2

I am using mod_security 2.6.3, and I would like to be able to execute a shell script based on a rule-severity level. I am using the core rule set (CRS), which sets the severity level to 2 (for 'critical') when an attack is detected.

I would like to execute my script whenever the severity is high enough.

I tried to use the SecDefaultAction setting, such as:

SecDefaultAction "phase:2,log,deny,status:403,exec:/path/to/my/script"

But since the 'exec' action is a "non-disruptive" one, it always get executed, whether a critical rule or a non-critical rule is trigerred.

I could go through each critical SecRule and add "exec" next to it, but that would be tedious (and repetitive, and ugly).

I thought I could do something like:

SecRule ENV:SEVERITY "@lt 4" "exec:/path/to/my/script"

But somehow it never gets executed, probably because the critical rules have a block or deny statement which stops rule processing (since considered disruptive).

I also tried using the CRS anomaly score feature, like this:

SecRule TX:ANOMALY_SCORE "@ge 4" "exec:/path/to/my/script"

But it still does not get processed. Any idea on how I could do this?

Oldskool
  • 34,211
  • 7
  • 53
  • 66
Liam Nelson
  • 23
  • 1
  • 4

1 Answers1

5

You could use the HIGHEST_SEVERITY variable to test it, such as:

SecRule HIGHEST_SEVERITY "@le 5" "nolog,pass,exec:/path/to/your/script"

Note the nolog,pass additional parameters that will preserve the original log message from the rule that changed the severity level.

Also, I suggest that you place this condition early in your .conf file (e.g. just after your SecDefaultAction line) to ensure it gets included in all contexts.

Another way of doing it would be to use a custom HTTP response status code in your SecDefaultAction (for instance, 418 "I'm a teapot") and trigger your condition based on it, in the logging phase (once the default action has been processed):

# On error, log then deny request with "418 I'm a teapot":
SecDefaultAction "phase:2,log,deny,status:418"

# On HTTP response status code 418, execute your script:
SecRule RESPONSE_STATUS "^418$" "phase:5,nolog,pass,exec:/path/to/your/script"
Reggie
  • 644
  • 5
  • 10
  • When i try your code, getting this error: ModSecurity: No action id present within the rule. Edit: used this code: SecRule HIGHEST_SEVERITY "@le 5" "id:'290090',nolog,pass,exec:/usr/bin/pngquant".. Just added an id – Ünsal Korkmaz Feb 16 '15 at 23:44