[Owasp-modsecurity-core-rule-set] exec: script for specific directory

hans mayer mod.sec at ma.yer.at
Sat Jul 21 20:48:15 UTC 2018



Hi Manuel,

Many thanks for your reply.

I played around with a rule like this
SecRule HIGHEST_SEVERITY "@le 90" "...."
but this never triggered.
With a SecAction rule I have seen HIGHEST_SEVERITY is always 255.
This means it is uninitialized.
Based on the wiki at github values can be between 0 and 7
But not for me. And maybe HIGHEST_SEVERITY is not that what 
documentation says about severity.

I also tried the following rule
SecAction 
"id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
In my script I see tx.anomaly_score is empty for a normal browser query 
but set to 0 if it is an attack.
This I could use to trigger a script in case of an attack.

But I don't want that this shell script is executed each time someone is 
visting this URL.
So I tried a rule
SecRule tx.anomaly_score "@ge 0" 
id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
But in this case Apache does not start, it terminates with
Error creating rule: Unknown variable: tx.anomaly_score

I tried to understand your e-mail. But obviously I do not.
Could you give me some detailed explanation how-to configure a rule that 
triggers a script if another rules detects previously an attack ?


Kind regards
Hans








On 21.07.18, 01:05, spartantri at gmail.com wrote:
> Hi Hans, you can do a secrule in phase 5 that checks for the anomaly 
> score higher than the threshold
>
> Cheers
>
> Sent from mobile
>
> El 20 jul 2018, a las 15:32, hans mayer <mod.sec at ma.yer.at 
> <mailto:mod.sec at ma.yer.at>> escribió:
>
>>
>>
>> Hi Manuel,
>>
>> Sorry, obviously I didn't explain well enough what I want to do.
>> I do not want to run a script every time a block ( = certain 
>> directory structure or URL )
>> is read by a client.
>> A script should only be triggered if one of these core rules from CRS
>> found an attack and is blocking.
>> Only in this situation a script should run for this specific URL.
>> I hope this describes a little bit better.
>> I tried different possibilities, for example with SecRule 
>> HIGHEST_SEVERITY,
>> but all of them without success.
>>
>>
>> // Hans
>>
>>
>> On 19.07.18, 23:46, Manuel Spartan wrote:
>>> Hi Hans,
>>>
>>> it may not be the best idea to execute external scripts every time 
>>> you hit a block, it can easily result in a DOS situation, external 
>>> scripts take longer to execute resulting in longer processing times, 
>>> SecDefaultAction inside a directory must override the inherited 
>>> SecDefaultAction in higher context but that would depend on your 
>>> rules and apache configuration.
>>>
>>> Alternatively you may add a SecRule in phase 2 to check whatever 
>>> condition you are targetting and use ctl:SkipAfter to jump the 
>>> SecAction in phase 2. See how the paranoia markers and actions work 
>>> as they use the same concept.
>>>
>>> Cheers!
>>>
>>> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at 
>>> <mailto:mod.sec at ma.yer.at>>:
>>>
>>>
>>>     Dear All,
>>>
>>>     My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
>>>
>>>     I want to achieve whenever any security rule is triggered a
>>>     script should be executed for a specific directory.
>>>
>>>     In the global Apache security module settings I have this line:
>>>
>>>     SecDefaultAction "phase:2,deny,log,status:406"
>>>
>>>     which does it's job very well
>>>
>>>     So my idea was I define a similar line for this specific
>>>     directory. In my apache http.conf I have:
>>>
>>>     <Directory  "/some/directory/path">
>>>          SecDefaultAction
>>>     "phase:2,deny,log,status:406,exec:/path/to/script"
>>>     </Directory>
>>>
>>>     But obviously it doesn't work. The originally SecDefaultAction
>>>     is maybe executed first and not over ruled.
>>>     /path/to/script is never executed.
>>>     But an attack is successfully blocked.
>>>
>>>     To verify if this script is generally working I modified this
>>>     line to:
>>>
>>>     SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
>>>     everything',exec:///path/to/script"
>>>
>>>     And this works fine. My script is executed. But it triggers each
>>>     time a browser is going to "/some/directory/path" on this
>>>     server. Even if it's doing legal things.
>>>
>>>     Any idea how I could solve my problem ? Any help is appreciated.
>>>
>>>     I know version 3 is out with a lot of bugfixes. But currently I
>>>     don't want to upgrade.
>>>
>>>     Kind regards
>>>     Hans
>>>
>>>     -- 
>>>
>>>
>>>     _______________________________________________
>>>     Owasp-modsecurity-core-rule-set mailing list
>>>     Owasp-modsecurity-core-rule-set at lists.owasp.org
>>>     <mailto:Owasp-modsecurity-core-rule-set at lists.owasp.org>
>>>     https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>     <https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set>
>>>
>>>
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20180721/7d34efd0/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list