 'log,' in the override rule to update audit log.

tested on ubuntu 11.10 64bit env in our lab. override rules are in effect: when 'pass' is used, no blockage.

btw, are you using lsws native vhost or you have apache vhost in httpd.conf?

 

[JasonWSInc]

I'm running with native vhost configuration, no Apache configuration file. Everything I've done so far is through the web console for LiteSpeed.

I'll test this again tonite and see if I can find out more. Until then, if you have any other ideas, please let me know.

 

[webizen]

if you still experience blockage, pls paste the error log excerpt for the blockage in question also the related entries from audit log.