Re: [mod-security-users] Capturing Internal Server Errors
From: Usman <us...@op...> - 2012-05-17 11:54:41
Thanks Ryan, switched to use phase:3 and now it works :). Cheers !!!

I have:

SecRule RESPONSE_STATUS "^[5]" \
"phase:3,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"

> Gotta use phase 3 4 or 5 to access the RESPONSE_STATUS var. It is not
> available yet in phases 1 and 2.
>
> Ryan
>
> On May 17, 2012, at 7:37 AM, "Usman" <us...@op...> wrote:
>
>> Hi,
>>
>> I have the following directive in my crs_10 file:
>>
>> SecAuditLogRelevantStatus "^(?:5|0(?!04))"
>>
>> This logs 500 internal server errors when they happen.
>>
>> I would like to set some attributes like tag, msg, severity etc for the
>> above when viewing the alert in the AuditConsole.
>>
>> I tried using the following rule but no luck:
>>
>> SecRule RESPONSE_STATUS "@eq 500" \
>> "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 500',msg:'Internal Server Error 500.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"
>>
>> Based on the docs I found the below which does not give me the desired
>> result:
>>
>> SecRule RESPONSE_STATUS "^[5]" \
>> "phase:2,t:none,log,pass,id:'500002',tag:'INTERNAL SERVER ERROR 5xx',msg:'Internal Server Error 5xx.',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},logdata:'%{response_status}',severity:1"
>>
>> but then there was a note in the docs saying:
>>
>> "This directive may not work as expected in embedded-mode as Apache
>> handles many of the stock response codes (404, 401, etc...) earlier in
>> Phase 2. This variable should work as expected in a proxy-mode
>> deployment."
>>
>> Can I not use the above?
>>
>> Thanks,
>> Usman
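
An added example, not part of the original thread: a small Python lint that flags SecRule directives reading a RESPONSE_* variable in phase 1 or 2, the mistake corrected in the exchange above. It goes beyond RESPONSE_STATUS to any RESPONSE_* variable, and it assumes that a rule without an explicit phase runs in phase 2 (no SecDefaultAction override); the sample rules and the ids 500003 and 500004 are constructed.

```python
import re
import shlex

# Constructed sample: shortened forms of the thread's phase:2 attempt and phase:3 fix.
SAMPLE_RULES = r'''
SecRule RESPONSE_STATUS "@eq 500" \
    "phase:2,t:none,log,pass,id:'500002',msg:'Internal Server Error 500.'"
SecRule RESPONSE_STATUS "^[5]" \
    "phase:3,t:none,log,pass,id:'500003',msg:'Internal Server Error 5xx.'"
SecRule REQUEST_URI|RESPONSE_STATUS "@rx ^5" "id:'500004',log,pass"
'''

PHASE_NAMES = {"request": 2, "response": 4, "logging": 5}  # named phase aliases
DEFAULT_PHASE = 2  # assumption: no SecDefaultAction overrides the stock default

def find_early_response_rules(conf_text):
    """Return (rule_id, phase, variables) for SecRules reading RESPONSE_* before phase 3."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", conf_text)  # fold '\' line continuations
    findings = []
    for line in joined.splitlines():
        line = line.strip()
        if not re.match(r"SecRule\s", line):
            continue  # comments, blank lines and other directives
        tokens = shlex.split(line)  # SecRule VARIABLES OPERATOR [ACTIONS]
        if len(tokens) < 3:
            continue
        actions = tokens[3] if len(tokens) > 3 else ""
        m = re.search(r"(?:^|,)\s*phase:'?(\w+)", actions)
        phase = DEFAULT_PHASE
        if m:
            value = m.group(1)
            phase = int(value) if value.isdigit() else PHASE_NAMES.get(value, DEFAULT_PHASE)
        # Variable list is '|'-separated; drop '!'/'&' prefixes and ':selector' suffixes.
        names = [v.lstrip("!&").split(":")[0] for v in tokens[1].split("|")]
        response_vars = [n for n in names if n.startswith("RESPONSE_")]
        if response_vars and phase < 3:
            rid = re.search(r"(?:^|,)\s*id:'?(\d+)", actions)
            findings.append((rid.group(1) if rid else None, phase, response_vars))
    return findings

if __name__ == "__main__":
    for rule_id, phase, names in find_early_response_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {', '.join(names)} read in phase {phase}; move to phase 3, 4 or 5")
```

Run against a rules file, it reports each rule id whose response variable is evaluated too early to ever match.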