Saturday, February 1, 2014

Sending Email Alert From Apache ModSecurity

Apache ModSecurity can be configured to provide different passive responses, and an email alert is one of them. To get this done we need a mail service enabled on the host server; generally an installation of Postfix or a similar MTA will do the task.

Configuration steps

1. Create an emailing script and place it anywhere on the server. In the following examples we have created a folder "my_test_rules" and placed the custom email script there.

# cd /usr/share/modsecurity-crs/my_test_rules
# nano send_simple_email_alert.sh
  #!/bin/sh
  # Sent by ModSecurity's exec action; requires a working local MTA for "mail".
  echo "Fake user tried to access the web application" | mail -s "server under attack" your_email@domain.com
  echo Done.
# chmod +x send_simple_email_alert.sh

2. Write a custom rule that executes the email script when it is triggered, like the sample rule below:

# nano test_request_headers_and_send_email.conf

  SecRule REQUEST_HEADERS:User-Agent "FAKE-USER" "deny,log,id:'1234123457',exec:/usr/share/modsecurity-crs/my_test_rules/send_simple_email_alert.sh"

3. Add a symlink to the custom rule in the activated_rules directory under /usr/share/modsecurity-crs

# cd /usr/share/modsecurity-crs/activated_rules
# ln -s ../my_test_rules/test_request_headers_and_send_email.conf

4. Restart Apache so it loads the new rule

# service apache2 restart

We can send a more detailed email by passing ModSecurity variables to the script with the setenv action. An example below:

send_detail_email_alert.sh

#!/bin/sh
# Variables below are populated by the setenv actions in the rule that calls this script.
# REMOTEHOST is only filled in if the rule also sets it (e.g. setenv:REMOTEHOST=%{REMOTE_HOST}).
echo "False user tried to access the web application: Server: \
$SERVER Attacking IP: $REMOTEIP Attacking host: $REMOTEHOST \
Request URI: $REQUESTURI Arguments: $ARGS Unique ID: $UNIQUEID RuleTriggered: $RULE \
Time: `date '+%D %H:%M'`" | mail -s "local server under attack" your_email@domain.com
echo Done.

test_request_headers_and_send_detail_email.conf

SecRule REQUEST_HEADERS:User-Agent "FALSE-USER" "deny,log,id:'1234123499',setenv:SERVER=%{SERVER_ADDR}, \
setenv:REMOTEIP=%{REMOTE_ADDR},setenv:REQUESTURI=%{REQUEST_URI},setenv:ARGS=%{ARGS}, \
setenv:UNIQUEID=%{UNIQUE_ID},setenv:RULE=%{rule.id}, \
exec:/usr/share/modsecurity-crs/my_test_rules/send_detail_email_alert.sh"
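As an added example (not part of the original post), a hardened variant of the detailed alert script: it reads the same setenv variables the rule above exports, strips control characters from the attacker-controlled request fields so they cannot inject newlines or mail headers into the message, and rate-limits alerts so a burst of blocked requests does not become a burst of email. ALERT_TO, RATE_FILE, MIN_INTERVAL and the filename guard are assumptions of this example.

```sh
#!/bin/sh
# Hardened alert script (added example, not from the original post).
# Reads the variables the rule sets with setenv: SERVER, REMOTEIP,
# REQUESTURI, ARGS, UNIQUEID, RULE. ALERT_TO, RATE_FILE and
# MIN_INTERVAL are assumed names with placeholder defaults.
ALERT_TO="${ALERT_TO:-your_email@domain.com}"
RATE_FILE="${RATE_FILE:-/tmp/modsec_alert.stamp}"
MIN_INTERVAL="${MIN_INTERVAL:-60}"   # minimum seconds between mails

# Keep printable ASCII only and cap the length: request data is
# attacker-controlled and must not inject newlines or mail headers.
sanitize() {
  printf '%s' "$1" | tr -cd '\40-\176' | cut -c1-"${2:-200}"
}

# Build the message body from the ModSecurity environment variables.
build_body() {
  printf 'ModSecurity rule %s blocked a request\n' "$(sanitize "${RULE:-unknown}" 32)"
  printf 'Server: %s\n'       "$(sanitize "${SERVER:-unknown}" 64)"
  printf 'Attacking IP: %s\n' "$(sanitize "${REMOTEIP:-unknown}" 64)"
  printf 'Request URI: %s\n'  "$(sanitize "${REQUESTURI:-}" 200)"
  printf 'Arguments: %s\n'    "$(sanitize "${ARGS:-}" 200)"
  printf 'Unique ID: %s\n'    "$(sanitize "${UNIQUEID:-}" 64)"
  printf 'Time: %s\n'         "$(date '+%Y-%m-%d %H:%M:%S')"
}

# Succeed only if MIN_INTERVAL seconds have passed since the last mail,
# so a flood of blocked requests does not become a flood of email.
should_send() {
  now=$(date +%s)
  if [ -f "$RATE_FILE" ]; then
    last=$(cat "$RATE_FILE")
    [ $((now - last)) -ge "$MIN_INTERVAL" ] || return 1
  fi
  echo "$now" > "$RATE_FILE"
}

main() {
  should_send || exit 0
  build_body | mail -s "ModSecurity alert: rule $(sanitize "${RULE:-unknown}" 32)" "$ALERT_TO"
}

# Send only when invoked by its own name (e.g. from exec:), not when sourced.
case "${0##*/}" in
  send_detail_email_alert.sh) main ;;
esac
```

Point the rule's exec: action at this file instead of the simple script; the rate-limit stamp file must be writable by the Apache user.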