[Owasp-modsecurity-core-rule-set] Owasp-modsecurity-core-rule-set Digest, Vol 83, Issue 23

Ilyass Kaouam ilyassikai at gmail.com
Fri Mar 18 12:21:27 UTC 2016


Hi,

*Sending alert emails*

As an example, suppose that we wanted to execute a script to email us an
alert message whenever an attempted SQL injection exploit was detected. To
do this, we need two things:

1. A script file that has the ability to email an alert to a specified
email address.

2. A rule that will invoke the email script when a rule match is detected.

For the script, we will use a standard shell script that invokes /bin/sh,
though we could have easily used Perl or any other scripting language. We
will email the alert to user at example.com.

Create a file named email.sh in the directory /usr/local/bin and type the
following in it:

#!/bin/sh

# Send a one-line alert; mail's -s flag sets the subject line.
echo "An SQL injection attempt was blocked" | mail -s "ModSecurity Alert" user@example.com

# ModSecurity expects the script to write something to stdout on success.
echo Done.

The script invokes the mail binary to send an email with the subject
*ModSecurity Alert* to user at example.com. The last line of the script writes
the string *Done.* to stdout. This is so that ModSecurity will recognize that
the script has executed successfully.

We now have to make the script executable so that it can be invoked when a
rule matches:

$ chmod a+rx /usr/local/bin/email.sh

Now all that is left is to create a rule that will trigger the alert script:

SecRule ARGS "drop table" "deny,exec:/usr/local/bin/email.sh"

You can now test out this rule by attempting to access
http://yourserver/?test=drop%20table. If you've substituted your own email
address in the example above you should get an email telling you that an
SQL injection attempt has just been blocked.

Receiving such an email can be useful to quickly be alerted of any ongoing
attacks. However, what if we wanted the email to contain a little more
information on the attempted exploit; would that be possible? Yes, it's not
only possible, it's also a very good idea, since more information about an
alert can allow us to decide whether it is something to investigate more
in-depth (such as when we detect that it's not just an automated
vulnerability scanner pounding away at our server but actually a hacker
probing for weaknesses with manually crafted exploit URLs).

*Sending more detailed alert emails*

ModSecurity allows us to set environment variables via the setenv action.
By populating environment variables with suitable data we can record more
information about the request that was blocked.

Suppose we would like to gather the following data when an attempted SQL
injection is detected:

The hostname of the server where the alert occurred

The remote user's IP address and hostname

The full request URI

The values of all arguments, whether they were sent using the GET or POST
method

The unique ID for the request, so we can find this alert in the log files

We will place this information in six separate environment variables, which
we will call HOSTNAME, REMOTEIP, REMOTEHOST, REQUESTURI, ARGS, and UNIQUEID.
Our modified rule now looks like this:

SecRule ARGS "drop table" "deny,t:lowercase,setenv:HOSTNAME=%{SERVER_NAME},\
  setenv:REMOTEIP=%{REMOTE_ADDR},setenv:REMOTEHOST=%{REMOTE_HOST},\
  setenv:REQUESTURI=%{REQUEST_URI},setenv:ARGS=%{ARGS},\
  setenv:UNIQUEID=%{UNIQUE_ID},exec:/usr/local/bin/email.sh"

Now all we have to do is modify the email script so that it places the
environment variables in the email body:

#!/bin/sh

# The variables below are populated by the setenv actions in the rule.
echo "
An SQL injection attempt was blocked:
Server: $HOSTNAME
Attacking IP: $REMOTEIP
Attacking host: $REMOTEHOST
Request URI: $REQUESTURI
Arguments: $ARGS
Unique ID: $UNIQUEID
Time: `date '+%D %H:%M'`
" | mail -s 'ModSecurity Alert' user@example.com

# ModSecurity expects the script to write something to stdout on success.
echo Done.

As you can see, we use a multi-line echo statement to get all the
information nicely formatted. Since this is a shell script, it will replace
$HOSTNAME and the other environment variables with the value we set the
variables to in our ModSecurity rule. The last line of the echo statement
also adds a timestamp with today's date and the current time by invoking the
date command and placing backticks (`) around it, which causes the shell to
execute the command and substitute the command's output for it. Finally, the
data is piped into the mail binary, which sends an email with the subject
line *ModSecurity Alert* to the specified email address.

Again, at the end of the script we make sure to echo a dummy text to stdout to
make ModSecurity happy. If you test this script you should get a nicely
formatted email with all of the attacker's details.


From: ModSecurity 2.5 Securing your Apache installation and web applications
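As an added example that is not part of the original post or the book it quotes, here is a hardened version of the email.sh script above: the fields that setenv copies from the request are stripped of control characters and length-capped before they reach the mail body, missing variables get a visible default, and "Done." is printed only after delivery succeeded. MAIL_TO and the 512-byte field limit are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or the ModSecurity book:
# a hardened email.sh for the exec action. ModSecurity's setenv exports the
# rule's values as environment variables; MAIL_TO and the 512-byte field
# limit are assumptions of this example.

# Attacker-controlled fields (ARGS, REQUESTURI) are copied verbatim by
# setenv, so strip control characters (newlines, terminal escapes) and cap
# the length before they reach the mail body or a log reader's terminal.
sanitize() {
    printf '%s' "$1" | tr -d '[:cntrl:]' | cut -c1-512
}

# Build the alert text; any variable the rule did not set reads "unknown"
# (REMOTEHOST is empty, for instance, when reverse lookups are disabled).
build_alert_body() {
    cat <<EOF
An SQL injection attempt was blocked:
Server:         $(sanitize "${HOSTNAME:-unknown}")
Attacking IP:   $(sanitize "${REMOTEIP:-unknown}")
Attacking host: $(sanitize "${REMOTEHOST:-unknown}")
Request URI:    $(sanitize "${REQUESTURI:-unknown}")
Arguments:      $(sanitize "${ARGS:-unknown}")
Unique ID:      $(sanitize "${UNIQUEID:-unknown}")
Time:           $(date '+%Y-%m-%d %H:%M:%S')
EOF
}

# exec runs the script once per match and expects output on stdout; print
# "Done." only after mail succeeded, so a failed delivery is reported by
# ModSecurity instead of being treated as a sent alert.
main() {
    if build_alert_body | mail -s "ModSecurity Alert" "${MAIL_TO:-user@example.com}"; then
        echo Done.
    else
        echo "email.sh: mail delivery failed" >&2
        exit 1
    fi
}

# Run only when invoked as the installed script, so the functions above can
# be sourced and exercised without sending mail.
case "${0##*/}" in
    email.sh) main ;;
esac
```

Install it as /usr/local/bin/email.sh with the chmod shown earlier; the rule needs no change beyond the setenv actions already listed.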

2016-03-18 12:00 GMT+00:00 <owasp-modsecurity-core-rule-set-request at lists.owasp.org>:

> Message: 1
> Date: Thu, 17 Mar 2016 14:48:13 +0000
> From: Leonardo Oliveira Ortiz <leonardo.ortiz at marisolsa.com>
> To: "Owasp-modsecurity-core-rule-set at lists.owasp.org"
>         <Owasp-modsecurity-core-rule-set at lists.owasp.org>
> Subject: [Owasp-modsecurity-core-rule-set] Mail notification for all
>         rules
> Message-ID: <59E8C16E83D82B439E20698AAC790B5F0143EE2939 at ma46>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello guys.
>
> How can I configure modsecurity to send an e-mail when some rule matches?
> I want something "global", for all rules.
>
> Thks.

