Reputation: 33
ModSecurity: How to 'exec' based on 'severity' level?
I am using mod_security 2.6.3, and I would like to be able to execute a shell script based on a rule-severity level. I am using the core rule set (CRS), which sets the severity level to 2 (for 'critical') when an attack is detected.
I would like to execute my script whenever the severity is high enough.
I tried to use the SecDefaultAction setting, such as:
SecDefaultAction "phase:2,log,deny,status:403,exec:/path/to/my/script"
But since the 'exec' action is a "non-disruptive" one, it always get executed, whether a critical rule or a non-critical rule is trigerred.
I could go through each critical SecRule and add "exec" next to it, but that would be tedious (and repetitive, and ugly).
I thought I could do something like:
SecRule ENV:SEVERITY "@lt 4" "exec:/path/to/my/script"
But somehow it never gets executed, probably because the critical rules have a block or deny statement which stops rule processing (since considered disruptive).
I also tried using the CRS anomaly score feature, like this:
SecRule TX:ANOMALY_SCORE "@ge 4" "exec:/path/to/my/script"
But it still does not get processed. Any idea on how I could do this?
Upvotes: 3
Views: 3248
Answers (1)
Reputation: 644
You could use the HIGHEST_SEVERITY variable to test it, such as:
SecRule HIGHEST_SEVERITY "@le 5" "nolog,pass,exec:/path/to/your/script"
Note the nolog,pass additional parameters that will preserve the original log message from the rule that changed the severity level.
Also, I suggest that you place this condition early in your .conf file (e.g. just after your SecDefaultAction line) to ensure it gets included in all contexts.
Another way of doing it would be to use a custom HTTP response status code in your SecDefaultAction (for instance, 418 "I'm a teapot") and trigger your condition based on it, in the logging phase (once the default action has been processed):
# On error, log then deny request with "418 I'm a teapot":
SecDefaultAction "phase:2,log,deny,status:418"
# On HTTP response status code 418, execute your script:
SecRule RESPONSE_STATUS "^418$" "phase:5,nolog,pass,exec:/path/to/your/script"
Upvotes: 5
Related Questions
- mod_security(2.x): How to match on an undefined mod-sec variable?
- ModSecurity default action when no rule is match?
- configure error page to show the log of modsecurity
- ModSecurity - Is there a way to configure DetectionOnly per Rule
- How to disable a specific mod_security rule in a specific directory?
- ModSecurity: Are rules executed by rule ID ascending order?
- how to add mod security exception
- ModSecurity: Whitelist Arguments By Value
- ModSecurity - error parsing actions unknown action \\
- Mod Security SecStatusEngine