[mod-security-users] can't seem to get notification working...
From: Jeremy H. <je...@me...> - 2004-04-03 04:50:48
I'm using version mod_security-1.8dev1.tar.gz and I can't seem to get
notification working. Here are my rules:
# Execute the external script on filter match
SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
And here's the little shell script:
#!/bin/sh
HOSTNAME=`hostname`
echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack detected" in...@me...
Just a simple script. Using the test suite, I definitely am tripping some
filters...
Test "38 Unicode test 1": OK
Test "39 Unicode test 2": OK
Test "40 Unicode test 3": OK
Test "43 post range check bug": OK
Test "44 normalisation bug": OK
Test "45 null byte attack": OK
Test "43 multipart/form-data test": OK
Test "53 named cookie test": OK
etc.
But nothing in my email...
Very new to this so perhaps my rules are completely wrong. Here's the
full rules list:
# Turn the filtering engine On or Off
SecFilterEngine On
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Check URL encoding
SecFilterCheckURLEncoding On
# Default action set
SecFilterDefaultAction "deny,log,status:500"
# Only allow certain byte values to be a part of the request.
# This is pretty relaxed, most applications where only English
# is used will happily work with a range 32 - 126.
SecFilterForceByteRange 32 126
# Only accept request encodings we know how to handle
# SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Simple example filter
# SecFilter 111
# Chroot
# SecChrootDir /usr/webservers/httpd
# Change Signature
SecServerSignature "FuckYouVeryMuch/2.0"
# Command execution attacks
SecFilter /etc/passwd
SecFilter /etc/shadow
SecFilter /etc/password
SecFilter /bin/ls
# Directory traversal attacks
SecFilter "\.\./"
# XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
# SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective ARG_b2inc "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
<Location /cgi-bin/FormMail>
SecFilterSelective "ARG_recipient" "!@methanesea\.com$"
</Location>
SecFilterSelective OUTPUT "Fatal error:"
# Execute the external script on filter match
SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
# Redirect user on filter match
SecFilter xxx redirect:http://www.methanesea.com
# SecFilterDebugLog /var/log/httpd/logs/modsec_debug_log
# SecFilterDebugLevel 100
# Simple filter
SecFilter 111
# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444
# Another test filter, will be denied with 500 but not logged
# (the action supplied as a parameter overrides the default action)
SecFilter 999 "deny,nolog,status:500"
Mostly stolen from various articles and docs.
Thanks for any tips.
-jeremy
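As an added illustration (not the poster's configuration and not mod_security's own code), here is a small Python model of how the actions in a rule set like the one above resolve: a rule with no action list of its own takes SecFilterDefaultAction, while a rule that carries an action list replaces the default entirely (the post's own comment: the supplied action overrides the default), so only rules that name exec ever launch the script. The patterns, paths and URL are copied from the post; the sample requests are constructed.

```python
import re

# Default action from the posted configuration.
DEFAULT_ACTION = "deny,log,status:500"

# (pattern, per-rule action list or None) -- a subset of the posted rules.
RULES = [
    (r"/etc/passwd", None),
    (r"\.\./", None),
    (r"select.+from", None),
    (r"yyy", "log,exec:/usr/webservers/httpd/conf/report-attack.sh"),
    (r"xxx", "redirect:http://www.methanesea.com"),
    (r"999", "deny,nolog,status:500"),
]


def parse_actions(action_list):
    """Split 'deny,log,status:500' into [('deny', None), ('log', None), ('status', '500')]."""
    actions = []
    for item in action_list.split(","):
        name, _, arg = item.partition(":")  # first ':' separates name from argument
        actions.append((name.strip(), arg.strip() or None))
    return actions


def evaluate(request, rules=RULES, default_action=DEFAULT_ACTION):
    """Return (pattern, resolved action list) for every rule the request trips.

    Model assumption: a per-rule action list replaces the default action
    completely; it is not merged with it.
    """
    hits = []
    for pattern, rule_action in rules:
        if re.search(pattern, request, re.IGNORECASE):
            hits.append((pattern, parse_actions(rule_action or default_action)))
    return hits


def scripts_to_run(request, **kw):
    """Paths the exec action would launch for this request (empty list => no notification)."""
    return [arg for _, actions in evaluate(request, **kw)
            for name, arg in actions if name == "exec"]


if __name__ == "__main__":
    # Constructed sample requests: one trips the default-action rules, one trips the exec rule.
    for req in ("GET /cgi-bin/x?f=../../etc/passwd", "GET /?q=yyy"):
        print(req, "->", evaluate(req), "exec:", scripts_to_run(req))
```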