hans mayer - 2018-07-01

Dear All,

My environment: Apache/2.4, engine mode: /modsecurity 2.7+

I want to achieve that whenever any security rule is triggered, a script is executed for a specific directory.

In the global apache security module settings I have this line:

SecDefaultAction "phase:2,deny,log,status:406"

which does its job very well.

So my idea was to define a similar line for this specific directory. In my Apache http.conf I have:

<Directory "/some/directory/path">
     SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"
</Directory>

But obviously it doesn't work. The original SecDefaultAction is maybe executed first and not overruled.
/path/to/script is never executed.
But an attack is successfully blocked.

To verify if this script is generally working I modified this line to:

SecAction "id:10003,pass,auditlog,log,phase:5,msg:'log everything',exec:///path/to/script"

And this works fine. My script is executed. But it triggers each time a browser goes to "/some/directory/path" on this server, even if it's doing legal things.

Any idea how I could solve my problem? Any help is appreciated.

I know version 3 is out with a lot of bugfixes. But currently I don't want to upgrade.

Kind regards
Hans

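As an added illustration (not from Hans's post or the ModSecurity project), this shows how ModSecurity 2.x scopes SecDefaultAction: it is inherited only by SecRule/SecAction directives that come after it in the same configuration context, so rules that should pick up a per-directory default have to be defined inside that Directory block. The script path, directory path, and rule ID are placeholders.

```apache
# Added example: per-directory default action in ModSecurity 2.x.
# Global default (module configuration), unchanged: block with 406 and log.
SecDefaultAction "phase:2,deny,log,status:406"

<Directory "/some/directory/path">
    # Only rules that FOLLOW this line in this same context inherit it.
    # Rules already parsed in the global context keep the global default,
    # which is why adding exec here alone does not run the script for them.
    # SecDefaultAction may carry a disruptive action, a phase and
    # non-disruptive actions (exec), but no metadata (id, msg).
    SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"

    # Placeholder rule defined in this context: it inherits deny + exec,
    # so the script runs only when this rule actually matches, not on
    # every legitimate visit to the directory.
    SecRule REQUEST_METHOD "!@rx ^(GET|HEAD|POST)$" \
        "id:10010,msg:'unexpected HTTP method in protected directory'"
</Directory>
```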