Skip to content

Calling Lua script #1869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cyberblackhole opened this issue Aug 9, 2018 · 3 comments
Closed

Calling Lua script #1869

cyberblackhole opened this issue Aug 9, 2018 · 3 comments
Assignees
@victorhora
Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity RIP - Type - Usage Related with usage (not a bug)

Comments

@cyberblackhole
Copy link

Past 2 days i'm stuck in calling Lua script. Please let me know what is wrong in this rule. I have tried several variations

Variation 1:
SecRule REQUEST_METHOD "POST" phase:2, id:22, pass, exec:/etc/apache2/lua/test.lua

Variation 2:

SecRule REQUEST_FILENAME "^/getprotected\.php$" phase:2,id:20001,chain
               SecRuleScript /etc/apache2/lua/test.lua \
                                    phase:2,id:2002

contents of /etc/apache2/lua/test.lua

#!/usr/bin/lua
function main()
            m.log(1,"Starting script execution \n")
            local fileHandle = assert(io.open('/tmp/lua_output.txt','a'))
            fileHandle:write("---MODSECURITY ---\n")
            m.log(1,"Script execution finished\n")
end
@DenysFrasinich
Copy link

Does yours modsecurity compiled with support of lua?
I also spent a day trying to call script before i realised that package "libmodsecurity" from CentOS 7 repo doesn't have lua support at all.

@cyberblackhole
Copy link
Author

Yeah.. Even I had the same question.. so I went on to re install them to make sure LUA dependency is satisfied...

Guess what.. Now I can call LUA scripts. I forgot to change the ownership of the script file to www-data...

@victorhora victorhora self-assigned this Aug 14, 2018
@victorhora victorhora added RIP - libmodsecurity 3.x Related to ModSecurity version 3.x RIP - Type - Usage Related with usage (not a bug) labels Aug 14, 2018
@victorhora
Copy link
Contributor

Indeed. Information about LUA support (if enabled/disabled) build will be available on the configure script like so:


...
configure: LUA library found at: /usr/lib/x86_64-linux-gnu//libluajit-5.1.so
configure: LUA headers found at: /usr/include/luajit-2.0
configure: LUA version from includes: 501
configure: using LUA -lluajit-5.1
...

   + LUA                                           ....found v501
      -lluajit-5.1 -L/usr/lib/x86_64-linux-gnu/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include/luajit-2.0

Also, the logs should have shown that LUA is support is not enabled when trying to execute a LUA script without LUA support. (Let us know if it's not the case).

About CentOS, indeed it seems like LUA is not supported on CentOS7 package as I can't see it on the list of "Requires".

It could be due to CentOS shipping by default with an older version of Lua (5.1) which was not supported by libModSecurity up until recently. See #1622 for detailed information on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@victorhora victorhora

Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity RIP - Type - Usage Related with usage (not a bug)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@victorhora @cyberblackhole @DenysFrasinich