Re: [mod-security-users] Capturing Internal Server Errors
From: Ryan B. <RBa...@tr...> - 2012-05-17 11:45:26
Gotta use phase 3, 4 or 5 to access the RESPONSE_STATUS var. It is not available yet in phases 1 and 2.

Ryan

On May 17, 2012, at 7:37 AM, "Usman" <us...@op...> wrote:

> Hi,
>
> I have the following directive in my crs_10 file:
>
> SecAuditLogRelevantStatus "^(?:5|0(?!04))"
>
> This logs 500 internal server errors when they happen.
>
> I would like to set some attributes like tag, msg, severity etc for the
> above when viewing the alert in the AuditConsole.
>
> I tried using the following rule but no luck:
>
> SecRule RESPONSE_STATUS "@eq 500" \
> "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"
>
> Based on the docs I found the below which does not give me the desired
> result:
>
> SecRule RESPONSE_STATUS "^[5]" \
> "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"
>
> but then there was a note in the docs saying:
>
> "This directive may not work as expected in embedded-mode as Apache
> handles many of the stock response codes (404, 401, etc...) earlier in
> Phase 2. This variable should work as expected in a proxy-mode deployment."
>
> Can I not use the above?
>
> Thanks,
> Usman
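
The change described in the reply, as an added example that is not part of the original thread: the quoted rule with only its phase moved from 2 to 3, so that it runs after the response headers exist. The rule id, tag, msg and the tx.* variables are the ones from the quoted rule; picking phase 3 rather than 4 or 5 is an assumption made for this example.

```apache
# Added example, not from the thread.

# Already present in the poster's configuration: treat 5xx responses as
# relevant for the audit log.
SecAuditLogRelevantStatus "^(?:5|0(?!04))"

# RESPONSE_STATUS has no value while request phases 1 and 2 run, so a
# phase:2 rule on it never matches. Phase 3 (response headers) is the first
# phase in which the status code can be inspected.
SecRule RESPONSE_STATUS "@eq 500" \
    "phase:3,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"
```

A request that produces a 500 should then show the tag, msg and severity in the audit log entry and in the error log line for rule 500002.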