How would I pass parameters to this script from mod-security rules? The best way to learn the rules, besides time and going through the manual, would be looking at the existing rule packages. The current rule package at mod-security is very limited. I am afraid the so-called negative security would be error-prone.
 
Do we have any packages for positive security, let us say
SecFilterSelective ARGS alphanum allow

of this type? Let me know if you have rules of this type.
 
 


Ivan Ristic <ivan.ristic@gmail.com> wrote:
> I am contemplating this alternative in 1.9.x, since it is not possible to
> link user-defined actions and libraries. I am planning to use redirect as an
> action to a URL which is a servlet to execute our program. How can I pass
> parameters to this servlet in the query string? Any hacks? In some cases we
> just have to execute a program, without any params.
>
> What do you think? I have championed mod-security in our evaluation and
> appreciate your help in succeeding :)

You can do two things:

1. Use an ErrorDocument (look it up in the Apache documentation if
you're not familiar with it) to have a custom script executed when a
transaction is rejected.

2. Use the "exec" action to execute a custom external binary when a
rule is triggered.

Both would allow you to implement custom actions. I prefer 1.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
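
An added example, not part of the original thread or of ModSecurity: a sketch of option 1, a CGI handler that Apache runs through an `ErrorDocument 403` line after a rejection. It assumes the handler reads the rejected request from the `REDIRECT_*` variables Apache sets for error documents; the function names and log path are hypothetical.

```python
import json
import os
import re
import sys

LOG_PATH = "/var/log/apache2/rejected.jsonl"  # hypothetical path, adjust locally
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def clean(value, limit=512):
    """Replace control characters and cap length: these values come from
    the rejected (possibly hostile) request and end up in a log file."""
    return _CTRL.sub("?", value)[:limit]


def build_event(environ):
    """Collect details of the original request. Apache re-exports them
    with a REDIRECT_ prefix when it internally redirects to an ErrorDocument."""
    status = environ.get("REDIRECT_STATUS", "")
    return {
        # Fall back to 403 if the variable is missing or malformed.
        "status": status if re.fullmatch(r"\d{3}", status) else "403",
        "url": clean(environ.get("REDIRECT_URL", "")),
        "query": clean(environ.get("REDIRECT_QUERY_STRING", "")),
        "client": clean(environ.get("REMOTE_ADDR", "")),
    }


def handle(environ, log_path=LOG_PATH):
    """Record the rejection, then return the CGI response text.
    Any site-specific custom action would be triggered from here."""
    event = build_event(environ)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
    # Emit Status explicitly so the client still receives the error code.
    return (
        f"Status: {event['status']}\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Request rejected.\n"
    )


if __name__ == "__main__":
    sys.stdout.write(handle(os.environ))
```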

