[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mod-security-users
Subject:    Re: [mod-security-users] Lua rule action
From:       Ryan Barnett <RBarnett () trustwave ! com>
Date:       2010-11-07 14:45:13
Message-ID: 5AE4303B-70A6-45AE-AD82-2343BB4533ED () trustwave ! com
[Download RAW message or body]

The exec action is non-disruptive and can be in any line of a chained rule. 
Move it to the end of the chained rule and it should work as you want. 

--
Ryan

On Nov 7, 2010, at 8:43 AM, "R.A.Imhoff" <lists@flashgenie.net> wrote:

> Hello 
> 
> I found my error in the Lua functioning: my ModSecurity installation didn't have \
> Lua support correctly enabled. 
> Now I came upon what appears to be an inconsistent behavior of the exec directives \
> in chained rules, for example: 
> SecRule REQUEST_URI "@pm SELECT" "chain,drop,log,exec:/sbin/block.lua,msg:'sql \
> inject - blacklisted',severity:'2',id:'414083'" SecRule REQUEST_URI "@pm UNION" 
> 
> I.e., to blacklist requests that contain both SELECT and UNION.
> 
> If I test it with a request containing both select and union, the rule fires as \
> expected, gets logged, and the Lua script executes. But a request containing only \
> "select" and not "union" still triggers the Lua script though it doesn't get \
> logged. It seems, if only the first rule of the chain matches, then the exec part \
> still gets executed -- am I doing something wrong ? 
> 
> ------------------------------------------------------------------------------
> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> David G. Thomson, author of the best-selling book "Blueprint to a 
> Billion" shares his insights and actions to help propel your 
> business during the next growth cycle. Listen Now!
> http://p.sf.net/sfu/SAP-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
> 


------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a 
Billion" shares his insights and actions to help propel your 
business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html


[prev in list] [next in list] [prev in thread] [next in thread]