[Owasp-modsecurity-core-rule-set] exec: script for specific directory
mod.sec at ma.yer.at
Fri Jul 20 20:32:36 UTC 2018
Sorry, obviously I didn't explain well enough what I want to do.
I do not want to run a script every time a block ( = certain directory
structure or URL ) is read by a client.
A script should only be triggered if one of these core rules from CRS
found an attack and is blocking.
Only in this situation a script should run for this specific URL.
I hope this describes it a little bit better.
I tried different possibilities, for example with SecRule HIGHEST_SEVERITY,
but all of them without success.
On 19.07.18, 23:46, Manuel Spartan wrote:
> Hi Hans,
> it may not be the best idea to execute external scripts every time you
> hit a block, it can easily result in a DoS situation, external scripts
> take longer to execute resulting in longer processing times,
> SecDefaultAction inside a directory must override the inherited
> SecDefaultAction in higher context but that would depend on your rules
> and apache configuration.
> Alternatively you may add a SecRule in phase 2 to check whatever
> condition you are targeting and use ctl:SkipAfter to jump the
> SecAction in phase 2. See how the paranoia markers and actions work as
> they use the same concept.
> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at
> <mailto:mod.sec at ma.yer.at>>:
> Dear All,
> My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
> I want to achieve that whenever any security rule is triggered, a script
> is executed for a specific directory.
> In the global Apache security module settings I have this line:
> SecDefaultAction "phase:2,deny,log,status:406"
> which does its job very well.
> So my idea was I define a similar line for this specific
> directory. In my apache http.conf I have:
> <Directory "/some/directory/path">
> But obviously it doesn't work. The original SecDefaultAction is
> maybe executed first and not overruled.
> /path/to/script is never executed.
> But an attack is successfully blocked.
> To verify if this script is generally working I modified this line to:
> SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
> And this works fine. My script is executed. But it triggers each
> time a browser is going to "/some/directory/path" on this server.
> Even if it's doing legal things.
> Any idea how I could solve my problem? Any help is appreciated.
> I know version 3 is out with a lot of bugfixes. But currently I
> don't want to upgrade.
> Kind regards
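Added example, not part of the original thread and not a configuration posted by either participant: one way to make the `exec` conditional is to put the condition on the phase-5 rule that carries it, so the script starts only for transactions in which a CRS rule matched. It assumes CRS rules add to `TX:ANOMALY_SCORE` when they match (and, for the commented alternative, the CRS 3 threshold variable name); the rule ids 10004 and 10005 and the `msg` texts are made up, and the two paths are the placeholders used in the thread.

```apache
# Added example: run the script only when CRS flagged the transaction.
# Assumption: matching CRS rules increment TX:ANOMALY_SCORE.
<Directory "/some/directory/path">
    # Phase 5 (logging) still runs after a phase-2 deny, so the score set
    # by the blocking rule is visible here. A clean request leaves the
    # variable unset or at 0, the rule does not match, and exec never fires.
    SecRule TX:ANOMALY_SCORE "@gt 0" \
        "id:10004,phase:5,pass,log,auditlog,\
        msg:'CRS rule matched under protected directory',\
        exec:/path/to/script"

    # Alternative for anomaly-scoring mode (assumes CRS 3 variable names):
    # fire only when the score reached the blocking threshold.
    # Use this instead of rule 10004, not in addition to it.
    # SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    #     "id:10005,phase:5,pass,log,auditlog,\
    #     msg:'CRS blocked request under protected directory',\
    #     exec:/path/to/script"
</Directory>
```

The script has to write something to stdout, otherwise ModSecurity records the `exec` as failed. Every matching request starts one process, which is the DoS concern raised in the reply, so the script should return quickly.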