[Owasp-modsecurity-core-rule-set] exec: script for specific directory
mod.sec at ma.yer.at
Sat Jul 21 20:48:15 UTC 2018
Many thanks for your reply.
I played around with a rule like this
SecRule HIGHEST_SEVERITY "@le 90" "...."
but this never triggered.
With a SecAction rule I have seen HIGHEST_SEVERITY is always 255.
This means it is uninitialized.
Based on the wiki at GitHub, values can be between 0 and 7.
But not for me. And maybe HIGHEST_SEVERITY is not what the
documentation says about severity.
I also tried the following rule
In my script I see tx.anomaly_score is empty for a normal browser query
but set to 0 if it is an attack.
This I could use to trigger a script in case of an attack.
But I don't want this shell script to be executed each time someone is
visiting this URL.
So I tried a rule
SecRule tx.anomaly_score "@ge 0"
But in this case Apache does not start, it terminates with
Error creating rule: Unknown variable: tx.anomaly_score
I tried to understand your e-mail. But obviously I do not.
Could you give me a detailed explanation of how to configure a rule that
triggers a script if another rule has previously detected an attack?
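The phase 5 check Manuel describes, written out as an added example (this is not configuration from anyone in the thread). It assumes CRS 3 variable names, a placeholder rule id and script path, and the same directory as above:

```apache
# Added example: run a script only for requests under one directory, and only
# when CRS has already scored the request as an attack. Placeholders: rule id
# 10004, /path/to/script. Not from the thread.
<Directory "/some/directory/path">
    # Phase 5 (logging) runs after CRS has summed the anomaly score in phase 2,
    # and it still runs for a request that phase 2 denied.
    # Variables are written as COLLECTION:key. A bare "tx.anomaly_score" is what
    # produced the "Unknown variable" error when Apache started.
    # Threshold name assumed from CRS 3 (tx.inbound_anomaly_score_threshold);
    # CRS 2.2.x calls it tx.inbound_anomaly_score_level.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
        "id:10004,phase:5,pass,log,\
        msg:'Anomaly score %{TX.ANOMALY_SCORE} reached threshold, running script',\
        exec:/path/to/script"
</Directory>
```

Manuel's concern about execution time still applies: exec runs synchronously inside the request, so the script should do no more than record the event and hand the work to something asynchronous.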
On 21.07.18, 01:05, spartantri at gmail.com wrote:
> Hi Hans, you can do a secrule in phase 5 that checks for the anomaly
> score higher than the threshold
> Sent from mobile
> On 20 Jul 2018, at 15:32, hans mayer <mod.sec at ma.yer.at> wrote:
>> Hi Manuel,
>> Sorry, obviously I didn't explain well enough what I want to do.
>> I do not want to run a script every time a block ( = certain
>> directory structure or URL )
>> is read by a client.
>> A script should only be triggered if one of these core rules from CRS
>> found an attack and is blocking.
>> Only in this situation should a script run for this specific URL.
>> I hope this describes it a little bit better.
>> I tried different possibilities, for example with SecRule
>> but all of them without success.
>> // Hans
>> On 19.07.18, 23:46, Manuel Spartan wrote:
>>> Hi Hans,
>>> it may not be the best idea to execute external scripts every time
>>> you hit a block; it can easily result in a DoS situation, as external
>>> scripts take longer to execute, resulting in longer processing times.
>>> A SecDefaultAction inside a directory must override the inherited
>>> SecDefaultAction in the higher context, but that would depend on your
>>> rules and Apache configuration.
>>> Alternatively you may add a SecRule in phase 2 to check whatever
>>> condition you are targeting and use ctl:SkipAfter to jump over the
>>> SecAction in phase 2. See how the paranoia markers and actions work,
>>> as they use the same concept.
>>> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at>:
>>> Dear All,
>>> My environment: Apache/2.4, engine mode: /modsecurity 2.7+
>>> I want to achieve that whenever any security rule is triggered, a
>>> script is executed for a specific directory.
>>> In the global Apache security module settings I have this line:
>>> SecDefaultAction "phase:2,deny,log,status:406"
>>> which does its job very well.
>>> So my idea was I define a similar line for this specific
>>> directory. In my apache http.conf I have:
>>> <Directory "/some/directory/path">
>>> But obviously it doesn't work. The original SecDefaultAction
>>> is maybe executed first and not overruled.
>>> /path/to/script is never executed.
>>> But an attack is successfully blocked.
>>> To verify if this script is generally working I modified this
>>> line to:
>>> SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
>>> And this works fine. My script is executed. But it triggers each
>>> time a browser is going to "/some/directory/path" on this
>>> server. Even if it's doing legal things.
>>> Any idea how I could solve my problem? Any help is appreciated.
>>> I know version 3 is out with a lot of bugfixes. But currently I
>>> don't want to upgrade.
>>> Kind regards