[mod-security-users] Capturing Internal Server Errors
From: Usman <us...@op...> - 2012-05-17 11:33:16
Hi,

I have the following directive in my crs_10 file:

    SecAuditLogRelevantStatus "^(?:5|0(?!04))"

This logs 500 internal server errors when they happen. I would like to set some attributes like tag, msg, severity etc. for the above when viewing the alert in the AuditConsole. I tried using the following rule but no luck:

    SecRule RESPONSE_STATUS "@eq 500" \
        "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

Based on the docs I found the below, which does not give me the desired result:

    SecRule RESPONSE_STATUS "^[5]" \
        "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

but then there was a note in the docs saying:

"This directive may not work as expected in embedded-mode as Apache handles many of the stock response codes (404, 401, etc...) earlier in Phase 2. This variable should work as expected in a proxy-mode deployment."

Can I not use the above?

Thanks,
Usman

--
Using Opera's revolutionary email client: http://www.opera.com/mail/
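Added example, not part of the original post or of the CRS: RESPONSE_STATUS is only populated once a response exists, so a rule that inspects it has to run in phase 3 (response headers) or later, not in phase 2 (request body). The first rule is the poster's 5xx rule moved to phase 3; the second is an alternative for the embedded-mode case in the quoted docs note, and its id 500003 is a constructed placeholder.

```apache
# Added example; not from the original post.
# Use ONE of the two rules below, otherwise a 5xx response is reported twice.

# Option 1: same rule as in the post, but evaluated in phase 3, where the
# response status line and headers are available. Phase 2 runs before the
# backend has produced a response, so RESPONSE_STATUS cannot match there.
# tx.critical_anomaly_score is assumed to be set by the CRS setup file,
# as in the post.
SecRule RESPONSE_STATUS "^5" \
    "phase:3,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

# Option 2: tag the event in phase 5 (logging). The logging phase runs at
# the end of every transaction regardless of what happened in earlier
# phases, which covers embedded-mode responses that Apache generates itself.
# It is too late to block or to feed the anomaly score here, so the rule
# only attaches tag, msg and severity to the audit entry.
# id 500003 is a constructed placeholder; pick a free id in your local range.
SecRule RESPONSE_STATUS "^5" \
    "phase:5,t:none,log,pass,id:'500003',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',logdata:'%{response_status}',severity:1"
```

The existing SecAuditLogRelevantStatus directive can stay as it is: it decides which transactions are written to the audit log, while the rule supplies the tag, msg and severity shown for them.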