[Owasp-modsecurity-core-rule-set] exec: script for specific directory

hans mayer mod.sec at ma.yer.at
Sun Jul 22 15:35:55 UTC 2018


It says:
Engine Mode  modsecurity 2.7+ only
Producer Rule Set    ModSecurity for Apache/2.8.0 
(http://www.modsecurity.org/).

rule set seems to be
Core ModSecurity Rule Set ver.2.2.9


// Hans



On 22.07.18, 02:17, spartantri at gmail.com wrote:
> What modsec and CRS versions are you using?
>
> Sent from mobile
>
> El 21 jul 2018, a las 15:48, hans mayer <mod.sec at ma.yer.at 
> <mailto:mod.sec at ma.yer.at>> escribió:
>
>>
>>
>> Hi Manuel,
>>
>> Many thanks for your reply.
>>
>> I played around with a rule like this
>> SecRule HIGHEST_SEVERITY "@le 90" "...."
>> but this never triggered.
>> With a SecAction rule I have seen HIGHEST_SEVERITY is always 255.
>> This means it is uninitialized.
>> Based on the wiki at github values can be between 0 and 7
>> But not for me. And maybe HIGHEST_SEVERITY is not that what 
>> documentation says about severity.
>>
>> I also tried the following rule
>> SecAction 
>> "id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
>> In my script I see tx.anomaly_score is empty for a normal browser 
>> query but set to 0 if it is an attack.
>> This I could use to trigger a script in case of an attack.
>>
>> But I don't want this shell script to be executed each time someone 
>> is visiting this URL.
>> So I tried a rule
>> SecRule tx.anomaly_score "@ge 0" 
>> "id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
>> But in this case Apache does not start, it terminates with
>> Error creating rule: Unknown variable: tx.anomaly_score
>>
>> I tried to understand your e-mail. But obviously I do not.
>> Could you give me a detailed explanation of how to configure a rule 
>> that triggers a script if another rule has previously detected an attack?
>>
>>
>> Kind regards
>> Hans
>>
>> On 21.07.18, 01:05, spartantri at gmail.com wrote:
>>> Hi Hans, you can do a secrule in phase 5 that checks for the anomaly 
>>> score higher than the threshold
>>>
>>> Cheers
>>>
>>> Sent from mobile
>>>
>>> El 20 jul 2018, a las 15:32, hans mayer <mod.sec at ma.yer.at 
>>> <mailto:mod.sec at ma.yer.at>> escribió:
>>>
>>>>
>>>>
>>>> Hi Manuel,
>>>>
>>>> Sorry, obviously I didn't explain well enough what I want to do.
>>>> I do not want to run a script every time a block ( = certain 
>>>> directory structure or URL )
>>>> is read by a client.
>>>> A script should only be triggered if one of these core rules from CRS
>>>> found an attack and is blocking.
>>>> Only in this situation a script should run for this specific URL.
>>>> I hope this describes a little bit better.
>>>> I tried different possibilities, for example with SecRule 
>>>> HIGHEST_SEVERITY,
>>>> but all of them without success.
>>>>
>>>>
>>>> // Hans
>>>>
>>>>
>>>> On 19.07.18, 23:46, Manuel Spartan wrote:
>>>>> Hi Hans,
>>>>>
>>>>> it may not be the best idea to execute external scripts every time 
>>>>> you hit a block, it can easily result in a DOS situation, external 
>>>>> scripts take longer to execute resulting in longer processing 
>>>>> times, SecDefaultAction inside a directory must override the 
>>>>> inherited SecDefaultAction in higher context but that would depend 
>>>>> on your rules and apache configuration.
>>>>>
>>>>> Alternatively you may add a SecRule in phase 2 to check whatever 
>>>>> condition you are targeting and use ctl:SkipAfter to jump the 
>>>>> SecAction in phase 2. See how the paranoia markers and actions 
>>>>> work as they use the same concept.
>>>>>
>>>>> Cheers!
>>>>>
>>>>> 2018-07-19 15:11 GMT-05:00 hans mayer <mod.sec at ma.yer.at 
>>>>> <mailto:mod.sec at ma.yer.at>>:
>>>>>
>>>>>
>>>>>     Dear All,
>>>>>
>>>>>     My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
>>>>>
>>>>>     I want to achieve whenever any security rule is triggered a
>>>>>     script should be executed for a specific directory.
>>>>>
>>>>>     In the global Apache security module settings I have this line:
>>>>>
>>>>>     SecDefaultAction "phase:2,deny,log,status:406"
>>>>>
>>>>>     which does its job very well
>>>>>
>>>>>     So my idea was I define a similar line for this specific
>>>>>     directory. In my apache http.conf I have:
>>>>>
>>>>>     <Directory  "/some/directory/path">
>>>>>          SecDefaultAction
>>>>>     "phase:2,deny,log,status:406,exec:/path/to/script"
>>>>>     </Directory>
>>>>>
>>>>>     But obviously it doesn't work. The original SecDefaultAction
>>>>>     is maybe executed first and not overruled.
>>>>>     /path/to/script is never executed.
>>>>>     But an attack is successfully blocked.
>>>>>
>>>>>     To verify if this script is generally working I modified this
>>>>>     line to:
>>>>>
>>>>>     SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
>>>>>     everything',exec:///path/to/script"
>>>>>
>>>>>     And this works fine. My script is executed. But it triggers
>>>>>     each time a browser is going to "/some/directory/path" on this
>>>>>     server. Even if it's doing legal things.
>>>>>
>>>>>     Any idea how I could solve my problem ? Any help is appreciated.
>>>>>
>>>>>     I know version 3 is out with a lot of bugfixes. But currently
>>>>>     I don't want to upgrade.
>>>>>
>>>>>     Kind regards
>>>>>     Hans
>>>>>
>>>>
>>
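The phase-5 rule Manuel describes, written out as an added example (this is not configuration from the thread or from the CRS project). It targets ModSecurity 2.x with CRS 2.2.x, where the CRS sets TX:ANOMALY_SCORE and tx.inbound_anomaly_score_level; `/some/directory/path`, `/path/to/script` and the environment variable name `crs_anomaly_score` are placeholders of my choosing. Two details explain the failures in the thread: a SecRule target must be written as collection:key (`TX:ANOMALY_SCORE`), while the dotted form `tx.anomaly_score` is only valid inside a `%{...}` macro, which is why Apache refused to start; and `SecDefaultAction` only applies to rules that follow it in the same configuration context, so a copy inside `<Directory>` does not reach the CRS rules that were included globally.

```apache
# Added example (not from the thread): run an external script only when the
# CRS anomaly score of this request reached the inbound blocking threshold.
# Assumes ModSecurity 2.x + CRS 2.2.x; directory, script path and the
# crs_anomaly_score environment variable name are placeholders.
<Directory "/some/directory/path">
    # Phase 5 (logging) runs after every request and response rule, including
    # the CRS blocking evaluation, so the score is final here. It still runs
    # for requests that phase 2 already denied, which is what we want.
    #
    # If the CRS never set TX:ANOMALY_SCORE (a clean request), the target
    # variable is absent, the rule does not match and nothing is executed.
    #
    # @ge performs macro expansion, so the threshold is taken from the CRS
    # setting instead of being hard-coded. "pass" is the correct
    # non-disruptive action; phase 5 cannot block anyway.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
        "id:10003,phase:5,pass,log,t:none,\
        msg:'Anomaly score %{TX.ANOMALY_SCORE} reached the inbound threshold, running handler',\
        setenv:crs_anomaly_score=%{tx.anomaly_score},\
        exec:/path/to/script"
</Directory>
```

Check the syntax with `apachectl configtest` before reloading. The script is spawned once per request that actually crossed the threshold, not on every visit to the directory; as Manuel notes, exec adds a process launch to the request path, so the script should exit quickly and hand any slow work to something outside the request.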
