Sergio,

I would have to say the reference stating a location for lua scripts you are referring to is really just a "recommendation" and not a requirement. 

Again, can you check whether your mod_security2.so module really has lua support built into it?  You might want to try building from source to ensure lua support is there.

* Try running the following to see if Lua library support has been linked into the module:
# ldd /path/to/modules/mod_security2.so | egrep lua

If ldd results do not have an equivalent response as seen in the following, you will have to build from source if you want/need this functionality.
   liblua.so => /usr/local/lib/liblua.so (0x00308000)

W
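
The checks raised in this thread (Lua linked into mod_security2.so, a LoadFile line for liblua, whether the script's filesystem is mounted noexec), gathered into one script. This is an added example, not part of the original messages; the function names and the argument order are assumptions made for it.

```shell
#!/bin/sh
# Added example: pre-flight checks for a ModSecurity exec: Lua script.
# Function names and argument order are assumptions made for this example.

# Succeeds if ldd output on stdin shows a liblua* entry resolved to a real path
# ("liblua.so => not found" does not count).
has_lua_linkage() {
    awk '$1 ~ /^liblua/ && $2 == "=>" && $3 ~ /^\// { found = 1 }
         END { exit !found }'
}

# Succeeds if Apache config on stdin has an uncommented LoadFile for a Lua library.
has_loadfile_lua() {
    grep -Eiq '^[[:space:]]*LoadFile[[:space:]]+[^#]*lua'
}

# Prints the options of the mount that holds path $1, using the
# /proc/mounts-format file $2 (longest matching mount point wins).
mount_opts_for() {
    awk -v p="$1" '
        ($2 == "/" || p == $2 || index(p, $2 "/") == 1) && length($2) >= best {
            best = length($2); opts = $4
        }
        END { print opts }' "$2"
}

# Succeeds if the filesystem holding path $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# $1 = mod_security2.so, $2 = httpd.conf, $3 = Lua script named in exec:
preflight() {
    ldd "$1" | has_lua_linkage || echo "FAIL: no Lua library linked into $1"
    has_loadfile_lua < "$2"    || echo "FAIL: no LoadFile for liblua in $2"
    if is_noexec "$3" /proc/mounts; then echo "NOTE: $3 is on a noexec mount"; fi
    [ -r "$3" ]                || echo "FAIL: $3 is not readable"
    return 0
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```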


On Wed, Jan 27, 2010 at 11:12 AM, Sergio <secmas@gmail.com> wrote:
Hi William,
I googled some info and found the following in http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity :

"ModSecurity 2.5 Rule Scripting - Lua

ModSecurity version 2.5 adds support for rule scripting via lua. Lua is known to have difficulties building. Lua build failures will not cause an Apache build to halt, but will provide errors in the build log upon build failure, and lua support will not be enabled. If you wish to use lua in your custom ruleset, you should read carefully on the proper usage of lua and ensure that the lua build was a success.

Where to store lua scripts

Lua scripts should be stored in /usr/local/apache/conf in a sub directory such as /usr/local/apache/conf/modsec-lua. Storing scripts in this location will ensure they are available whenever Apache configurations are tested or Apache is restarted. It will also keep them intact through EasyApache builds."

So, after reading this I moved the script to the suggested directory, but it is still not working, even though it is not showing any error at all; maybe it is something that I am doing wrong in the Lua script. Even the file "IPS.TXT" has been moved to the same directory as the script.

Best Regards,

Sergio


On Wed, Jan 27, 2010 at 12:38 AM, William Salusky <wsalusky@gmail.com> wrote:
Sounds like your module does not have Lua support built in.

W


On Wed, Jan 27, 2010 at 1:00 AM, <secmas@gmail.com> wrote:
William,
I have moved the lua file to /usr/local/apache/conf/modsec_rules, but the same error continues.

I have monitored the debug log and nothing weird shows up, only this:

[26/Jan/2010:23:55:54 --0600] [www.somedomain.com/sid#e958b80][rid#10ee8060][/index.php][1] Access denied with code 406 (phase 2). Matched phrase "/matched" at REQUEST_URI. [file "/usr/local/apache/conf/modsec_rules/00_ip_write.conf"] [line "2"] [id "999999"] [rev "1"] [msg "SECMAS: Malware Script detected in URL"] [data "/matched"] [severity "CRITICAL"]

It doesn't say anything about an error copying the data to the IP.TXT file.

Regards,
Sergio



On Jan 26, 2010 11:46pm, secmas@gmail.com wrote:
> Hi William,
> Yes my modsec has been configured with LoadFile /opt/lua/lib/liblua.so, I have already checked the apache error_log but nothing is in there that shows an error in my rule.
>
> I set the debug but failed to have it on 1 instead of 3, I will fix that.
>
> Let me change the lua file to the same directory where the modsec_rules are.
>
> I will write you back with what I found, thanks.
>
> Regards,
> Sergio
>
>
> On Jan 26, 2010 11:30pm, William Salusky <wsalusky@gmail.com> wrote:
> > 1. Is your mod_security module compiled with lua support?  If you're using a distribution's packaged module it may not have lua support.
> >
> > 2. Do you have an appropriate    LoadFile  /path/to/liblua.so   in your httpd.conf?
> >
> >
> > 3. Are there any telling log entries in your Apache server error_log?
> >
> > If still nothing, turn up Debug to at least 3 and try generating some error_log output and see if that gives you any insight.
> >
> > One last thing, since you are attempting to exec the lua script from the /backup/ partition, not sure if it would affect the outcome, but is that filesystem by chance mounted 'noexec'?
> >
> >
> > W
> >
> >
> > On Tue, Jan 26, 2010 at 11:09 PM, Sergio <secmas@gmail.com> wrote:
> >
> > Hi William,
> > I have tested the rule but it is not working. I don't know if it is because of a bad chmod on any of the files; here is what I have done:
> >
> > SecRule REQUEST_URI "@pmFromFile my-file.txt" \
> > "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severity:2,msg:'IP DETECTED',exec:'/backup/ip-write-test.lua',logdata:'%{TX.0}'"
> >
> > The SecRule is doing its part, but the exec is not. I wrote the Lua file in my /backup partition and chmod it 644; the other file "IPS.TXT" is also in my /backup partition and has a chmod of 644.
> >
> > Are these settings OK or am I missing something?
> >
> > Regards,
> > Sergio
> >
> >
> > On Tue, Jan 26, 2010 at 3:49 PM, William Salusky <wsalusky@gmail.com> wrote:
> >
> >
> > You can do that by calling a Lua script via the exec keyword.
> >
> > SecRule BLAH "BLAH" "log,auditlog,pass,id:'888801',msg:'ip-write-test',severity:'7',rev:'1',exec:/path/to/your_lua_scripts/ip-write-test.lua"
> >
> >
> >
> >
> > =====
> >
> > function main()
> >   -- Open the output file in append mode; fh is nil if the open fails
> >   local fh = io.open("/tmp/ips.txt", "a+")
> >   if fh then
> >     -- Fetch REMOTE_ADDR with no transformations applied
> >     local var1 = m.getvar("REMOTE_ADDR", "none")
> >     local str1 = string.format('IP is: %s\n', tostring(var1))
> >     fh:write(str1)
> >     fh:flush()
> >     fh:close()
> >   end
> >
> >   return fh ~= nil
> > end
> >
> >
> >
> >
> >
> > On Tue, Jan 26, 2010 at 3:55 PM, Sergio <secmas@gmail.com> wrote:
> >
> > Hi,
> > Is it possible to create a rule that when it is triggered it could write just the offender IP to a file other than the audit_log?
> >
> >
> >
> >
> > Regards,
> > Sergio
> >
> >
> >
> >
> >
> > _______________________________________________
> >
> > mod-security-users mailing list
> >
> > mod-security-users@lists.sourceforge.net
> >
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users