Re: [mod-security-users] can't seem to get notification working...
From: Jeremy H. <je...@me...> - 2004-04-03 05:09:53
So I quoted it this time:

SecFilter /etc/passwd "log,exec:/usr/webservers/httpd/conf/report-attack.sh"

and I see this in the audit log:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922
mod_security-executed: /usr/webservers/httpd/conf/report-attack.sh

But I don't receive the email, yet when I execute this from the command line, I get the email no problem.

Thanks
-jeremy

On Fri, 2 Apr 2004, Jeremy Hansen wrote:

> I'm using version mod_security-1.8dev1.tar.gz and I can't seem to get
> notification working. Here are my rules:
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
>
> and here's the little shell script:
>
> #!/bin/sh
>
> HOSTNAME=`hostname`
>
> echo "Attack detected. Check audit log" | mail -s "$HOSTNAME: attack detected" in...@me...
>
> just a simple script. Using the test suite, I definitely am tripping some
> filters...
>
> Test "38 Unicode test 1": OK
> Test "39 Unicode test 2": OK
> Test "40 Unicode test 3": OK
> Test "43 post range check bug": OK
> Test "44 normalisation bug": OK
> Test "45 null byte attack": OK
> Test "43 multipart/form-data test": OK
> Test "53 named cookie test": OK
>
> etc..
>
> but nothing in my email...
>
> Very new to this so perhaps my rules are completely wrong. Here's the
> full rules list:
>
> # Turn the filtering engine On or Off
> SecFilterEngine On
>
> # The audit engine works independently and
> # can be turned On or Off on the per-server or
> # on the per-directory basis
> SecAuditEngine RelevantOnly
>
> # The name of the audit log file
> SecAuditLog /var/log/httpd/logs/audit_log
>
> # Should mod_security inspect POST payloads
> SecFilterScanPOST On
>
> # Check URL encoding
> SecFilterCheckURLEncoding On
>
> # Default action set
> SecFilterDefaultAction "deny,log,status:500"
>
> # Only allow certain byte values to be a part of the request.
> # This is pretty relaxed, most applications where only English
> # is used will happily work with a range 32 - 126.
> SecFilterForceByteRange 32 126
>
> # Only accept request encodings we know how to handle
> # SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
>
> # Don't accept transfer encodings we know we don't handle
> # (and you don't need it anyway)
> SecFilterSelective HTTP_Transfer-Encoding "!^$"
>
> # Simple example filter
> # SecFilter 111
>
> # Chroot
> # SecChrootDir /usr/webservers/httpd
>
> # Change Signature
> SecServerSignature "FuckYouVeryMuch/2.0"
>
> # Command execution attacks
> SecFilter /etc/passwd
> SecFilter /etc/shadow
> SecFilter /etc/password
> SecFilter /bin/ls
>
> # Directory traversal attacks
> SecFilter "\.\./"
>
> # XSS attacks
> SecFilter "<(.|\n)+>"
> SecFilter "<[[:space:]]*script"
>
> # SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
>
> SecFilterSelective ARG_b2inc "!^$"
>
> SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
> SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
>
> <Location /cgi-bin/FormMail>
> SecFilterSelective "ARG_recipient" "!@methanesea\.com$"
> </Location>
>
> SecFilterSelective OUTPUT "Fatal error:"
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/usr/webservers/httpd/conf/report-attack.sh
>
> # Redirect user on filter match
> SecFilter xxx redirect:http://www.methanesea.com
>
> # SecFilterDebugLog /var/log/httpd/logs/modsec_debug_log
> # SecFilterDebugLevel 100
>
> # Simple filter
> SecFilter 111
>
> # Only check the QUERY_STRING variable
> SecFilterSelective QUERY_STRING 222
>
> # Only check the body of the POST request
> SecFilterSelective POST_PAYLOAD 333
>
> # Only check arguments (will work for GET and POST)
> SecFilterSelective ARGS 444
>
> # Another test filter, will be denied with 500 but not logged
> # (action supplied as a parameter overrides the default action)
> SecFilter 999 "deny,nolog,status:500"
>
> Mostly stolen from various articles and docs.
>
> Thanks for any tips.
> -jeremy
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
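Editor's note, added to the thread and not part of either message: the audit log entry above shows that mod_security did spawn the hook, so the gap between "works from my shell" and "no mail from httpd" is inside the script's own run. A hook launched by a daemon runs as the web server's user with a near-empty environment (typically no PATH, so a bare "mail" or "hostname" may not even resolve), and anything it prints or any non-zero exit goes nowhere. Whether that is the cause in this particular case is an assumption, not something the thread confirms. The script below is an added example of how a practitioner would write such a hook so that it does not depend on the caller's environment and leaves a debug trail; the recipient address, the sendmail path and the log path are placeholders to adjust.

```shell
#!/bin/sh
# report-attack.sh - notification hook for the ModSecurity 1.x "exec" action.
# Added example, not the script posted in the thread. All paths are assumptions.
#
# Rules this follows, because the hook runs as the httpd user with almost no
# environment: set PATH yourself, call binaries by absolute path, never rely
# on mail(1) being found, and record every run (and its exit code) to a file
# so a failure that happens only under httpd can actually be seen.

PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

RECIPIENT="${RECIPIENT:-security@example.com}"     # assumed address
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"         # assumed MTA path
DEBUG_LOG="${DEBUG_LOG:-/tmp/report-attack.log}"   # assumed, writable by httpd user

# Hostname via absolute path, with a fallback so the hook never dies here.
host_name() {
    /bin/hostname 2>/dev/null || echo unknown-host
}

# Message body. It deliberately includes the uid and PATH the hook ran with:
# when the mail does arrive, those two lines explain why it did not before.
build_report() {
    printf 'Attack detected on %s at %s. Check the audit log.\n' \
        "$(host_name)" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    printf 'hook uid=%s PATH=%s\n' "$(id -u)" "$PATH"
}

# Hand a complete RFC 822-style message to sendmail -t (headers decide the
# recipient), so nothing depends on a mail(1) wrapper or its configuration.
# If sendmail is absent the run is still logged, with rc=127.
send_report() {
    body=$(build_report)
    if [ -x "$SENDMAIL" ]; then
        printf 'To: %s\nSubject: %s: attack detected\n\n%s\n' \
            "$RECIPIENT" "$(host_name)" "$body" | "$SENDMAIL" -t
        rc=$?
    else
        rc=127
    fi
    printf '%s rc=%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$rc" "$body" \
        >>"$DEBUG_LOG" 2>/dev/null
    return "$rc"
}

# Only act when invoked as the hook itself (the file name ModSecurity calls),
# so the functions above can be sourced or tested without sending anything.
case "$0" in
    */report-attack.sh|report-attack.sh) send_report ;;
esac
```

Install it with the same absolute path used in the exec action, make it executable by the httpd user, trigger a filter once, and then read the debug log: a line with rc=0 means sendmail accepted the message and the problem is downstream in mail delivery; rc=127 or no line at all points back at the hook's execution environment or permissions.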