Discussion:
[Owasp-modsecurity-core-rule-set] exec: script for specific directory
hans mayer
2018-07-19 20:11:59 UTC
Permalink
Dear All,

My environment: Apache/2.4, engine mode: /modsecurity 2.7+

I want to achieve that whenever any security rule is triggered, a script
is executed for a specific directory.

In the global Apache security module settings I have this line:

SecDefaultAction "phase:2,deny,log,status:406"

which does its job very well.

So my idea was to define a similar line for this specific directory. In
my Apache http.conf I have:

<Directory "/some/directory/path">
SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"
</Directory>

But obviously it doesn't work. Maybe the original SecDefaultAction is
executed first and not overruled.
/path/to/script is never executed.
But the attack is successfully blocked.

To verify if this script is generally working I modified this line to:

SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log everything',exec:///path/to/script"

And this works fine. My script is executed. But it triggers each time a
browser is going to "/some/directory/path" on this server. Even if it's
doing legal things.

Any idea how I could solve my problem? Any help is appreciated.

I know version 3 is out with a lot of bugfixes. But currently I don't
want to upgrade.

Kind regards
Hans

--
hans mayer
2018-07-20 20:32:36 UTC
Permalink
Hi Manuel,

Sorry, obviously I didn't explain well enough what I want to do.
I do not want to run a script every time a block (= a certain directory
structure or URL) is read by a client.
A script should only be triggered if one of these core rules from CRS
has found an attack and is blocking.
Only in this situation should a script run for this specific URL.
I hope this describes it a little bit better.
I tried different possibilities, for example with SecRule HIGHEST_SEVERITY,
but all of them without success.


// Hans
Hi Hans,
it may not be the best idea to execute external scripts every time you
hit a block; it can easily result in a DoS situation, as external scripts
take longer to execute, resulting in longer processing times.
SecDefaultAction inside a directory must override the inherited
SecDefaultAction in the higher context, but that would depend on your rules
and Apache configuration.
Alternatively you may add a SecRule in phase 2 to check whatever
condition you are targeting and use ctl:SkipAfter to jump the
SecAction in phase 2. See how the paranoia markers and actions work, as
they use the same concept.
Cheers!
--
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
s***@gmail.com
2018-07-20 23:05:39 UTC
Permalink
Hi Hans, you can do a SecRule in phase 5 that checks for the anomaly score being higher than the threshold.

Cheers

Sent from mobile
hans mayer
2018-07-21 20:48:15 UTC
Permalink
Hi Manuel,

Many thanks for your reply.

I played around with a rule like this
SecRule HIGHEST_SEVERITY "@le 90" "...."
but this never triggered.
With a SecAction rule I have seen HIGHEST_SEVERITY is always 255.
This means it is uninitialized.
Based on the wiki at GitHub, values can be between 0 and 7.
But not for me. And maybe HIGHEST_SEVERITY is not what the
documentation says about severity.

I also tried the following rule:
SecAction "id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
In my script I see tx.anomaly_score is empty for a normal browser query
but set to 0 if it is an attack.
This I could use to trigger a script in case of an attack.

But I don't want this shell script to be executed each time someone is
visiting this URL.
So I tried a rule
SecRule tx.anomaly_score "@ge 0" "id:10003,log,allow,phase:5,setenv:bodypost=%{tx.anomaly_score},exec:/path/to/script"
But in this case Apache does not start, it terminates with
Error creating rule: Unknown variable: tx.anomaly_score

I tried to understand your e-mail. But obviously I do not.
Could you give me some detailed explanation of how to configure a rule that
triggers a script if another rule has previously detected an attack?


Kind regards
Hans
hans mayer
2018-07-22 15:35:55 UTC
Permalink
It says:
Engine Mode modsecurity 2.7+ only
Producer Rule Set ModSecurity for Apache/2.8.0
(http://www.modsecurity.org/).

The rule set seems to be
Core ModSecurity Rule Set ver.2.2.9


// Hans
What modsec and CRS versions are you using?
Sent from mobile
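The thread ends without a working rule, so here is one, as an added example that is not part of the mailing-list discussion. It follows the phase-5 anomaly-score suggestion above and assumes ModSecurity 2.x with CRS 2.2.x variable names (tx.anomaly_score, tx.inbound_anomaly_score_level, tx.msg); the rule id 10003, the path /some/directory/path, the script path /path/to/script and the crs_* environment variable names are placeholders taken from or made up for this example. Two facts the thread circled around are built in: a SecDefaultAction only applies to rules that are defined after it in the same configuration context, so the CRS rules loaded in the global context keep the global default and an exec added to a per-directory SecDefaultAction never attaches to them; and a rule target is a collection lookup, TX:anomaly_score, while the dotted tx.anomaly_score form is only valid inside %{...} macro expansion, which is why "Unknown variable: tx.anomaly_score" came up.

```apache
# Added example, not from the thread: run an external script only for
# requests under /some/directory/path that the CRS actually scored as
# an attack. Assumes ModSecurity 2.x with CRS 2.2.x variable names.
# Rule id 10003, the location and the script path are placeholders.

<Location "/some/directory/path">
    # Phase 5 (logging) still runs after a phase-2 deny, and the TX
    # collection lives for the whole transaction, so the CRS scores
    # are final here. The target is TX:anomaly_score (collection:key);
    # writing tx.anomaly_score as a target is a parse error.
    #
    # With a blocking SecDefaultAction (traditional mode) the request
    # is denied by the first CRS rule that matches, so the score may
    # never reach tx.inbound_anomaly_score_level; "@gt 0" therefore
    # means "at least one CRS rule fired". In anomaly-scoring mode
    # use "@ge %{tx.inbound_anomaly_score_level}" instead.
    #
    # setenv values are visible to the exec'd script as environment
    # variables, so the script gets the context without re-parsing
    # logs. tx.msg is set by CRS 2.2.x to the last matched message.
    SecRule TX:anomaly_score "@gt 0" \
        "id:10003,phase:5,pass,log,t:none,\
        msg:'CRS detection under /some/directory/path, running notifier',\
        setenv:crs_score=%{tx.anomaly_score},\
        setenv:crs_msg=%{tx.msg},\
        setenv:crs_uri=%{request_uri},\
        setenv:crs_client=%{remote_addr},\
        exec:/path/to/script"
</Location>
```

A <Directory> container works the same way if the path is a filesystem directory rather than a URL prefix. Because ModSecurity waits for the exec'd process, the script should do nothing more than record the event (append a line to a spool file, send a local message) and exit; anything slower turns every detected attack into extra server load, which is the DoS concern raised earlier in the thread. Check the rule from the Apache side with `apachectl configtest`, then send one obviously malicious request to the location and one normal request and confirm the script runs only for the first.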