[Owasp-modsecurity-core-rule-set] exec: script for specific directory

spartantri at gmail.com spartantri at gmail.com
Fri Jul 20 23:05:39 UTC 2018


Hi Hans, you can do a SecRule in phase 5 that checks for an anomaly score higher than the threshold.

Cheers

Sent from mobile

> On 20 Jul 2018, at 15:32, hans mayer <mod.sec at ma.yer.at> wrote:
> 
> 
> 
> Hi Manuel, 
> 
> Sorry, obviously I didn't explain well enough what I want to do. 
> I do not want to run a script every time a block ( = certain directory structure or URL ) 
> is read by a client. 
> A script should only be triggered if one of these core rules from CRS 
> found an attack and is blocking. 
> Only in this situation a script should run for this specific URL.
> I hope this describes a little bit better. 
> I tried different possibilities, for example with SecRule HIGHEST_SEVERITY,
> but all of them without success. 
> 
> 
> // Hans 
> 
> 
>> On 19.07.18, 23:46, Manuel Spartan wrote:
>> Hi Hans, 
>> 
>> it may not be the best idea to execute external scripts every time you hit a block, it can easily result in a DOS situation, external scripts take longer to execute resulting in longer processing times, SecDefaultAction inside a directory must override the inherited SecDefaultAction in higher context but that would depend on your rules and apache configuration.
>> 
>> Alternatively you may add a SecRule in phase 2 to check whatever condition you are targeting and use ctl:SkipAfter to jump the SecAction in phase 2. See how the paranoia markers and actions work as they use the same concept.
>> 
>> Cheers! 
>> 
>> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at>:
>>> 
>>> Dear All,
>>> 
>>> My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
>>> 
>>> I want to achieve that whenever any security rule is triggered, a script is executed for a specific directory.
>>> 
>>> In the global Apache security module settings I have this line:
>>> 
>>> SecDefaultAction "phase:2,deny,log,status:406"
>>> 
>>> which does its job very well.
>>> 
>>> So my idea was I define a similar line for this specific directory. In my apache http.conf I have:
>>> 
>>> <Directory  "/some/directory/path">
>>>      SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"
>>> </Directory>
>>> 
>>> But obviously it doesn't work. The original SecDefaultAction is maybe executed first and not overruled.
>>> /path/to/script is never executed.
>>> But an attack is successfully blocked.
>>> 
>>> To verify if this script is generally working I modified this line to:
>>> 
>>> SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log everything',exec:///path/to/script"
>>> 
>>> And this works fine. My script is executed. But it triggers each time a browser is going to "/some/directory/path" on this server. Even if it's doing legal things.
>>> 
>>> Any idea how I could solve my problem ? Any help is appreciated.
>>> 
>>> I know version 3 is out with a lot of bugfixes. But currently I don't want to upgrade.
>>> 
>>> Kind regards
>>> Hans
>>> 
>> 
> 
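The phase 5 check suggested in the reply at the top of this message, written out as an added example that is not part of the original thread. It assumes CRS 3.x variable names (`tx.anomaly_score`, `tx.inbound_anomaly_score_threshold`) and anomaly scoring mode; the rule id 10004 is an arbitrary local id, and the directory and script paths are the placeholders from the original post.

```apache
# Added example (not from the thread). Assumptions: CRS 3.x in anomaly
# scoring mode, local rule id 10004, placeholder paths from the post.
<Directory "/some/directory/path">
    # Phase 5 (logging) runs after the CRS rules have scored the request,
    # so the inbound anomaly score is final when this rule is evaluated.
    # The rule matches only when the score reached the blocking threshold;
    # ordinary requests to this directory do not start the script.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
        "id:10004,\
        phase:5,\
        pass,\
        t:none,\
        log,\
        auditlog,\
        msg:'Anomaly threshold reached (score %{tx.anomaly_score}), running script',\
        exec:/path/to/script"
</Directory>
```

The script runs once per request that crosses the threshold, so the processing-time concern raised earlier in the thread still applies to anything slow in it. ModSecurity 2.x expects the exec script to write something to stdout and records a failure otherwise.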