Hi Hans, you can do a SecRule in phase 5 that checks for the anomaly score higher than the threshold.

Cheers

Sent from mobile

> On 20 Jul 2018, at 15:32, hans mayer <mod....@ma.yer.at> wrote:
>
> Hi Manuel,
>
> Sorry, obviously I didn't explain well enough what I want to do.
> I do not want to run a script every time a block ( = certain directory
> structure or URL )
> is read by a client.
> A script should only be triggered if one of these core rules from CRS
> found an attack and is blocking.
> Only in this situation a script should run for this specific URL.
> I hope this describes a little bit better.
> I tried different possibilities, for example with SecRule HIGHEST_SEVERITY,
> but all of them without success.
>
> // Hans
>
>> On 19.07.18, 23:46, Manuel Spartan wrote:
>> Hi Hans,
>>
>> it may not be the best idea to execute external scripts every time you hit a
>> block, it can easily result in a DOS situation, external scripts take longer
>> to execute resulting in longer processing times, SecDefaultAction inside a
>> directory must override the inherited SecDefaultAction in higher context but
>> that would depend on your rules and apache configuration.
>>
>> Alternatively you may add a SecRule in phase 2 to check whatever condition
>> you are targeting and use ctl:SkipAfter to jump the SecAction in phase 2.
>> See how the paranoia markers and actions work as they use the same concept.
>>
>> Cheers!
>>
>> 2018-07-19 15:11 GMT-05:00 hans mayer <mod....@ma.yer.at>:
>>>
>>> Dear All,
>>>
>>> My environment: Apache/2.4 , engine mode: /modsecurity 2.7+
>>>
>>> I want to achieve whenever any security rule is triggered a script should
>>> be executed for a specific directory.
>>>
>>> In the global Apache security module settings I have this line:
>>>
>>>     SecDefaultAction "phase:2,deny,log,status:406"
>>>
>>> which does its job very well.
>>>
>>> So my idea was I define a similar line for this specific directory. In my
>>> apache http.conf I have:
>>>
>>>     <Directory "/some/directory/path">
>>>         SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"
>>>     </Directory>
>>>
>>> But obviously it doesn't work. The original SecDefaultAction is maybe
>>> executed first and not overruled.
>>> /path/to/script is never executed.
>>> But an attack is successfully blocked.
>>>
>>> To verify if this script is generally working I modified this line to:
>>>
>>>     SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log everything',exec:///path/to/script"
>>>
>>> And this works fine. My script is executed. But it triggers each time a
>>> browser is going to "/some/directory/path" on this server. Even if it's
>>> doing legal things.
>>>
>>> Any idea how I could solve my problem? Any help is appreciated.
>>>
>>> I know version 3 is out with a lot of bugfixes. But currently I don't want
>>> to upgrade.
>>>
>>> Kind regards
>>> Hans
>>>
>>> --
>>>
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
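
The phase 5 check suggested in the reply at the top of this thread, written out as an added example (it is not part of the original messages). It assumes the CRS 3.x variable names `tx.anomaly_score` and `tx.inbound_anomaly_score_threshold`; the rule id 10004 is a placeholder, and the directory and script paths are the ones used in the thread.

```apache
# Added example, not from the thread. Variable names assume CRS 3.x;
# check the names your installed CRS version uses before deploying.
<Directory "/some/directory/path">

    # Before (from the thread): an unconditional SecAction, so the script
    # runs for every request to this directory, including legitimate ones.
    #
    # SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log everything',exec:///path/to/script"

    # After: phase 5 (logging) runs once the CRS rules have finished
    # scoring the request, so the accumulated anomaly score is final.
    # The script is executed only when that score reached the inbound
    # threshold, i.e. when CRS treated the request as an attack.
    #
    # id 10004 is a placeholder; pick an id that is unused in your setup.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
        "id:10004,\
        phase:5,\
        pass,\
        log,\
        auditlog,\
        msg:'CRS anomaly threshold reached, running script',\
        exec:/path/to/script"

    # Notes on exec in ModSecurity 2.x:
    #  - the script is called without arguments; transaction details are
    #    passed in CGI-style environment variables
    #  - the script must write something to stdout, otherwise ModSecurity
    #    records the execution as failed
    #  - each match forks a process, so keep the script short to avoid the
    #    DoS concern raised earlier in the thread

</Directory>
```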