Hi to all,
I finally found that the exec action is not working inside the rule, as I tried SecRuleScript with the script and it worked like a charm. The problem now is that I don't know how to use SecRuleScript in my rule, as I have tried the following:

SecRule REQUEST_URI "@pmFromFile bad-scripts.txt" \
"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:' Malware Script detected in URL',logdata:'%{TX.0}'"
SecRuleScript "/usr/local/apache/conf/modsec_rules/ip_write.lua"

But using it as it is, I have the problem that the Lua script writes any IP, not only the one that triggered the rule.

If you don't mind, can you tell me what would be the best way to use both rules together?

Regards,
Sergio
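
One way to make the Lua rule act only on requests the SecRule matched, added here as an example and not code from the thread: have the SecRule set a TX flag with pass (a deny in that rule would end phase 2 before any later rule runs) and let the script check the flag, write the IP, and return a match so that the deny action on the SecRuleScript rule fires. It assumes the ModSecurity 2.5 Lua API shown in the thread (m.getvar, plus m.log for error reporting) and uses constructed rule ids, TX variable names and the IPS.TXT path.

```lua
-- Added example, not from the thread. The two rules it pairs with (constructed):
--
--   SecRule REQUEST_URI "@pmFromFile bad-scripts.txt" \
--     "phase:2,pass,capture,t:lowercase,id:999999,log,\
--      setvar:tx.malware_script=1,setvar:tx.malware_match=%{TX.0}"
--   SecRuleScript "/usr/local/apache/conf/modsec_rules/ip_write.lua" \
--     "phase:2,deny,status:406,log,id:999998,msg:'Malware Script detected in URL'"
--
-- Both rules are phase 2 and the SecRule comes first, so the flag is set
-- before this script runs. Path and variable names are assumptions.
local LOG_PATH = "/usr/local/apache/conf/modsec_rules/IPS.TXT"

function main()
  -- Returning nil means "no match": the deny on the SecRuleScript rule does
  -- not fire and nothing is written for requests the SecRule did not flag.
  local flagged = m.getvar("TX.malware_script", "none")
  if flagged ~= "1" then
    return nil
  end

  local ip = m.getvar("REMOTE_ADDR", "none") or "unknown"
  local matched = m.getvar("TX.malware_match", "none") or "?"

  local fh, err = io.open(LOG_PATH, "a+")
  if not fh then
    -- Surface the failure in the ModSecurity debug log (level 1 = error)
    -- instead of silently dropping the record.
    m.log(1, "ip_write.lua: cannot open " .. LOG_PATH .. ": " .. tostring(err))
  else
    -- One record per flagged request: UTC timestamp, client IP, matched phrase
    fh:write(string.format("%s %s %s\n",
                           os.date("!%Y-%m-%dT%H:%M:%SZ"), ip, matched))
    fh:close()
  end

  -- Any string returned counts as a match and becomes the rule's log message,
  -- which makes the deny action above apply to this request only.
  return "malware script request from " .. ip .. " recorded"
end
```

If you want the write to succeed even when the file cannot be opened, check the Apache user's permissions on the directory rather than chmod on the file alone, since "a+" has to create the file if it is missing.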

On Wed, Jan 27, 2010 at 10:29 AM, Brian Rectanus <Brian.Rectanus@breach.com> wrote:
Lua support is optional.  Does your build have Lua support?

nm /path/to/modules/mod_security2.so | grep -i lua

If the above returns results, then you do have support.

-B

Sergio wrote:
> Hi William,
> I googled some info and found the following in
> http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity
> :
>
> "ModSecurity 2.5 Rule Scripting - Lua
>
> ModSecurity version 2.5 adds support for rule scripting via lua. Lua is
> known to have difficulties building. Lua build failures will not cause
> an Apache build to halt, but will provide errors in the build log upon
> build failure, and lua support will not be enabled. If you wish to use
> lua in your custom ruleset, you should read carefully on the proper
> usage of lua and ensure that the lua build was a success.
>
> *Where to store lua scripts*
>
> Lua scripts should be stored in */usr/local/apache/conf* in a sub
> directory such as */usr/local/apache/conf/modsec-lua*. Storing scripts
> in this location will ensure they are available whenever Apache
> configurations are tested or Apache is restarted. It will also keep them
> intact through EasyApache builds."
>
> So, after reading this I moved the script to the suggested directory,
> but it is still not working, even though it is not showing any error at all;
> maybe it is something that I am doing wrong in the Lua script. Even the file
> "IPS.TXT" has been moved to the same directory as the script.
>
> Best Regards,
>
> Sergio
>
>
> On Wed, Jan 27, 2010 at 12:38 AM, William Salusky <wsalusky@gmail.com> wrote:
>
>     Sounds like your module does not have Lua support built in.
>
>     W
>
>
>     On Wed, Jan 27, 2010 at 1:00 AM, <secmas@gmail.com> wrote:
>
>         William,
>         I have moved the lua file to
>         /usr/local/apache/conf/modsec_rules, but the same error continues.
>
>         I have monitored the debug log and nothing weird shows up, only
>         this:
>
>         [26/Jan/2010:23:55:54 --0600]
>         [www.somedomain.com/sid#e958b80][rid#10ee8060][/index.php][1]
>         Access denied with code 406 (phase 2). Matched phrase "/matched"
>         at REQUEST_URI. [file
>         "/usr/local/apache/conf/modsec_rules/00_ip_write.conf"] [line
>         "2"] [id "999999"] [rev "1"] [msg "SECMAS: Malware Script
>         detected in URL"] [data "/matched"] [severity "CRITICAL"]
>
>         It doesn't say anything about an error copying the data to the
>         IP.TXT file.
>
>         Regards,
>         Sergio
>
>
>
>         On Jan 26, 2010 11:46pm, secmas@gmail.com wrote:
>         > Hi William,
>         > Yes, my modsec has been configured with LoadFile
>         > /opt/lua/lib/liblua.so. I have already checked the Apache
>         > error_log, but there is nothing in there that shows an error in my rule.
>         >
>         > I set the debug but failed to have it on 1 instead of 3, I
>         > will fix that.
>         >
>         > Let me change the lua file to the same directory where the
>         > modsec_rules are.
>         >
>         > I will write you back with what I found, thanks.
>         >
>         > Regards,
>         > Sergio
>         >
>         >
>         > On Jan 26, 2010 11:30pm, William Salusky <wsalusky@gmail.com> wrote:
>         > > 1. Is your mod_security module compiled with lua support?
>         > > If you're using a distribution's packaged module it may not have
>         > > lua support.
>         > >
>         > > 2. Do you have an appropriate LoadFile
>         > > /path/to/liblua.so in your httpd.conf?
>         > >
>         > >
>         > > 3. Are there any telling log entries in your Apache server
>         > > error_log?
>         > >
>         > > If still nothing, turn up Debug to at least 3 and try
>         > > generating some error_log output and see if that gives you any
>         > > insight.
>         > >
>         > > One last thing, since you are attempting to exec the lua
>         > > script from the /backup/ partition, not sure if it would affect
>         > > the outcome, but is that filesystem by chance mounted 'noexec'?
>         > >
>         > >
>         > > W
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 11:09 PM, Sergio <secmas@gmail.com> wrote:
>         > >
>         > > Hi William,
>         > > I have tested the rule but it is not working; I don't know if
>         > > it is because of a bad chmod on any of the files. Here is what I
>         > > have done:
>         > >
>         > > SecRule REQUEST_URI "@pmFromFile my-file.txt" \
>         > > "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:'IP DETECTED',exec:'/backup/ip-write-test.lua',logdata:'%{TX.0}'"
>         > >
>         > > The SecRule is working its part, but the exec is not. For
>         > > the Lua file, I wrote it in my /backup partition and chmod it
>         > > 644; the other file "IPS.TXT" is also in my /backup partition
>         > > and has a chmod of 644.
>         > >
>         > >
>         > >
>         > > Are these settings ok or am I missing something?
>         > >
>         > > Regards,
>         > > Sergio
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 3:49 PM, William Salusky <wsalusky@gmail.com> wrote:
>         > >
>         > >
>         > > You can do that by calling a Lua script via the exec keyword.
>         > >
>         > > SecRule BLAH "BLAH"
>         > > "log,auditlog,pass,id:'888801',msg:'ip-write-test',severity:'7',rev:'1',exec:/path/to/your_lua_scripts/ip-write-test.lua"
>         > >
>         > >
>         > >
>         > >
>         > > =====
>         > >
>         > > function main()
>         > >   -- append mode: create the file if missing, keep existing lines
>         > >   local fh = io.open("/tmp/ips.txt", "a+")
>         > >   if fh then
>         > >     local var1 = m.getvar("REMOTE_ADDR", "none")
>         > >     local str1 = string.format('IP is: %s\n', var1)
>         > >     fh:write(str1)
>         > >     fh:flush()
>         > >     fh:close()
>         > >   end
>         > >
>         > >   return fh ~= nil
>         > > end
>         > >
>         > >
>         > >
>         > >
>         > >
>         > > On Tue, Jan 26, 2010 at 3:55 PM, Sergio <secmas@gmail.com> wrote:
>         > >
>         > > Hi,
>         > > Is it possible to create a rule that when it is triggered it
>         > > could write just the offender IP to a file other than the audit_log?
>         > >
>         > > Regards,
>         > > Sergio
>         ------------------------------------------------------------------------------
>         > >
>         > > The Planet: dedicated and managed hosting, cloud storage,
>         colocation
>         > >
>         > > Stay online with enterprise data centers and the best
>         network in the business
>         > >
>         > > Choose flexible plans and management services without
>         long-term contracts
>         > >
>         > > Personal 24x7 support from experience hosting pros just a
>         phone call away.
>         > >
>         > > http://p.sf.net/sfu/theplanet-com
>         > > _______________________________________________
>         > >
>         > > mod-security-users mailing list
>         > >
>         > > mod-security-users@lists.sourceforge.net
>         <mailto:mod-security-users@lists.sourceforge.net>
>         > >
>         > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>         > >
>         > > Commercial ModSecurity Appliances, Rule Sets and Support:
>         > >
>         > > http://www.modsecurity.org/breach/index.html
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>         > >
>
>
>

--
Brian Rectanus
Breach Security