I'm having a problem with the following rule:

SecFilter "/bin/davetest" "exec:/usr/local/mod_sec/report-attack.sh"

where the contents of /usr/local/mod_sec/report-attack.sh are

#!/usr/local/bin/php -q
<?php
ob_start();
print_r($_SERVER);
$data = ob_get_contents();//save it in a variable for later use
ob_end_clean();//stop buffering

mail("dbrieck@xxxxxx.com ","Environment Vars",$data);
echo "Done! \n";
$file = "/tmp/davetest.txt";
$open = @fopen($file, "w");
fwrite($open, $data);
fclose($open);

?>

The file will execute from the command line, and it looks like it's processed in the audit log:

mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report-attack.sh

But I never get an email and the file is never written. Am I doing something wrong?

mod_security 1.9.3
apache 1.3.33
php version 4.4.0

Thanks for any help

David Brieck