Cannot enable mod security "@inspectFile" on litespeed, while working with Apache (Solved)

#1
Hello there,
I have a CentOS WHM/cPanel server and switched from Apache to LiteSpeed.
My LiteSpeed version is 5.3.7 (build 4).
But I found that ModSecurity @inspectFile cannot be applied to scan uploaded files, while if I switch to Apache it works without any problem!
I have installed the Comodo ModSecurity LiteSpeed Rules using the following guide in order to test ModSecurity with LiteSpeed:
https://help.comodo.com/topic-212-1-670-8350-.html
And it works when verified using any domain on the server:
```
http://mydomain.tld/?a=b AND 1=1
http://mydomain.tld/?cwaf_test_request=a12875a9e62e1ecbcd1dded1879ab06949566276
```
Until now ModSecurity has been working without any problem with LiteSpeed.
Can ModSecurity @inspectFile not be used with LiteSpeed?
I use the following rule:
```
SecRule FILES_TMPNAMES "@inspectFile /path/to/scan.sh" "phase:2,deny,redirect:http://domain.tld/denied.html,id:1"
```
I have checked the permissions & ownership of the upload directory & the scan script, & there is no information in the log files.
I have also tried including the previous rule directly in the Comodo rules, but that is also not working & there is no information in the log files.
Could anyone help me? The same rule was already working with Apache but doesn't work with LiteSpeed!! Also, the same rule works if I switch to Apache!!
 

Unique_Eric

Administrator
Staff member
#6
The post you found was from 2013, whereas this feature was added in 2016:
```
LSWS 5.1(1-13-2016)Feature enhancements and bug fixes
  • Updated mod_security engine with support for @rbl and @inspectfile operators.
```
 
#7
Hello Unique, thank you so much.
Now I used the following ModSecurity rule:
```
SecRule FILES_TMPNAMES "@inspectFile /path/to/scan.sh" "phase:2,deny,redirect:http://domain.tld/denied.html,id:1"
```
The previous rule works with Apache, while if LiteSpeed is enabled it doesn't work.
Also, no log information is output in the ModSecurity "audit.log" file.
The "/path/to/scan.sh" script is supposed to check uploaded files for viruses & I tried uploading the "eicar" test virus,
but the same rule & the same script work only if Apache is enabled, while they don't work with LiteSpeed!! How could this be??
Is my rule not compatible with LiteSpeed ModSecurity??? Why are the Comodo WAF rules working while this rule is not??
Any help will be appreciated.
Thanks in advance
 

Pong

Administrator
Staff member
#8
Looks like the "redirect" action may not be supported by LiteSpeed at the moment. Could you try with a status code return only, without redirect, to see if it works or not?
 
#9
Hi Pong,
I tried without redirect & instead used "status:418", but it still couldn't catch the eicar virus test file.
This issue is driving me crazy because it works with Apache while it doesn't work with LiteSpeed!!
 
#12
Hello everyone,
After I contacted LiteSpeed support, the solution for the problem is as follows:
Code:
In order for the "@inspect" feature to work, your script's return output should start with 0 to block the request and 1 to continue/pass the test rule.
 
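The output convention from the last post, sketched as a scan script. This is an added example, not code from the thread or from LiteSpeed; it assumes ClamAV's `clamdscan` is installed, and the function names `scan_file` and `inspect_verdict` are hypothetical. Anything other than a confirmed clean result prints a line starting with 0, so a missing file or a scanner failure blocks the upload instead of silently passing it.

```shell
#!/bin/sh
# scan.sh: helper for a rule such as
#   SecRule FILES_TMPNAMES "@inspectFile /path/to/scan.sh" "phase:2,deny,status:418,id:1"
# The web server passes the temporary upload path as $1 and reads stdout:
# output starting with 1 lets the request continue, 0 blocks it.

# Assumption: clamdscan is available; it exits 0 = clean, 1 = infected, 2 = error.
scan_file() {
    clamdscan --no-summary "$1" >/dev/null 2>&1
}

inspect_verdict() {
    file=$1
    # Fail closed when the upload cannot be read by the scanning user.
    if [ -z "$file" ] || [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "0 scan.sh: cannot read upload"
        return 0
    fi
    rc=0
    scan_file "$file" || rc=$?
    case $rc in
        0) echo "1 scan.sh: clean" ;;
        1) echo "0 scan.sh: malware detected" ;;
        *) echo "0 scan.sh: scanner error (rc=$rc), failing closed" ;;
    esac
}

# Emit a verdict only when called with a file argument, as @inspectFile does.
if [ "$#" -gt 0 ]; then
    inspect_verdict "$1"
fi
```

Running the script by hand against a sample file, as the user the web server runs as, shows the exact first character the rule will see.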