Re: [mod-security-users] How to write an IP automatically to a file?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] How to write an IP automatically to a file?
|
From: Sergio <se...@gm...> - 2010-01-27 04:09:29
|
Hi William,
I have tested the rule but is not working, I don't know if it is because a
bad chmod in any of the files, here is what I have done:
SecRule REQUEST_URI "@pmFromFile my-file.txt" \
"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:999999,rev:1,severit
y:2,msg:'IP DETECTED',exec:'/backup/ip-write-test.lua',logdata:'%{TX.0}'"
The SecRule is working his part, but the exec is not, for the LUA file I
wrote it in my /backup partition and chmod it 644, the other file "IPS.TXT"
is also in my /backup partition and has a chmod of 644.
Are this settings ok or am I missing something?
Regards,
Sergio
On Tue, Jan 26, 2010 at 3:49 PM, William Salusky <wsa...@gm...> wrote:
> You can do that by calling a Lua script via the exec keyword.
>
> SecRule BLAH "BLAH"
> "log,auditlog,pass,id:'888801',msg:'ip-write-test',severity:'7',rev:'1',exec:/path/to/your_lua_scripts/ip-write-test.lua"
>
> =====
>
> function main()
> local fh = io.open("/tmp/ips.txt", "a+")
> if fh then
> local var1 = m.getvar("REMOTE_ADDR", "none")
> str1 = string.format('IP is: %s\n', var1)
> fh:write(str1)
> fh:flush()
> fh:close()
> end
>
> return fh ~= nil
> end
>
>
>
>
> On Tue, Jan 26, 2010 at 3:55 PM, Sergio <se...@gm...> wrote:
>
>> Hi,
>> Is it possible to create a rule that when it is triggered it could write
>> just the offender IP to a file other than the audit_log?
>>
>> Regards,
>> Sergio
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The Planet: dedicated and managed hosting, cloud storage, colocation
>> Stay online with enterprise data centers and the best network in the
>> business
>> Choose flexible plans and management services without long-term contracts
>> Personal 24x7 support from experience hosting pros just a phone call away.
>> http://p.sf.net/sfu/theplanet-com
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Appliances, Rule Sets and Support:
>> http://www.modsecurity.org/breach/index.html
>>
>>
>
|