[Owasp-modsecurity-core-rule-set] exec: script for specific directory

hans mayer mod.sec at ma.yer.at
Fri Jul 20 20:32:36 UTC 2018

Hi Manuel,

Sorry, obviously I didn't explain well enough what I want to do.
I do not want to run a script every time a block (= certain directory
structure or URL) is read by a client.
A script should only be triggered if one of these core rules from CRS
found an attack and is blocking.
Only in this situation should a script run for this specific URL.
I hope this describes it a little bit better.
I tried different possibilities, for example with SecRule HIGHEST_SEVERITY,
but all of them without success.

// Hans

On 19.07.18, 23:46, Manuel Spartan wrote:
> Hi Hans,
> it may not be the best idea to execute external scripts every time you
> hit a block; it can easily result in a DOS situation. External scripts
> take longer to execute, resulting in longer processing times.
> SecDefaultAction inside a directory must override the inherited
> SecDefaultAction in higher context, but that would depend on your rules
> and apache configuration.
> Alternatively you may add a SecRule in phase 2 to check whatever
> condition you are targeting and use ctl:SkipAfter to jump the
> SecAction in phase 2. See how the paranoia markers and actions work as
> they use the same concept.
> Cheers!
> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at>:
>     Dear All,
>     My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
>     I want to achieve whenever any security rule is triggered a script
>     should be executed for a specific directory.
>     In the global Apache security module settings I have this line:
>     SecDefaultAction "phase:2,deny,log,status:406"
>     which does its job very well.
>     So my idea was I define a similar line for this specific
>     directory. In my apache http.conf I have:
>     <Directory "/some/directory/path">
>          SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"
>     </Directory>
>     But obviously it doesn't work. The original SecDefaultAction is
>     maybe executed first and not overruled.
>     /path/to/script is never executed.
>     But an attack is successfully blocked.
>     To verify if this script is generally working I modified this line to:
>     SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
>     everything',exec:///path/to/script"
>     And this works fine. My script is executed. But it triggers each
>     time a browser is going to "/some/directory/path" on this server.
>     Even if it's doing legal things.
>     Any idea how I could solve my problem? Any help is appreciated.
>     I know version 3 is out with a lot of bugfixes. But currently I
>     don't want to upgrade.
>     Kind regards
>     Hans
>     -- 
>     _______________________________________________
>     Owasp-modsecurity-core-rule-set mailing list
>     Owasp-modsecurity-core-rule-set at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
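One way to get the behaviour Hans is after with ModSecurity 2.x, as an added example that is not part of the thread or of CRS: the phase-2 deny from the CRS blocking rule stops later phase-2 rules, but phase 5 (logging) still runs for the blocked request, so the exec can be attached to a phase-5 rule that only matches when the request was actually blocked. Assumptions: CRS 3.x anomaly-scoring mode (variables tx.anomaly_score and tx.inbound_anomaly_score_threshold), the global SecDefaultAction from the thread (deny with status 406), and the arbitrary local rule id 10004.

```apache
# Added example, not from the mailing-list thread.
# Global default from the thread: CRS blocks in phase 2 with a 406.
SecDefaultAction "phase:2,deny,log,status:406"

<Directory "/some/directory/path">
    # Phase 5 is the logging phase: it runs even when the request was
    # denied in phase 2, so the script fires only for blocked requests
    # under this directory and not for every ordinary visit.
    #
    # Both conditions are chained (logical AND):
    #   1. the response really is the 406 produced by the deny, so a
    #      request that merely scored high in DetectionOnly mode does
    #      not trigger the script;
    #   2. the CRS inbound anomaly score reached the blocking threshold,
    #      so a 406 returned by the application itself does not either.
    #
    # exec is a non-disruptive action and may sit on the last rule of the
    # chain; it only runs once every rule in the chain has matched.
    # Rule id 10004 and /path/to/script are assumed values.
    SecRule RESPONSE_STATUS "@eq 406" \
        "id:10004,phase:5,pass,log,\
        msg:'CRS blocked a request below /some/directory/path',\
        chain"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
            "exec:/path/to/script"
</Directory>
```

Manuel's DOS warning still applies: the script runs synchronously inside the request, so keep it short or have it only enqueue work for a separate process.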
