

AtomiCorp withdraw delayed modsecurity rules




Posted by ursa-musculus, 10-23-2013, 04:57 PM
Effective today, without notice (as far as I have gathered, anyway), AtomiCorp have withdrawn their free delayed ruleset. That's a strange statement to make. The realtime and delayed rules have always differed - by 3 months. Any improvements in the realtime rules will surely trickle through to the delayed rules exactly 3 months from the date they are made. So that can't be their reason. I'd guess, then, that their reason is commercial. Not enough people are paying for the commercial ruleset, so they're withdrawing the free option. The irony is that points in the opposite direction to the statement on their website. Their statement says that the realtime rules are so much better than the delayed ones that it no longer makes sense to offer the delayed ones. If people aren't paying for the realtime rules, that must mean that the realtime rules are not better enough for people to choose to pay for them. Anyone know any more?

Posted by FLDataTeK, 10-23-2013, 05:02 PM
Looks like it's true. From the wiki... Free/Delayed Rules: A subset of the realtime rules, which were based on an older version. This project was discontinued in October 2013. https://www.atomicorp.com/wiki/index...bout_the_rules

Posted by Infinitnet, 10-23-2013, 05:08 PM
That's really bad news. The delayed rules were perfect for securing mediocre sensitive web applications.

Posted by ursa-musculus, 10-23-2013, 05:09 PM
It's true alright - I got it from https://www6.atomicorp.com/channels/rules/delayed/

Posted by ursa-musculus, 10-23-2013, 05:10 PM
Anyone know how the OWASP rules compare (in effectively blocking malicious traffic without excessive false positives) to the (former) ASL delayed ruleset?

Posted by WebHostDog, 10-23-2013, 05:46 PM
For fresh exploits you need fresh rules; rules that are 3 months old are not going to save a lot.

Posted by Julien@Hostabulous, 10-23-2013, 06:00 PM
Yeah would like to know about OWASP rules also. We are running on Atomic paid rules atm.

Posted by Infinitnet, 10-23-2013, 06:03 PM
The OWASP rules are less extensive and I had way more false positives with them. I'd rather recommend continuing to use the delayed ones, even if they're discontinued, and eventually switching to the paid ASL ruleset. That's why I said only to protect mediocre sensitive information. And besides, not every exploit needs a specific rule - there are a lot of generic rules/patterns which can block all kinds of MySQL injections, for instance. For example, the delayed rules blocked every single one of the latest WHMCS exploits, and therefore your statement isn't completely correct. Last edited by Infinitnet; 10-23-2013 at 06:10 PM.

Posted by benj114, 10-23-2013, 09:30 PM
Good thing I subscribed to the daily rules from ASL last week! Never really had any issues with the delayed rules, just figured I'd play it safe and get the dailies for the "oh my, they did what" moments. Small price to pay for another added layer of peace of mind!

Posted by SPaReK, 10-23-2013, 09:55 PM
This is unfortunate. I wonder what someone with a lot of servers is supposed to do. Say you have 100 servers; that's $1495/mo extra expense for those servers. Wondering if there is another entity that will come out and provide a free or considerably less expensive option.

Posted by brianoz, 10-24-2013, 02:36 AM
If you have that many servers, I'd be talking to them about a discount; surely they can manage something... If this comes with a drop in the pricing of the paid rules, I'd understand it. (Personally I subscribe to the paid rules and think it's worth it, but then I don't have 100 servers!)

Posted by ursa-musculus, 10-24-2013, 02:54 AM
The announcement I linked to (see post #4 above) says

Posted by sh33pz, 10-24-2013, 08:08 AM
The only issue I have with AtomiCorp is the sign-up process. Their password requirements aren't secure... Not allowed to have any special characters in the password field... Sure, it has to be 10 chars long. But really? No special characters! Disappointed with that.

Posted by Patrick, 10-24-2013, 08:18 AM
I see you're in Canada. One of my bank accounts, with TD, used to have a maximum of 8 characters and only allowed letters and numbers in the password. I kid you not. Hopefully that has changed, but this was only a year or two ago.

Posted by sh33pz, 10-24-2013, 08:27 AM
Yes. There is another bank here that has poor password requirements: CIBC. The only comfort I have with them is that when you log in from another device or a location that you haven't logged in from before, they ask you one of your secret questions. But still, everyone should be allowing special characters and very, very long passwords. Of course, two-factor auth would be nice as well. Living a dream, I guess, haha.

Posted by bdwebservices, 10-24-2013, 08:54 AM
We will become more vulnerable.

Posted by Patrick, 10-24-2013, 09:13 AM
Not necessarily. A lot of the older (delayed) rules contain plenty of generic protection for most vulnerabilities - especially SQLi and LFI/RFI type attacks. Like 90% of the Atomic rules were application specific for all kinds of random stuff that most people don't even use.

Posted by bdwebservices, 10-24-2013, 09:22 AM
I think cPanel Inc. can make a partnership with AtomiCorp, and cPanel Inc. can charge extra ($1/$2) for this; this is a WIN/WIN situation.

Posted by ursa-musculus, 10-24-2013, 09:24 AM
Really? If cPanel charged an extra $1 for Atomicorp's live ruleset, they'd pass on some of that (retaining a profit / brokerage fee) first. So Atomicorp get $0.50 because someone subscribed, instead of the $15 they charge directly. It's not going to happen.

Posted by teck, 10-24-2013, 03:12 PM
Can't you technically pay for the rules for 1 server, then copy over the confs to the other servers (or even share them with others)? I don't condone this, but it sounds possible for those who are balking at the sunsetting of the free rules.

Posted by Infinitnet, 10-24-2013, 03:15 PM
Thanks for backing up what I said earlier in this thread. Some people don't seem to be aware of that. Yes, you could do that in theory, although I'm unsure if AtomiCorp would be happy about it. Last edited by Infinitnet; 10-24-2013 at 03:18 PM.

Posted by Patrick, 10-24-2013, 08:26 PM
It wouldn't be WHT if it weren't for people skipping over important points in a thread.

Posted by sannin, 10-28-2013, 05:24 PM
Hello. Does anyone have the latest modsec rules zip file? It will be useful until I decide about an alternative.

Posted by ursa-musculus, 10-28-2013, 05:52 PM
Did the license to download the free (delayed) rules include permission to mirror / redistribute them, or did others who want them have to obtain them directly from AtomiCorp?

Posted by FLDataTeK, 10-28-2013, 06:14 PM
I looked all over the site and could not find anything... Then I looked in the file...

# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.

So I took the file down.

Posted by Jesse Mahoney, 10-28-2013, 11:10 PM
It's a shame, as we referred a lot of our VPS clients to these rules; the free ruleset provided a good opportunity for them to test those out before shelling out for the paid rulesets.

Posted by EvolutionCrazy, 10-29-2013, 04:55 AM
At this point it's cheaper to go with paid Cloudflare plans if you have just a few big domains.

Posted by gPowerHost, 10-29-2013, 01:12 PM
It is only priced at $99.99 per year if you pay for 12 months. So $8.33 per mo. if paid in advance. If you have anything of value, any shopping cart (WHMCS, JeJe), etc., it is worth it, as the delayed rules would not have saved you of late. I will say it is a bit of a feat to set up the rules to automatically download and update, as Atomic provides zero support for that. Repeat, zero. They really like to sell ASL. But with tinkering you can do it.

That is one of the drawbacks of VPS, which is pushed so heavily as a next step after shared. VPS is not a budget option, really. There is nearly as much work in managing a VPS properly as there is in a dedicated shared server. Folks should really understand the inefficiencies of VPS, and the prices. If you can't afford to manage and install all of the security measures, go back to shared, where you belong.

I frankly was always surprised that Atomic ever gave away the rules. They are not very good at sales, IMO, and unless they are able to convert a significantly large enough number of those free clients to a paid product they would be losing out. As it is, it seems there is a base of users that can't afford to pay $8.33 per month, so it seems an industry problem. Driving down the price of shared and VPS, offering wild unlimited plans, and forgetting to really inform users of the hidden prices, both in administration labor and for tools, is reaping its toll here. When you add it up, VPS is not a very good thing. To secure a boatload of users on a shared server you might spend $200 per year and a few hours a day on top of that. VPS, same cost, and no way you are going to spend much time there reading logs, etc.

One possible way--read the TOS, I'm not advocating cheating--is to try out the paid ruleset for 30 days; maybe the TOS allows you to keep the existing rules on your server if you decide not to go with it. But really, if it is that unimportant, then why are you on a VPS (not directed at anyone)? My 2 cents!
Last edited by gPowerHost; 10-29-2013 at 01:16 PM. Reason: spelling
