Hi,

*Sending alert emails*

As an example, suppose that we wanted to execute a script to email us an alert message whenever an attempted SQL injection exploit was detected. To do this, we need two things:

1. A script file that has the ability to email an alert to a specified email address.
2. A rule that will invoke the email script when a rule match is detected.

For the script, we will use a standard shell script that invokes /bin/sh, though we could have easily used Perl or any other scripting language. We will email the alert to u...@example.com. Create a file named email.sh in the directory /usr/local/bin and type the following in it:

#!/bin/sh
echo "An SQL injection attempt was blocked" | mail -s "ModSecurity Alert" u...@example.com
echo Done.

The script invokes the mail binary to send an email with the subject *ModSecurity Alert* to u...@example.com. The last line of the script writes the string *Done.* to stdout. This is so that ModSecurity will recognize that the script has executed successfully. We now have to make the script executable so that it can be invoked when a rule matches:

$ chmod a+rx /usr/local/bin/email.sh

Now all that is left is to create a rule that will trigger the alert script:

SecRule ARGS "drop table" "deny,exec:/usr/local/bin/email.sh"

You can now test out this rule by attempting to access http://yourserver/?test=drop%20table. If you've substituted your own email address in the example above, you should get an email telling you that an SQL injection attempt has just been blocked. Receiving such an email can be useful to quickly be alerted of any ongoing attacks. However, what if we wanted the email to contain a little more information on the attempted exploit; would that be possible?
Yes, it's not only possible, it's also a very good idea, since more information about an alert can allow us to decide whether it is something to investigate more in-depth (such as when we detect that it's not just an automated vulnerability scanner pounding away at our server but actually a hacker probing for weaknesses with manually crafted exploit URLs).

*Sending more detailed alert emails*

ModSecurity allows us to set environment variables via the setenv action. By populating environment variables with suitable data we can record more information about the request that was blocked. Suppose we would like to gather the following data when an attempted SQL injection is detected:

- The hostname of the server where the alert occurred
- The remote user's IP address and hostname
- The full request URI
- The values of all arguments, whether they were sent using the GET or POST method
- The unique ID for the request, so we can find this alert in the log files

We will place this information in six separate environment variables, which we will call HOSTNAME, REMOTEIP, REMOTEHOST, REQUESTURI, ARGS, and UNIQUEID. Our modified rule now looks like this (note the macro syntax is %{VARIABLE}, and REMOTEHOST needs its own setenv so that the script below has a value for it):

SecRule ARGS "drop table" \
  "deny,t:lowercase,\
  setenv:HOSTNAME=%{SERVER_NAME},\
  setenv:REMOTEIP=%{REMOTE_ADDR},\
  setenv:REMOTEHOST=%{REMOTE_HOST},\
  setenv:REQUESTURI=%{REQUEST_URI},\
  setenv:ARGS=%{ARGS},\
  setenv:UNIQUEID=%{UNIQUE_ID},\
  exec:/usr/local/bin/email.sh"

Now all we have to do is modify the email script so that it places the environment variables in the email body:

#!/bin/sh
echo "
An SQL injection attempt was blocked:

Server: $HOSTNAME
Attacking IP: $REMOTEIP
Attacking host: $REMOTEHOST
Request URI: $REQUESTURI
Arguments: $ARGS
Unique ID: $UNIQUEID
Time: `date '+%D %H:%M'`
" | mail -s 'ModSecurity Alert' u...@example.com
echo Done.

As you can see, we use a multi-line echo statement to get all the information nicely formatted.
Since this is a shell script, it will replace $HOSTNAME and the other environment variables with the value we set the variables to in our ModSecurity rule. The last line of the echo statement also adds a timestamp with today's date and the current time by invoking the date command and placing backticks (`) around it, which causes the shell to execute the command and substitute the command's output for it. Finally, the data is piped into the mail binary, which sends an email with the subject line *ModSecurity Alert* to the specified email address. Again, at the end of the script we make sure to echo a dummy text to stdout to make ModSecurity happy. If you test this script you should get a nicely formatted email with all of the attacker's details.

From: ModSecurity 2.5 Securing your Apache installation and web applications

2016-03-18 12:00 GMT+00:00 <owasp-modsecurity-core-rule-set-requ...@lists.owasp.org>:
> Today's Topics:
>
>   1. Mail notification for all rules (Leonardo Oliveira Ortiz)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Mar 2016 14:48:13 +0000
> From: Leonardo Oliveira Ortiz <leonardo.or...@marisolsa.com>
> To: "Owasp-modsecurity-core-rule-set@lists.owasp.org" <Owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: [Owasp-modsecurity-core-rule-set] Mail notification for all rules
> Message-ID: <59E8C16E83D82B439E20698AAC790B5F0143EE2939@ma46>
>
> Hello guys.
>
> How can I configure modsecurity to send an e-mail when some rule matches?
> I want something "global", for all rules.
>
> Thks.
>
> ------------------------------
>
> End of Owasp-modsecurity-core-rule-set Digest, Vol 83, Issue 23
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
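As an added example (not from the book excerpt or from anyone in this thread), here is a more robust variant of the email.sh script above: every field has a fallback so an unset variable (REMOTEHOST is empty when Apache does not resolve hostnames) never blanks a line, the attacker-controlled values (ARGS, REQUESTURI) are only ever passed as quoted data on stdin, and the alert is always appended to a local spool file so nothing is lost if mail delivery fails. The function names, the SPOOL and MAIL_TO variables and the spool path are my own assumptions; the six ModSecurity-set variables are the ones from the rule above.

```sh
#!/bin/sh
# Added example, not the book's or the project's code. Assumes ModSecurity has
# exported HOSTNAME, REMOTEIP, REMOTEHOST, REQUESTURI, ARGS and UNIQUEID via
# setenv before calling this script with the exec action.

SPOOL="${SPOOL:-/tmp/modsec-alerts.log}"   # assumed path; always written to
# MAIL_TO is optional: when unset, the alert is only spooled, never mailed.

# Compose the alert body on stdout. Each field has a fallback so a missing
# setenv (e.g. REMOTEHOST with HostnameLookups Off) never yields a blank line.
# printf with quoted arguments keeps request data as data, never as code.
build_alert_body() {
    printf 'An SQL injection attempt was blocked:\n'
    printf 'Server:         %s\n' "${HOSTNAME:-unknown}"
    printf 'Attacking IP:   %s\n' "${REMOTEIP:-unknown}"
    printf 'Attacking host: %s\n' "${REMOTEHOST:-unresolved}"
    printf 'Request URI:    %s\n' "${REQUESTURI:-?}"
    printf 'Arguments:      %s\n' "${ARGS:-none}"
    printf 'Unique ID:      %s\n' "${UNIQUEID:-none}"
    printf 'Time:           %s\n' "$(date '+%Y-%m-%d %H:%M:%S %Z')"
}

# Deliver the alert: append it to the spool first (so a mail failure loses
# nothing), then mail it only if MAIL_TO is set and a mail binary exists.
send_alert() {
    body=$(build_alert_body)
    printf '%s\n---\n' "$body" >> "$SPOOL" || return 1
    if [ -n "${MAIL_TO:-}" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s 'ModSecurity Alert' "$MAIL_TO" || return 1
    fi
    return 0
}

# Number of alerts recorded in the spool (one '---' separator per alert).
alert_count() {
    if [ -f "$SPOOL" ]; then grep -c '^---$' "$SPOOL" || true; else echo 0; fi
}

# ModSecurity's exec action expects the script to write something to stdout.
send_alert && echo Done.
```

Point a ModSecurity rule at it exactly as in the book's example (exec:/usr/local/bin/email.sh), and set MAIL_TO in the script or the Apache environment to enable mail delivery.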