Re: [mod-security-users] execute a script for all rules

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Dear Franziska,

Many thanks for your hint. It seems to be reasonable for what I want to 
achieve.

Sorry, that I didn't explain well what's my goal. But let me try again.

Whenever a rule is triggered then a script should be executed. For 
example what I have seen several times. Someone does some nasty things 
and one or more standard rules are blocking this attack. Great. But 
later on the same IP is looking around. Maybe triggering other rules or 
not. Therefore I want to block this IP in the firewall for a certain 
time. I hope this explains better.

When you say I should write a rule checking the score then this rule 
should be available for all Apache virtuell servers. Because I don't 
want to modify all Apache configs. Till now I wrote rules specific for a 
server within the Apache config. Is there a location to place a self 
written rule for all servers ?

Any help is welcome.

Kind regards

Hans

-- 

On 21.03.24 13:07, Franziska Buehler wrote:
> Hi Hans!
>
> To me, it's not clear what you're trying to achieve.
> You would probably have to write a new rule that checks whether rules 
> have matched and therefore the blocking variables inbound or outbound 
> (e.g. tx.blocking_inbound_anomaly_score) are set. And then you "exec:" 
> and call your script in this new rule.
> You can't test for individual rules, or at least I don't see how that 
> could work right now.
>
> Best,
> Franziska
> # CRS dev-on-duty
>
> Am Mi., 20. März 2024 um 21:03 Uhr schrieb Hans Mayer via 
> mod-security-users <mod...@li...>:
>
>
>     Dear All,
>
>     I am using Apache/2.4.57 on Debian with the modsecurity-crs package
>     which is Producer ModSecurity for Apache/2.9.3 and Rule Set
>     OWASP_CRS/3.3.0
>
>     With self written rules I have the possibility to execute a script
>     with
>     the "exec:" statement.
>
>     Is there a way to execute a script for all these predefined rules if
>     they are triggered ?
>
>
>     Kind regards
>
>     Hans
>
>     -- 
>
>
>
>
>
>
>
>     _______________________________________________
>     mod-security-users mailing list
>     mod...@li...
>     https://lists.sourceforge.net/lists/listinfo/mod-security-users
>     Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>     http://www.modsecurity.org/projects/commercial/rules/
>     http://www.modsecurity.org/projects/commercial/support/
>