[prev in list] [next in list] [prev in thread] [next in thread]
List: mod-security-users
Subject: Re: [mod-security-users] Lua rule action
From: Ryan Barnett <RBarnett () trustwave ! com>
Date: 2010-11-07 14:45:13
Message-ID: 5AE4303B-70A6-45AE-AD82-2343BB4533ED () trustwave ! com
[Download RAW message or body]
The exec action is non-disruptive and can be in any line of a chained rule.
Move it to the end of the chained rule and it should work as you want.
--
Ryan
On Nov 7, 2010, at 8:43 AM, "R.A.Imhoff" <lists@flashgenie.net> wrote:
> Hello
>
> I found my error in the Lua functioning: my ModSecurity installation didn't have \
> Lua support correctly enabled.
> Now I came upon what appears to be an inconsistent behavior of the exec directives \
> in chained rules, for example:
> SecRule REQUEST_URI "@pm SELECT" "chain,drop,log,exec:/sbin/block.lua,msg:'sql \
> inject - blacklisted',severity:'2',id:'414083'" SecRule REQUEST_URI "@pm UNION"
>
> I.e., to blacklist requests that contain both SELECT and UNION.
>
> If I test it with a request containing both select and union, the rule fires as \
> expected, gets logged, and the Lua script executes. But a request containing only \
> "select" and not "union" still triggers the Lua script though it doesn't get \
> logged. It seems, if only the first rule of the chain matches, then the exec part \
> still gets executed -- am I doing something wrong ?
>
> ------------------------------------------------------------------------------
> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> David G. Thomson, author of the best-selling book "Blueprint to a
> Billion" shares his insights and actions to help propel your
> business during the next growth cycle. Listen Now!
> http://p.sf.net/sfu/SAP-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
>
------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a
Billion" shares his insights and actions to help propel your
business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic