It says:
Engine Mode modsecurity 2.7+ only
Producer Rule Set ModSecurity for Apache/2.8.0
(http://www.modsecurity.org/).
The rule set seems to be
Core ModSecurity Rule Set ver.2.2.9
// Hans
On 22.07.18, 02:17, spartan...@gmail.com wrote:
What modsec and CRS versions are you using?
Sent from mobile
On 21 Jul 2018, at 15:48, hans mayer <mod....@ma.yer.at> wrote:
Hi Manuel,
Many thanks for your reply.
I played around with a rule like this
SecRule HIGHEST_SEVERITY "@le 90" "...."
but this never triggered.
With a SecAction rule I have seen HIGHEST_SEVERITY is always 255.
This means it is uninitialized.
Based on the wiki at github values can be between 0 and 7
But not for me. And maybe HIGHEST_SEVERITY is not what the
documentation says about severity.
I also tried the following rule
SecAction
"id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
In my script I see tx.anomaly_score is empty for a normal browser
query but set to 0 if it is an attack.
This I could use to trigger a script in case of an attack.
But I don't want this shell script to be executed each time someone
is visiting this URL.
So I tried a rule
SecRule tx.anomaly_score "@ge 0"
"id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
But in this case Apache does not start, it terminates with
Error creating rule: Unknown variable: tx.anomaly_score
I tried to understand your e-mail. But obviously I do not.
Could you give me some detailed explanation of how to configure a rule
that triggers a script if another rule has previously detected an attack?
Kind regards
Hans
On 21.07.18, 01:05, spartan...@gmail.com wrote:
Hi Hans, you can do a SecRule in phase 5 that checks for the anomaly
score higher than the threshold.
Cheers
Sent from mobile
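The rule Manuel describes, written out as an added example (this is not code from the thread, from ModSecurity or from the CRS project). It assumes CRS 2.2.9 running in anomaly-scoring mode, i.e. modsecurity_crs_10_setup.conf sets tx.anomaly_score_blocking=on and tx.inbound_anomaly_score_level; rule id 10003, the environment variable bodypost and /path/to/script are taken from Hans's attempts, and blocked_uri is an assumed name. Two points the thread turns on: a SecRule target is written TX:name (the tx.name form is macro syntax, valid only inside %{...}, which is why Apache reports it as an unknown variable), and phase 5 (logging) still runs after a phase 2 deny, so a logging-phase rule sees the final score. A SecDefaultAction inside <Directory> cannot achieve this, because SecDefaultAction only applies to rules defined after it in the same context and the CRS rules were already compiled with the global default.

```apache
# Added example, not from the thread: run a script only when CRS has flagged
# a request to this directory. Assumes CRS 2.2.9 in anomaly-scoring mode
# (tx.anomaly_score_blocking=on and tx.inbound_anomaly_score_level set in
# modsecurity_crs_10_setup.conf) and must be loaded after the CRS Include lines.
<Directory "/some/directory/path">
    # Target syntax is TX:name; "tx.anomaly_score" is only valid inside %{...}.
    # phase:5 runs even after a phase:2 deny, so the score seen here is final.
    # pass is used because no disruptive action is possible in phase 5.
    # blocked_uri is an assumed environment variable name for the script.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
        "id:10003,phase:5,pass,log,msg:'Inbound anomaly score %{tx.anomaly_score} reached the blocking threshold, notifying script',setenv:bodypost=%{tx.anomaly_score},setenv:blocked_uri=%{request_uri},exec:/path/to/script"
</Directory>
```

Because exec runs the script synchronously inside the request, keep the script minimal (for example, only append to a queue or spool file and return) so that a client flooding the directory with requests that trip CRS cannot turn the hook into the DoS situation Manuel warned about. To verify, send a request that is known to raise the CRS score for that path and check that the audit log entry contains a match for id 10003 alongside the CRS blocking rule.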
On 20 Jul 2018, at 15:32, hans mayer <mod....@ma.yer.at> wrote:
Hi Manuel,
Sorry, obviously I didn't explain well enough what I want to do.
I do not want to run a script every time a block (= a certain
directory structure or URL) is read by a client.
A script should only be triggered if one of these core rules from CRS
found an attack and is blocking.
Only in this situation a script should run for this specific URL.
I hope this describes a little bit better.
I tried different possibilities, for example with SecRule
HIGHEST_SEVERITY,
but all of them without success.
// Hans
On 19.07.18, 23:46, Manuel Spartan wrote:
Hi Hans,
it may not be the best idea to execute external scripts every time
you hit a block; it can easily result in a DoS situation, since external
scripts take longer to execute, resulting in longer processing
times. A SecDefaultAction inside a directory should override the
inherited SecDefaultAction in a higher context, but that would depend
on your rules and Apache configuration.
Alternatively, you may add a SecRule in phase 2 to check whatever
condition you are targeting and use ctl:SkipAfter to jump over the
SecAction in phase 2. See how the paranoia markers and actions
work, as they use the same concept.
Cheers!
2018-07-19 15:11 GMT-05:00 hans mayer <mod....@ma.yer.at>:
Dear All,
My environment: Apache/2.4, engine mode: modsecurity 2.7+
I want to achieve whenever any security rule is triggered a
script should be executed for a specific directory.
In the global Apache security module settings I have this line:
SecDefaultAction "phase:2,deny,log,status:406"
which does its job very well.
So my idea was I define a similar line for this specific
directory. In my apache http.conf I have:
<Directory "/some/directory/path">
SecDefaultAction
"phase:2,deny,log,status:406,exec:/path/to/script"
</Directory>
But obviously it doesn't work. The original SecDefaultAction
is maybe executed first and not overruled.
/path/to/script is never executed.
But an attack is successfully blocked.
To verify if this script is generally working I modified this
line to:
SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log
everything',exec:///path/to/script"
And this works fine. My script is executed. But it triggers
each time a browser is going to "/some/directory/path" on this
server. Even if it's doing legal things.
Any idea how I could solve my problem? Any help is appreciated.
I know version 3 is out with a lot of bugfixes. But currently
I don't want to upgrade.
Kind regards
Hans
--
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set